Email Account Compromise (EAC) is one of the most common ways attackers gain access to sensitive information. It happens when a legitimate email account gets hijacked — often through phishing, weak passwords, or other subtle tricks — and is then used to defraud people or entire organizations.
EAC isn’t new, but even with its long history, many professionals still don’t recognize how it works or what signs to watch for.
This guide explains how to recognize the warning signs of an email account compromise, what to do if your account has been breached, and the best email security protection practices to defend against future attacks.
How Does an EAC Attack Lead to an Email Security Breach?
Most email account compromises begin with a phishing email. All it takes is clicking a link, opening the wrong attachment, or typing your password into a login page that looks familiar but isn’t. For a deeper look at how these attacks unfold, see this guide on phishing.
Sometimes it’s brute force: repeatedly guessing weak passwords until one works. However it starts, the result is the same—a legitimate email account quietly handed over to someone who knows exactly what to do with it, often leading to a full-scale email security breach.
Phishing and Weak Passwords in an Email Security Breach
Financial institutions, real estate firms, law offices, and other organizations with high-value transactions have been hit hard, especially in today’s remote work landscape, where Office 365 cloud app security is often relied on, and face-to-face verification is rare. In August, a New York City firm managing luxury properties lost nearly $19 million after a single phishing email resulted in ground-lease payments being moved around haphazardly. All it takes is one small entry point for an attacker, and the losses can reach millions.
Once inside, attackers stay quiet. They monitor inboxes, study writing styles, and slip into ongoing conversations—forwarding invoices or making small, believable requests that rarely raise suspicion. These scams are deliberate, not random, slowly pulling more people into the trap. The playbook isn’t unique to email either. Invoice changes, wire transfers pushed to the wrong account, even impersonation tricks that appear in inboxes also show up in everyday fraud cases. Analyses of common fraud targeting the public point to the same patterns, which makes email account compromise easier to understand as part of a larger problem, not just an isolated cyber issue. For a closer look at how attackers exploit trusted channels, see how exposed emails lead to breaches.
Why Email Security Breaches Are Hard to Detect
The rise of cloud-based platforms like Microsoft 365 Email Security and Google Workspace email security has made EAC even more efficient and dangerous: cyber thieves can open any account, test their methods until they bypass the default filters, and then reuse those methods in attacks targeting thousands of different accounts.
What makes EAC especially hard to detect is that these fraudulent emails come from legitimate accounts. There’s no spoofing involved. The devices, login patterns, and even IP addresses often appear normal. Because the messages are sent from the real account through its own mail service, they pass SPF, DKIM, and DMARC authentication without raising any red flags. They look clean, and they land in inboxes like any other message.
One such message came from a paralegal’s real account at a law firm. It asked a client to “Review Document,” linking to a fake login page rigged with fileless malware. Luckily, this email was identified and quarantined by Guardian Digital EnGarde cloud email security before it reached the client’s inbox. Without this level of advanced email security, the attack could have led to wire fraud and further compromises.
This malicious email originated from the compromised vtaig.com account—one of many legitimate-looking accounts used to launch large-scale social engineering scams. It even passed through a Message Labs (now Symantec.cloud) antispam system before Guardian Digital EnGarde Cloud Email Security quarantined it. Without deeper inspection or advanced email security, these emails would’ve landed just like any other, and without effective email scanning software, the losses in both cases could have been significant.
How to Recognize an Email Security Breach
After reading about the dangers of EAC, you may wonder how to tell if your email account has been hacked and whether you’ve experienced an email security breach. While there is a wide range of cloud email security solutions available, it’s equally important to understand the warning signs that indicate compromise.
One of the first signs is not being able to log in. If your password no longer works, someone may have changed it and locked you out. Once they get in, that's often one of the first things they do.
Signs of an Email Security Breach in Your Account
Next, check your Sent folder. Are there messages you don’t remember sending? If you spot strange subject lines, links you never added, or get replies from people puzzled by your emails, chances are someone’s using your account to impersonate you. Attackers also hide behind phishing link wrappers, tucking malicious URLs inside ones that look legitimate to slip past filters.
Most email providers let you see a log of recent activity. If you notice logins from places or devices you don’t recognize, it’s a clear sign someone else may be inside your account.
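The recent-activity review described above can be done mechanically. The following is an added example, not part of the original article: the CSV columns, the sample rows (documentation IP ranges) and the baseline date are all constructed assumptions.

```python
import csv
import io
from datetime import datetime

# Constructed sample of a "recent activity" export; column names are assumptions.
ACTIVITY = """\
time,ip,country,device
2024-03-01T08:58:00,198.51.100.7,US,Windows/Outlook
2024-03-04T09:02:00,198.51.100.7,US,Windows/Outlook
2024-03-06T18:40:00,203.0.113.20,US,iPhone/Mail
2024-03-11T03:14:00,192.0.2.55,NL,Linux/IMAP
2024-03-11T09:01:00,198.51.100.7,US,Windows/Outlook
2024-03-12T03:20:00,192.0.2.55,NL,Linux/IMAP
"""

# Logins before this date are treated as the owner's known-good history.
BASELINE_UNTIL = datetime(2024, 3, 10)


def load(text):
    """Parse the export into rows with a real datetime in 'time'."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["time"])
    return rows


def unfamiliar_logins(rows, baseline_until=BASELINE_UNTIL):
    """Return later logins whose country or device never appears in the baseline."""
    baseline = [r for r in rows if r["time"] < baseline_until]
    known_countries = {r["country"] for r in baseline}
    known_devices = {r["device"] for r in baseline}
    flagged = []
    for r in rows:
        if r["time"] < baseline_until:
            continue
        reasons = []
        if r["country"] not in known_countries:
            reasons.append("new country")
        if r["device"] not in known_devices:
            reasons.append("new device")
        if reasons:
            flagged.append((r["time"].isoformat(), r["ip"], reasons))
    return flagged


if __name__ == "__main__":
    for when, ip, reasons in unfamiliar_logins(load(ACTIVITY)):
        print(when, ip, ", ".join(reasons))
```

The baseline is fixed rather than updated as new logins arrive, so a repeated intruder login is flagged every time instead of becoming "known". An empty result does not clear the account, since compromised sessions often look normal.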
Don’t overlook your contacts. A friend or coworker may ask why you’re sending them spam or strange messages—that’s often the first sign.
What to Do Immediately After an Email Security Breach
It’s crucial to know what to do immediately if your email account is hacked, both to limit the damage of the email security breach and to resolve the issue. If you find out that someone has taken over your email account, you should do the following:
- Notify law enforcement and your financial institution, especially if you’ve discovered fraudulent wire transfers.
- Request that your bank contact the financial institution where the fraudulent transfer was sent.
- File a complaint at www.IC3.gov, regardless of monetary loss. Provide any relevant information in your complaint and identify that your complaint pertains to the email security breach caused by the EAC scam.
- Change any password that is the same as your email password.
FAQ: Can attackers still access my email after I change my password?
Yes. If attackers have already set up forwarding rules or added recovery options, they can still monitor your emails even after you reset your password. To fully secure your account after an email security breach, review your settings for suspicious activity, remove unfamiliar rules, and enable multi-factor authentication. Remember, vulnerabilities don’t stop at desktops—mobile devices can expose sensitive information too. Learn more about how mobile is the new target.
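A settings review of the kind described above, written as an added example that is not part of the original article. The export format, field names, domains and recovery values are constructed assumptions. It also goes one step beyond forwarding by flagging rules that hide mail from the owner.

```python
OWN_DOMAINS = {"firm.example"}  # assumption: mail domains the organization owns
KNOWN_RECOVERY = {"j.doe@firm.example", "+1-555-0100"}  # options the owner set up

# Constructed settings export; the field names are hypothetical, not a provider schema.
SETTINGS = {
    "mailbox_forwarding": "",
    "recovery": ["j.doe@firm.example", "recover@mailbox-sync.example"],
    "rules": [
        {"name": "Newsletters", "forward_to": [], "move_to": "Reading",
         "mark_read": False, "delete": False},
        {"name": ".", "forward_to": ["copy@mailbox-sync.example"], "move_to": None,
         "mark_read": False, "delete": False},
        {"name": "..", "forward_to": [], "move_to": "RSS Feeds",
         "mark_read": True, "delete": False},
    ],
}


def is_external(address):
    """True when the address is outside every domain the organization owns."""
    domain = address.rsplit("@", 1)[-1].lower()
    return not any(domain == d or domain.endswith("." + d) for d in OWN_DOMAINS)


def audit(settings):
    """Return (kind, subject, detail) findings that survive a password reset."""
    findings = []
    forwarding = settings.get("mailbox_forwarding")
    if forwarding and is_external(forwarding):
        findings.append(("external-forward", "<mailbox>", [forwarding]))
    for rule in settings.get("rules", []):
        external = [a for a in rule.get("forward_to", []) if is_external(a)]
        if external:
            findings.append(("external-forward", rule["name"], external))
        # A rule that deletes mail, or marks it read and files it away,
        # keeps the owner from noticing replies to the attacker's messages.
        if rule.get("delete") or (rule.get("mark_read") and rule.get("move_to")):
            findings.append(("hides-mail", rule["name"], [rule.get("move_to")]))
    for option in settings.get("recovery", []):
        if option not in KNOWN_RECOVERY:
            findings.append(("unknown-recovery", option, []))
    return findings


if __name__ == "__main__":
    for finding in audit(SETTINGS):
        print(finding)
```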
FAQ: What should I do if my client or colleague reports receiving a suspicious email from me?
First, confirm whether your account has been compromised. If you confirm an email security breach, immediately notify your contacts from a secured account, explain the situation, and advise them not to interact with the fraudulent email. Reporting quickly helps protect your reputation and reduces the financial fallout often tied to EAC scams.
Best Email Security Protection Tips to Defend Your Account
While EAC is a challenging scam to detect and stop, users should take steps to protect themselves and their contacts from EAC by engaging in these best practices:
- Think before you click! Take adequate time to thoroughly evaluate each email you receive before clicking on links, opening attachments, or interacting in any way.
- Watch for small changes in email addresses that mimic legitimate ones.
- Verify any changes to wire transfer instructions by contacting the associated parties through a recognized channel.
- Use a two-step verification process for wire transfers.
- Know your customer. Be aware of your client’s typical wire transfer activity and question any suspicious behavior.
Critically Important: Implement a fully supported cloud email security solution capable of detecting and blocking EAC scams and other advanced threats to ensure every email that reaches your inbox is safe and legitimate. Use our free Email Risk Assessment Toolkit to evaluate your email risk profile and get customized advice on strengthening your email security protection.

