How scammers get access to email accounts and how to stop it

Font Size:

New research from the University of California has found scammers are increasingly trying to take over email accounts and can spend up to a week in the account once they have access.

The research, conducted in conjunction with online security experts Barracuda, revealed that there is a specialised economy emerging around email account takeovers.

In email account takeovers, attackers use legitimate accounts they have recently compromised to send phishing emails to an array of recipients. These phishing emails come from legitimate accounts, so they are more effective at fooling email protection systems and unsuspecting users.

Over the past year, the researchers studied the end-to-end lifecycle of a compromised account. They examined 159 compromised accounts and investigated how the takeover took place, how long the attackers had access to the compromised account and how the attackers were able to use and extract information from these accounts.

The report found that more than one-third of the hijacked accounts had attackers using the account for more than one week.

In 31 per cent of the account takeovers, one set of attackers were focused on compromising the accounts and then sold access to another set of cybercriminals who were focused on monetising the hijacked accounts.

“Cybercriminals are getting stealthier and finding new ways to remain undetected in compromised accounts for long periods of time so they can maximise the ways they can exploit the account, whether that means selling the credentials or using the access themselves,” said Don MacLennan from Barracuda.

Across the incidents studied, researchers found that the majority of phishing attacks relied on two deceptive narratives:

  • messages that falsely alert the user of a problem with their email account
  • messages that provide a link to a fake ‘shared’ document.

In both cases, the attacker provides a link for the victim to click on, which often leads to a phishing website designed to look like a legitimate login page but that ultimately steals the victim’s username and password.

One of the best methods for defending against email takeover is placing strong two-factor authentication on your email account, according to Barracuda.

Have you ever been the victim of a phishing attack? Have you had your email account taken over by a scammer?

If you enjoy our content, don’t keep it to yourself. Share our free eNews with your friends and encourage them to sign up.

Join YourLifeChoices today
and get this free eBook!

By joining YourLifeChoices you consent that you have read and agree to our Terms & Conditions and Privacy Policy


Online privacy protection more important than ever

More Aussies over 65yrs are taking to the internet - but some are taking risks in the process.

Turn yourself into a pro for those all-important family video calls

Video calls are vital during COVID-19. Here are some simple ways to improve them.

What social media has taught us about COVID-19

Life in lockdown: What social media can teach us about the COVID-19 experience.

Written by Ben


Total Comments: 5
  1. 0

    Received a phishing email today purportedly from US Mail regarding a parcel. Although I am awaiting a parcel I was immediately suspicious and googled the email address. I was right to be suspicious as advice was that this email address was a scam email. I always check google when I receive an email from an unknown address requesting I open a link. Always be on guard.

  2. 0

    A couple of days ago got a phone call from a ‘Private’ number with a recorded voice stating they were from Amazon and my account details had been compromised. Press 1 to be put onto a ‘consultant’. Funny. I do not have an Amazon account and have never bought anything from Amazon, An obvious phishing scam.

  3. 0

    Receive phishing scams almost daily, received one today from someone supposedly from PayPal, the email said there was some suspicious activity on my account, they wanted me to log into my account via a link that they supplied to verify my details, obviously I didn’t log in, PayPal advise sending the email to their Scam email department, which I did. I never open or click on links from sources I don’t trust or know. Be aware of one particular scammer fro a guy called Dylan Whitehouse or variations of that, he has been identified as someone out of a University in the US, you would think with all the tracking that’s available they would be able to identify these people, but it’s seems it’s easy for these scammers to hide their identity.

  4. 0

    I have someone talking in Chinese on my phone. I don’t speak Chinese so what a waste of time for them. If I did speak I would never trust a Chinese considering what has happened in the last 8 months.
    Not very honourable mob and only want to save face.They should Look in the mirror and see the real person that is not honourable.
    Delete the number after sending to scam watch

    • 0

      I worked with Chinese people for nearly 20 years, and am still in touch with wonderful friends amongst them that I met in the early eighties.
      They are just like the rest of us: some incredibly generous, loyal people, some fair to middling like most of us, and some real bad ones, just like any population on earth.



continue reading


Mozzies biting? Here's how to choose a repellent - and how to use it

Mozzies biting? Here's how to choose a repellent (and how to use it for the best protection) Shutterstock Cameron Webb,...


Sir Bob Geldof on grief, fame and getting through it all

I've hardly started questioning Sir Bob Geldof before he is off on a long, sweary rant about everything he thinks...


Abandon Australia Day and choose the history we want to celebrate?

Australia Day is the anniversary of the arrival of the First Fleet in Australia. On 26 January 1788, 11 convict...


Speaking up for the disappearing art of listening

Columnist Peter Leith is 91 and describes himself as "half-deaf and half-blind". But he sees and hears a lot and...


Hyperpigmentation: How to tackle those tricky dark patches on your ski

There are plenty of great things about summer - sunshine, picnics and fruity cocktails immediately spring to mind - but...


Enthralling, dystopian, sublime: NGV Triennial has a huge 'wow' factor

Refik Anadol: Quantum memories 2020 (render) custom software, quantum computing, generative algorithm with artificial intelligence (AI), real time digital animation...


Where to eat, drink and play on Kangaroo Island

Australia's third largest island is an oasis of pristine wilderness, premium produce and hidden secrets ripe for discovery. Easily accessible...


Will you need a vaccination to visit Australian venues?

State premiers have suggested that once vaccinations begin in Australia, those without vaccinations may be banned from visiting some venues...