Blog / Identity Theft

What to do if a scammer has your email address: Steps to take right away

Your email address is more than just a means of contacting you — it’s closely tied to your online accounts, personal information, and even your financial security. Should you be worried if a scammer has your email address? Yes, but don’t panic — take action. So, what do you do if a scammer has your email address? In this article, you’ll learn exactly what steps to take to secure your account, protect your sensitive information from identity theft, and stop scammers from doing more damage.

Author image

Violeta Lyskoit

June 13, 2025

13 min read

What can someone do with your email address? 

Your email address might not seem as sensitive as your Social Security number (SSN) or financial information, but it can still provide scammers with a starting point to wreak havoc on your life. It’s often the gateway to many parts of your digital life, from banking apps to social media and other online accounts.

Email-related fraud generally falls into two types: scams that occur without direct access to your email account and scams that happen when someone has gained access.

  • Without access to your email account, scammers can send phishing emails, conduct credential stuffing attacks, or gather more personal information to commit identity theft.
  • With access to your email account, fraudsters can hack your other online accounts, access sensitive personal data stored in your inbox, or impersonate you to scam your contacts.

Scammers don’t need much to start their attacks — simply having your email address is enough to start a chain reaction. But can a scammer do anything with just your email address? Not everything, but they can do more than you might expect.

While an email address alone isn’t as sensitive as a password or Social Security number, it’s often the starting point for phishing attempts or building a profile about you based on publicly available information.

To learn more about the risks, take a look at our detailed guide on what someone can do with your email address.

PRO TIP #1: Do you know what someone can do with your Social Security number (SSN)? Someone with your SSN can steal your identity, open credit accounts, file fraudulent tax returns, or even commit financial fraud in your name. Protect it like your most valuable asset.

How do scammers get your email address?

Scammers are creative, and they have plenty of ways to find your email address. Some of the most common sources or ways scammers can get your email address include:

  • Data breaches. Hackers break into company databases and steal personally identifiable information (PII), including email addresses. These emails can end up on the dark web or in the hands of cybercriminals.
  • Social media. Scammers check social media profiles where people often list their email addresses in bios, posts, or comments. LinkedIn and Facebook are particularly popular targets.
  • Public directories and websites. If you’ve ever listed your email address on a public website, such as a job board, a forum, or a personal blog, scammers can easily find it.
  • Phishing attacks. Fake websites, ads, or emails trick victims into entering their email address and other credentials. For example, a fake survey might ask for your email as part of a scam.
  • Data brokers. Companies collect and sell email addresses to advertisers. Once sold, these lists can land in the hands of spammers or scammers.
  • Email chains. Replying to forwarded emails or participating in public email chains may expose your email to malicious actors. They can grab email addresses shared throughout the chain.
  • Guessing. Scammers often successfully guess email addresses using common formats (such as [email protected]). This technique is called email enumeration.
  • Fake contests and freebies. Scammers set up fake giveaways or freebies to lure victims into providing their email addresses. They often use this tactic to collect many valid email addresses.
  • Old or inactive online accounts. Forgotten sensitive accounts you no longer use, especially those on websites that suffered breaches, are a goldmine for scammers. These online accounts are often less secure and rarely monitored.

Signs that your email has been hacked

Several signs can help you recognize email account compromise. So how do you know if your email has been hacked?

  • You can’t log into your account. If your usual password no longer works and password recovery options fail, a hacker may have changed it to lock you out.
  • Friends or contacts receive strange emails from you. If people in your contact list bring up emails you didn’t send (these often contain strange links or requests), it’s a sign your email account has been compromised. You can tell that an email is a phishing scam if it creates urgency, comes from an unverified sender, contains suspicious links or attachments, or has errors in grammar and design.
  • You notice unusual login activity. Many email providers show recent login locations. If you see login attempts from unfamiliar places, devices, or times, a hacker may have accessed your account.
  • Your “Sent” folder has emails you don’t recognize. Check your sent messages. If you see emails there that you didn’t write, someone may be using your email account to scam others.
  • You’re receiving unexpected MFA or password reset emails. Scammers often try to log into your accounts by triggering password resets or multi-factor authentication (MFA). If you didn’t request them, it could mean someone is trying to hack your email.
  • You notice strange messages or notifications in your inbox. Look out for emails that confirm purchases, password resets, or new device authorizations that you don’t recognize.
  • Spam overwhelms your inbox. A sudden increase in spam emails can signal that attackers want to distract you. They may be attempting to hide important security alerts in the flood of spam.
  • Your other accounts are compromised. Hackers typically start with your email account. Next, they can take control of linked accounts, like social media profiles, banking apps, or shopping websites.

PRO TIP #2: Do you know what someone can do with your phone number? If a scammer gets hold of it, they can perform SIM swaps, intercept two-factor authentication codes, send phishing texts (smishing), or even track your location. Keep your phone number private and protected.

What to do if a scammer has your email address

Finding out a scammer has your email address can be alarming, but you can take steps to protect yourself. The severity of the situation depends on whether a scammer simply knows your email address or has actually gained access to your account. Either way, act quickly to help minimize potential damage.

What to do if a scammer knows your email address

Even if a scammer only knows your email address without your password, you're still at risk. Scammers can use your email address as a starting point for various attacks, from sending you targeted phishing emails to attempting to break into your other accounts. Take protective steps now to prevent more serious problems later.

  • Don't respond to suspicious emails. Ignore and delete any strange emails you receive. By responding, you confirm your email is active, which makes you a target for more scams.
  • Use spam filters. Adjust your email settings to filter out potential phishing and spam messages. Most email providers allow you to customize these settings.
  • Remove your email from public websites. Use search engines to find where your email appears online and request removal from those sites. Consider using a data removal service to help with this process.
  • Report phishing attempts. Forward suspicious emails to your email provider's anti-phishing team and to organizations like the Anti-Phishing Working Group at [email protected].
  • Create a separate email for online signups. Use a different email address for newsletters, shopping, and social media to keep your primary email safer from potential data breaches.
  • Be vigilant about phishing tactics. Learn to spot fake emails by checking sender addresses, hovering over links before clicking, and being suspicious of urgent requests or too-good-to-be-true offers.
  • Consider using email aliases. Many email providers allow you to create temporary or alternate addresses that forward emails to your main email account.
  • Monitor your accounts regularly. Check your email and connected accounts for suspicious activity, login attempts, or messages you didn't send.
  • Use different passwords for different online services. If scammers try to use your email to access your other accounts, unique passwords will keep them from succeeding even if they guess one password correctly.

PRO TIP #3: How can I stop someone from using my email address?

If someone is using your email address without actually accessing your account (known as email spoofing), you should:

  1. Contact your email provider to report the abuse.
  2. Review recent logins to check that your account hasn't been compromised.
  3. Consider setting up email authentication protocols like SPF, DKIM, or DMARC if you have a custom domain.
  4. Use email filtering to block messages from known spammers.
  5. Consider creating a new email address for your most important communications.

What to do if a scammer has access to your email account

If a scammer has gained access to your email account, the situation is more serious. However, you can take steps to regain control and limit the damage.

  • Change your password immediately. Create a strong, unique password that’s at least 12 characters long. Include a mix of uppercase and lowercase letters, numbers, and symbols. Avoid reusing old passwords or choosing ones that are easy to guess, such as your birthdate or pet’s name.
  • Enable two-factor authentication (2FA). Set up 2FA to add an extra layer of security. 2FA will require a second form of authentication, such as a code sent to your phone, when logging into your account. Even if a hacker knows your password, 2FA can stop them from accessing your email.
  • Review recent account activity. Check your email’s login history for unfamiliar devices or locations. Many email providers let you see this information in your account’s security settings. If you spot suspicious activity, document it and take action ASAP.
  • Log out of all devices. Go into your email account settings and choose to end all active sessions. This action will remove access for anyone currently logged in, including scammers.
  • Update your account recovery options. Review and update your recovery email and phone number to make sure they haven’t been changed. Hackers often alter these settings to lock you out of your own account.
  • Notify your contacts. Let your friends, family, and colleagues know your email has been hacked. Hackers may have sent messages pretending to be you in an attempt to scam them. Warn them not to click on links or respond to suspicious emails from your email address.
  • Scan your devices for malware. Use antivirus or anti-malware software to thoroughly scan your computer, phone, or tablet for any malicious programs that may have given the scammer access to your account. Remove any threats found.
  • Check for unauthorized transactions. Review bank statements, credit card bills, and online payment accounts for suspicious charges or purchases. Hackers often target financial information stored in your email.
  • Change passwords for linked accounts. Update passwords for all your accounts, including those connected to your email, such as social media, online banking, and shopping websites. Consider using a password manager to keep track of them securely.
  • Report the hack. Most email providers have procedures in place for reporting unauthorized access and recovering compromised accounts. If you've become a victim of identity theft or financial scams such as check fraud, you should also report the incident to the FTC or other relevant authorities.

TL;DR: My email has been hacked. How do I fix it?

If you've confirmed your email has been hacked and someone has actual access to your account, you should:

  1. Try to reclaim your email account using the "Forgot password" feature.
  2. Contact your email provider's support team if you can't regain access.
  3. Once you regain access, change your password and security questions.
  4. Enable 2FA authentication.
  5. Scan your devices for malware.
  6. Alert your contacts about the hack.
  7. Review all connected accounts for suspicious activity.
  8. Monitor financial accounts closely for fraud.
  9. Consider freezing your credit if you suspect identity theft.

When should you consider creating a new email address?

Sometimes, even after you’ve taken all possible precautions — changed passwords, enabled multi-factor authentication, and reported phishing attempts — scammers might still target your email address. If your inbox continues to overflow with spam, it may be time to take the ultimate step, which is to create a new email address.

Switching to a new email address may feel inconvenient and overwhelming. However, if scammers have your old email address in their grasp, starting fresh could be the best way to regain control over your online life.

How to prevent your email address from being leaked

One of the best ways to protect yourself from scams, spam, and hacks is to prevent your email address from falling into the wrong hands. You can take several smart steps to reduce the risk of your email address being leaked or misused.

  • Use strong, unique passwords. Always use a password that’s long, random, and made up of upper and lowercase letters, numbers, and special characters. Never reuse passwords across accounts. If you do and a hacker guesses one, they could gain access to several of your accounts. Consider using a password manager to generate and store secure passwords so you don’t have to come up with or remember them yourself.
  • Enable multi-factor authentication (MFA). MFA adds an extra layer of protection to your email by requiring a second step, such as a code sent to your phone, when logging in. MFA ensures that even if someone steals your password, they can’t access your account without the second factor.
  • Be mindful of where you share your email. Only provide your email address to trusted and secure websites, services, or people. Avoid entering your email on public forums, comment sections, or unverified websites that might sell your data to third parties.
  • Subscribe wisely to newsletters and services. Use a dedicated "throwaway" email address for subscriptions, online shopping, or any service that doesn’t absolutely need your primary email address. This approach ensures that even if these websites experience a security breach, your main email stays protected from spam and potential threats.
  • Adjust your email spam filters. Most email providers have spam and phishing filters that block fraudulent emails. Review and fine-tune these filters to minimize unwanted emails in your inbox. Report spam and phishing attempts so they don’t happen again.
  • Consider using email aliases. Many email providers allow you to create alternate email addresses (aliases) attached to your main account. You can use these for signups or less secure activities. If one alias gets leaked, you can easily deactivate it without compromising your primary email.
  • Watch out for phishing attempts. Scammers use phishing emails to trick people into revealing their passwords or other sensitive information. Never click links or download attachments if you’re unsure of the sender’s legitimacy. Verify the sender by contacting the company directly through its known official channels.
  • Use strong privacy settings on social media. Many people unknowingly share their email addresses on public-facing profiles. Review the privacy settings for your social media accounts and make your email address visible only to close connections, or hide it entirely.
  • Consider dark web monitoring tools to protect your email address. Sign up for an identity theft protection service like NordProtect to help safeguard your sensitive information. NordProtect offers a dark web monitoring tool that scans the dark web for leaked sensitive data, such as your email, Social Security number, and phone number. If the tool detects your information, such as your email address, on the dark web, you’ll be alerted.

NordProtect identity theft protection service also offers advanced tools to identify risks in your online footprint and protect your email from being exposed in the first place. It’s an easy, effective way to stay on top of your digital security.

Author image
Violeta Lyskoit

Violeta is a copywriter who turns cybersecurity from confusing to clear. She helps people stay a step ahead of identity thieves with simple, practical advice.

The credit scores provided are based on the VantageScore 3.0® credit score by TransUnion® model. Lenders use a variety of credit scores and may utilize a different scoring model from VantageScore 3.0® credit score to assess your creditworthiness.

You have numerous rights under the FCRA, including the right to dispute inaccurate information in your credit report(s). Consumer reporting agencies are required to investigate and respond to your dispute but are not obligated to change or remove accurate information that is reported in compliance with applicable law. While this plan can provide you assistance in filing a dispute, the FCRA allows you to file a dispute for free with a consumer reporting agency without the assistance of a third party.

No single product can fully prevent identity theft or monitor every single transaction.

Some features may require authentication and a valid Social Security Number to activate. To access credit reports, scores, and/or credit monitoring services (“Credit Monitoring Services”), you must successfully pass your identity authentication with TransUnion®, and your VantageScore 3.0® credit score file must contain sufficient credit history information. If either of these requirements is not met, you will not be able to access our Credit Monitoring Services. It may take a few days for credit monitoring to start after a successful enrollment.

NordProtect's dark web monitoring service scans various sources where users' compromised personal information is suspected of being published or leaked, with new sources added frequently. However, there is no guarantee that NordProtect will locate and monitor every possible site or directory where consumers' compromised personal information is leaked or published. Accordingly, we may not be able to notify you of all your personal information that may have been compromised.

Identity and cyber protection benefits are available to customers residing in the U.S., including U.S. territories and the District of Columbia, with the exception of residents of New York and Washington. Benefits under the Master Policy are issued and covered by HSB Specialty Insurance Company. You can find further details and exclusions in the summary of benefits.

Our identity theft restoration service is part of a comprehensive identity theft recovery package that offers a reimbursement of up to $1 million for identity recovery expenses. To access the support of an identity restoration case manager, you must file a claim with HSB, which NordProtect has partnered with to provide the coverage. HSB is a global specialty insurance company and one of the largest cyber insurance writers in the U.S.