How scammers get access to email accounts and how to stop it

New research from the University of California has found scammers are increasingly trying to take over email accounts and can spend up to a week in the account once they have access.

The research, conducted in conjunction with online security experts Barracuda, revealed that there is a specialised economy emerging around email account takeovers.

In email account takeovers, attackers use legitimate accounts they have recently compromised to send phishing emails to an array of recipients. These phishing emails come from legitimate accounts, so they are more effective at fooling email protection systems and unsuspecting users.

Over the past year, the researchers studied the end-to-end lifecycle of a compromised account. They examined 159 compromised accounts and investigated how the takeover took place, how long the attackers had access to the compromised account and how the attackers were able to use and extract information from these accounts.

The report found that in more than one-third of the hijacked accounts, attackers used the account for more than one week.

In 31 per cent of the account takeovers, one set of attackers focused on compromising the accounts and then sold access to another set of cybercriminals who focused on monetising the hijacked accounts.

“Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximise the ways they can exploit the account, whether that means selling the credentials or using the access themselves,” said Don MacLennan from Barracuda.

Across the incidents studied, researchers found that the majority of phishing attacks relied on two deceptive narratives:

  • messages that falsely alert the user to a problem with their email account
  • messages that provide a link to a fake ‘shared’ document.

In both cases, the attacker provides a link for the victim to click on, which often leads to a phishing website designed to look like a legitimate login page but that ultimately steals the victim’s username and password.

One of the best methods for defending against email takeover is placing strong two-factor authentication on your email account, according to Barracuda.

Have you ever been the victim of a phishing attack? Have you had your email account taken over by a scammer?


Written by Ben


Total Comments: 5
  1. 0

    Received a phishing email today purportedly from US Mail regarding a parcel. Although I am awaiting a parcel I was immediately suspicious and googled the email address. I was right to be suspicious as advice was that this email address was a scam email. I always check google when I receive an email from an unknown address requesting I open a link. Always be on guard.

  2. 0

    A couple of days ago got a phone call from a ‘Private’ number with a recorded voice stating they were from Amazon and my account details had been compromised. Press 1 to be put onto a ‘consultant’. Funny. I do not have an Amazon account and have never bought anything from Amazon. An obvious phishing scam.

  3. 0

    Receive phishing scams almost daily, received one today from someone supposedly from PayPal, the email said there was some suspicious activity on my account, they wanted me to log into my account via a link that they supplied to verify my details, obviously I didn’t log in, PayPal advise sending the email to their Scam email department, which I did. I never open or click on links from sources I don’t trust or know. Be aware of one particular scammer from a guy called Dylan Whitehouse or variations of that, he has been identified as someone out of a University in the US, you would think with all the tracking that’s available they would be able to identify these people, but it seems it’s easy for these scammers to hide their identity.

  4. 0

    I have someone talking in Chinese on my phone. I don’t speak Chinese so what a waste of time for them. If I did speak I would never trust a Chinese considering what has happened in the last 8 months.
    Not very honourable mob and only want to save face. They should look in the mirror and see the real person that is not honourable.
    Delete the number after sending to scam watch

    • 0

      I worked with Chinese people for nearly 20 years, and am still in touch with wonderful friends amongst them that I met in the early eighties.
      They are just like the rest of us: some incredibly generous, loyal people, some fair to middling like most of us, and some real bad ones, just like any population on earth.


