Credential Stuffing

Billions of username and password combinations have been leaked in data breaches over the past decade. Attackers don't need to "hack" you directly — they simply take leaked credential lists and try them against every major email provider automatically. If you've reused a password anywhere, it's almost certainly in one of these lists.

This attack is called credential stuffing, and it's devastatingly effective precisely because password reuse is so common. A breach at a gaming forum from five years ago can give an attacker the keys to your email today.

You can check whether your email address has appeared in known breaches at haveibeenpwned.com. The results are often sobering. The fix is simple in principle but requires discipline in practice: every account must have a unique, randomly generated password, stored in a password manager.
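On the provider's side the pattern described above is detectable: a leaked list being replayed shows up as one source trying many different usernames, one or two guesses each, with a high failure rate, which is unlike a brute-force attack that hammers a single account. The detector below is an added example written for this page, not the page's or any provider's own code; it runs over a constructed log in a hypothetical one-line-per-attempt format, and the IPs and addresses are documentation placeholders.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (hypothetical format, not from any real system):
# one line per login attempt, with source IP, username and outcome.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.5 user=alice@example.org result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=bob@example.org result=FAIL
2024-05-01T10:00:02Z src=203.0.113.5 user=carol@example.org result=FAIL
2024-05-01T10:00:03Z src=203.0.113.5 user=dave@example.org result=OK
2024-05-01T10:00:04Z src=203.0.113.5 user=erin@example.org result=FAIL
2024-05-01T10:00:05Z src=203.0.113.5 user=frank@example.org result=FAIL
2024-05-01T10:00:09Z src=198.51.100.7 user=alice@example.org result=FAIL
2024-05-01T10:00:15Z src=198.51.100.7 user=alice@example.org result=OK
2024-05-01T10:05:00Z src=192.0.2.9 user=grace@example.org result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, succeeded) tuples."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["src"], m["user"], m["result"] == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_users=5,
                    max_success_ratio=0.5):
    """Flag source IPs that try at least `min_users` distinct usernames inside
    `window` with mostly failed attempts.

    This is the signature of replaying a leaked list: one source, many
    different accounts, one or two guesses each. A brute-force attack against a
    single account never reaches `min_users` and so is not reported here."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)

    alerts = {}
    for src, evs in by_src.items():
        evs.sort()  # tuples sort by timestamp first
        start = 0
        for end in range(len(evs)):
            # slide `start` forward until the window fits
            while evs[end][0] - evs[start][0] > window:
                start += 1
            win = evs[start:end + 1]
            users = {e[2] for e in win}
            successes = [e[2] for e in win if e[3]]
            if len(users) >= min_users and len(successes) / len(win) <= max_success_ratio:
                alerts[src] = {
                    "distinct_users": len(users),
                    "attempts": len(win),
                    # accounts that accepted a guessed password: reset these first
                    "compromised": sorted(set(successes)),
                }
    return alerts


if __name__ == "__main__":
    for src, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(src, info)
```

On the sample log only 203.0.113.5 is reported; the single success inside that burst (dave@example.org) is exactly the account a responder should lock and reset first, because a password from a breach list just worked there. The thresholds are assumptions to tune per service; the point is that distinct-username count per source is the feature that separates stuffing from ordinary failed logins.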

Phishing

Phishing is the art of tricking someone into handing over their credentials voluntarily. Attackers send emails that appear to be from trusted organisations — your bank, your email provider, a government agency — and direct you to a fake login page that harvests your password the moment you type it.

Modern phishing has become sophisticated. Attackers register lookalike domains: paypa1.com, arnazon.com, enemai1.de. They match the visual design of the real site pixel-for-pixel. They use urgency: "Your account will be suspended in 24 hours unless you verify now." They spoof display names so the sender appears to be "enemail Security" even though the sending address is something else entirely.

The cardinal rule: never click login links in emails. Navigate directly to the service by typing the address yourself, or use a bookmark. If an email claims there's an urgent problem with your account, go directly to the site — not via the link provided.
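The two tricks named above, lookalike domains and display-name spoofing, can both be checked mechanically on the From: header before a reader ever sees the message. The classifier below is an added example for this page, not the page's or enemail's own filtering code; the trusted-domain list, the confusable-character table and the sample headers are assumptions constructed for the demonstration.

```python
from email.utils import parseaddr

# Hypothetical allow-list: the real domains the organisation expects mail from,
# mapped to the brand word that appears in their display names.
TRUSTED = {
    "paypal.com": "paypal",
    "amazon.com": "amazon",
    "enemail.de": "enemail",
}

# Character sequences that look alike in common fonts (not exhaustive).
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]


def normalize(domain):
    """Fold visually confusable sequences so lookalikes compare equal."""
    s = domain.lower()
    for fake, real in CONFUSABLES:
        s = s.replace(fake, real)
    return s


def levenshtein(a, b):
    """Edit distance, to catch single-character typosquats such as paypal.co."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header):
    """Return (verdict, matched_domain) for a raw From: header value."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

    if domain in TRUSTED or any(domain.endswith("." + d) for d in TRUSTED):
        return ("trusted", domain)

    for real, brand in TRUSTED.items():
        # 1. the sending domain itself imitates a trusted one
        if normalize(domain) == normalize(real) or levenshtein(domain, real) <= 1:
            return ("lookalike-domain", real)
        # 2. the display name borrows the brand but the address does not match
        if brand in name.lower():
            return ("display-name-spoof", real)
    return ("unknown", domain)


if __name__ == "__main__":
    for header in ['"enemail Security" <alerts@enemai1.de>',
                   "Shop <news@arnazon.com>",
                   '"PayPal Support" <billing@random-host.example>',
                   "Alice <alice@enemail.de>"]:
        print(header, "->", classify_sender(header))
```

The verdicts are meant to drive a warning banner or quarantine rule, not to replace sender authentication: SPF, DKIM and DMARC tell you whether mail really came from enemail.de, while this check tells you whether a sender is merely dressed up to look like it.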

Man-in-the-Middle Attacks

When your email travels across the internet, it passes through multiple servers. If any connection along that path is unencrypted, an attacker positioned on the network can read or modify the message in transit. This is a man-in-the-middle (MitM) attack.

Public Wi-Fi networks are the classic venue: an attacker on the same coffee shop network can intercept unencrypted traffic trivially. But the threat is more subtle too. STARTTLS, the SMTP extension used to upgrade a connection between mail servers to TLS, is negotiated in plain text and applied only if both sides agree, so an attacker who intercepts that negotiation can strip the offer and force both servers to keep communicating in plain text — without either server detecting the attack.

End-to-end encryption eliminates this threat entirely. If a message is encrypted on your device before it's sent, a MitM attacker intercepts only unreadable ciphertext, no matter what happens to the connection in transit.
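The STARTTLS downgrade works only because the client treats encryption as optional. The simulation below, an added example written for this page and not code from any mail server or from enemail, shows the opening SMTP exchange from the client's side with both a genuine EHLO reply and one from which the STARTTLS advertisement is missing, and compares an opportunistic client with one that requires TLS. The host names and replies are constructed; no network connection is made.

```python
import re

# Constructed EHLO reply from a server that offers STARTTLS (shape follows the
# multi-line reply format of RFC 5321; the host names are made up).
GENUINE_EHLO = [
    "250-mail.example.org Hello client.example.net",
    "250-SIZE 52428800",
    "250-STARTTLS",
    "250 8BITMIME",
]

# The same reply as a client would see it after an on-path attacker removed the
# STARTTLS line: nothing else changes, so nothing looks wrong.
STRIPPED_EHLO = [
    "250-mail.example.org Hello client.example.net",
    "250-SIZE 52428800",
    "250 8BITMIME",
]

CAP_RE = re.compile(r"^250[- ](\S+)")


def parse_capabilities(ehlo_lines):
    """Extract the extension keywords from an EHLO reply (first line is the greeting)."""
    caps = set()
    for line in ehlo_lines[1:]:
        m = CAP_RE.match(line)
        if m:
            caps.add(m.group(1).upper())
    return caps


def run_session(ehlo_lines, starttls_reply, require_tls):
    """Simulate the client side of the opening exchange.

    Returns (outcome, transcript) where outcome is "tls", "plaintext" or
    "abort". `require_tls` selects a strict policy; False is the opportunistic
    behaviour that a downgrade exploits."""
    transcript = ["C: EHLO client.example.net"]
    transcript += ["S: " + line for line in ehlo_lines]

    if "STARTTLS" not in parse_capabilities(ehlo_lines):
        if require_tls:
            transcript.append("C: QUIT   (STARTTLS not offered; refusing to send in the clear)")
            return "abort", transcript
        transcript.append("C: MAIL FROM:<alice@example.net>   (continuing in plaintext)")
        return "plaintext", transcript

    transcript.append("C: STARTTLS")
    transcript.append("S: " + starttls_reply)
    if not starttls_reply.startswith("220"):
        # Second downgrade variant: the advertisement got through but the
        # upgrade itself is answered with an error.
        if require_tls:
            transcript.append("C: QUIT   (TLS upgrade failed; refusing to continue)")
            return "abort", transcript
        transcript.append("C: MAIL FROM:<alice@example.net>   (continuing in plaintext)")
        return "plaintext", transcript

    transcript.append("C: <TLS handshake>; EHLO is then repeated inside the encrypted channel")
    return "tls", transcript


if __name__ == "__main__":
    for label, ehlo, reply, strict in [
        ("genuine, strict", GENUINE_EHLO, "220 Ready to start TLS", True),
        ("stripped, opportunistic", STRIPPED_EHLO, "220 Ready to start TLS", False),
        ("stripped, strict", STRIPPED_EHLO, "220 Ready to start TLS", True),
    ]:
        outcome, lines = run_session(ehlo, reply, strict)
        print(f"== {label}: {outcome}")
        print("\n".join(lines))
```

The opportunistic client cannot tell the stripped reply from a server that simply never supported TLS, which is why it "works" and why the attack is silent. In Python's standard library the strict behaviour is what you get by calling `smtplib.SMTP.starttls()` and not catching the `SMTPNotSupportedError` it raises when the server did not advertise the extension. Between mail servers, MTA-STS (RFC 8461) and DANE (RFC 7672) exist so that a receiving domain can declare in advance that TLS is mandatory; only end-to-end encryption, as the text says, makes the question moot.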

Social Engineering and SIM Swapping

Many people protect their email accounts with SMS-based two-factor authentication — a code sent to their phone. Attackers have found a way around this: SIM swapping. By impersonating you to your mobile carrier — armed with personal details gathered from social media or previous breaches — they convince the carrier to transfer your phone number to a SIM card they control. Suddenly, all your SMS verification codes go to the attacker.

This attack has been used to compromise high-profile accounts belonging to executives, politicians, and cryptocurrency holders. The defence is to move away from SMS-based 2FA entirely. Hardware security keys (FIDO2/WebAuthn) or authenticator apps are not vulnerable to SIM swapping.

Malware and Keyloggers

All the server-side security in the world is worthless if your device is compromised. Malware — delivered via malicious email attachments, infected downloads, or compromised websites — can record every keystroke you type, including your email password, and transmit it silently to an attacker. Some malware goes further, taking screenshots, accessing your password manager, or intercepting browser sessions.

This is why device hygiene is not optional. An end-to-end encrypted email service protects your messages from provider-level access and network interception — but it cannot protect you from malware running on your own computer that captures your password before it's encrypted or reads your decrypted messages as you view them.

Your Defence Checklist

Email account security is not a single setting — it's a stack of overlapping defences. Here's what actually works:

  • Unique passwords via a password manager — use Bitwarden, 1Password, or KeePassXC. Generate a random password for every account. Never reuse.
  • Hardware 2FA — a YubiKey or similar FIDO2 device is phishing-resistant by design. It only responds to the real domain, not a lookalike.
  • End-to-end encrypted email provider — if your provider can't read your emails, neither can an attacker who compromises your provider. This is the only defence against server-side breaches.
  • Encrypted DNS — use DNS-over-HTTPS or DNS-over-TLS to prevent attackers from redirecting your lookups to fake sites. Cloudflare 1.1.1.1 and NextDNS are good options.
  • Device hygiene — keep your OS and applications patched. Use reputable antivirus/antimalware. Be sceptical of email attachments, even from known contacts.
  • Regular breach monitoring — set up alerts at haveibeenpwned.com for your email address. Act immediately when a breach is detected.

Important: If your email provider can read your emails, so can anyone who compromises your provider. Server-side encryption with keys the provider controls offers no real protection against breaches — only end-to-end encryption does.

Protect your inbox at the cryptographic level

End-to-end encrypted email that protects your content even if your account is breached. enemail encrypts everything before it leaves your device.
