Morning Overview

6 email habits that keep scammers out of your accounts.

Business email compromise has cost victims a combined $55 billion, and the attack method relies on a simple trick: gaining control of an email inbox and using it to reset passwords, redirect payments, and impersonate trusted contacts. Federal agencies including the FBI, CISA, and NIST have each published guidance identifying email as the single highest-value target for scammers, because it functions as the master key to nearly every other online account. Six specific habits, drawn from those federal recommendations, can sharply reduce the odds of an account takeover.

Why email is the master key scammers want most

The FBI’s Internet Crime Complaint Center documented billions in losses from business email compromise in a public service announcement focused on how criminals exploit compromised inboxes. Once attackers control an email account, they can trigger password resets on banking portals, payroll systems, and cloud storage platforms without ever needing those separate credentials. The IC3 warning describes a pattern in which scammers use hijacked email to impersonate executives, vendors, or attorneys, then redirect wire transfers and steal sensitive data from organizations that never realize the initial breach point was a single inbox.

That pattern extends well beyond businesses. Personal email accounts serve the same reset function for social media profiles, tax filing services, and medical portals. A scammer who controls one Gmail or Outlook inbox can lock a person out of dozens of linked accounts within minutes. The speed of these takeovers is what makes prevention habits, rather than after-the-fact response, the only reliable defense.

Six habits federal agencies recommend to block inbox takeovers

CISA’s guidance for small and medium businesses treats multifactor authentication as the top defensive measure and ranks email as the first account that should receive it. The agency’s recommendations for requiring multifactor authentication emphasize that a single stolen password should never be enough to access sensitive systems. The consumer-facing guidance, published under the banner of stronger sign-in practices, frames the same point for individuals: enable MFA everywhere, but start with email because it controls recovery for everything else. Drawing on both CISA documents and the NIST Digital Identity Guidelines, six concrete habits emerge.

  • Turn on MFA for every email account immediately. CISA’s small-business materials identify multifactor authentication as the single most effective step a business or individual can take to prevent unauthorized access. Most major email providers offer this in their security settings, and activation typically takes less than five minutes. Even basic app-based or SMS codes are far better than relying on a password alone.
  • Choose phishing-resistant authenticators over SMS codes. CISA’s consumer guidance recommends moving toward stronger MFA methods such as hardware security keys or authenticator apps. SMS-based codes can be intercepted through SIM-swapping attacks or exposed when messages appear on lock screens. Hardware keys and app-based one-time codes are far harder for attackers to intercept remotely, especially when combined with device-based prompts that show which site is requesting access.
  • Treat account recovery options as part of your authentication security. NIST Special Publication 800-63, the federal standard for digital identity guidelines, treats recovery paths with the same rigor as login credentials. A weak recovery phone number, an outdated backup email, or security questions with easily guessed answers can undo strong MFA. Reviewing and updating recovery options at least twice a year closes a gap that many users overlook and ensures that if you lose a device, an attacker cannot simply use an old phone number or inbox to reclaim your account.
  • Store backup codes offline and securely. When MFA is enabled, most providers generate one-time backup codes for emergencies. Saving these in a password manager or a physical safe prevents lockout while keeping them away from attackers who might access cloud-synced notes, screenshots, or unencrypted files. Printing codes or writing them down is safer than leaving them in email drafts or online documents that share the same account you are trying to protect.
  • Monitor login alerts and act on unfamiliar activity within hours. Google, Microsoft, and Apple all offer real-time notifications when a new device or location accesses an account. Responding quickly to an alert, by changing the password, reviewing recent activity, and revoking suspicious sessions, can stop an attacker before they reach linked accounts or set up forwarding rules. Ignoring or dismissing these alerts is one of the most common mistakes documented in compromise reports, because it gives intruders time to quietly map out and exploit connected services.
  • Never click password-reset links you did not request. The IC3 warning on business email compromise describes how attackers send fraudulent reset notices to trick users into handing over credentials on spoofed login pages. If a reset email arrives unexpectedly, the safest response is to go directly to the provider’s website by typing the URL manually or using a trusted bookmark, then check whether a legitimate reset was triggered. Deleting the suspicious message and, if necessary, changing your password from a known-good session prevents attackers from using social engineering to bypass technical protections.
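As an added illustration, not code from the original article or from any email provider's tooling, the following Python script triages a constructed set of account-activity events the way the login-alert habit above describes: it flags sign-ins from an unfamiliar device or location, and flags sensitive changes such as a new forwarding rule or a changed recovery phone only when they follow such a sign-in within a day. The event format, the known-device and known-location lists, and all sample values are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical export format (not any real provider's schema).
# A normal login, then a login from an unknown device and country followed by the kind of
# changes an intruder makes to keep access: a forwarding rule and a new recovery phone.
EVENTS = [
    {"ts": "2024-03-01T08:00:00", "type": "login", "device": "laptop-home", "geo": "US"},
    {"ts": "2024-03-03T02:14:00", "type": "login", "device": "android-unknown", "geo": "RO"},
    {"ts": "2024-03-03T02:20:00", "type": "forwarding_rule_created", "target": "mailbox@example.net"},
    {"ts": "2024-03-03T02:25:00", "type": "recovery_phone_changed", "target": "+1-555-0100"},
    {"ts": "2024-03-10T09:00:00", "type": "login", "device": "laptop-home", "geo": "US"},
]

KNOWN_DEVICES = {"laptop-home"}   # devices the owner recognises (assumed)
KNOWN_GEOS = {"US"}               # countries the owner normally signs in from (assumed)
SENSITIVE_CHANGES = {"forwarding_rule_created", "recovery_phone_changed",
                     "recovery_email_changed", "mfa_disabled"}
FOLLOW_UP_WINDOW = timedelta(hours=24)  # a sensitive change this soon after an odd login is linked to it


def triage(events, known_devices=KNOWN_DEVICES, known_geos=KNOWN_GEOS):
    """Return (timestamp, reason) findings, oldest first.

    Unfamiliar logins are flagged on their own. Sensitive changes are flagged only
    when they follow an unfamiliar login within FOLLOW_UP_WINDOW, because the owner
    changing settings from a known device is expected behaviour, not a takeover signal.
    """
    findings = []
    odd_logins = []  # timestamps of logins that did not match a known device or location
    for e in sorted(events, key=lambda ev: ev["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "login":
            reasons = []
            if e.get("device") not in known_devices:
                reasons.append("new device")
            if e.get("geo") not in known_geos:
                reasons.append("new location")
            if reasons:
                odd_logins.append(t)
                findings.append((e["ts"], "unfamiliar login: " + ", ".join(reasons)))
        elif e["type"] in SENSITIVE_CHANGES:
            if any(timedelta(0) <= t - s <= FOLLOW_UP_WINDOW for s in odd_logins):
                findings.append((e["ts"], f"{e['type']} shortly after unfamiliar login"))
    return findings


if __name__ == "__main__":
    for ts, reason in triage(EVENTS):
        print(ts, reason)
```

Each finding is a prompt for the response the article describes: change the password from a known-good session, review recent activity, revoke the unfamiliar session, and remove any forwarding rule or recovery change you did not make.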

Each of these habits targets a specific step in the attack chain that federal agencies have documented. Together, they raise the cost and difficulty of an inbox takeover significantly, forcing many attackers to move on to easier targets.

What the evidence does not yet prove about MFA timing

A reasonable working theory holds that individuals who enable phishing-resistant MFA on email within 48 hours of receiving any password reset notice would experience dramatically fewer subsequent account takeovers compared to those relying on SMS-based codes alone. The logic tracks with every federal recommendation: stronger authenticators block more attacks, and faster response limits the window for exploitation.

No publicly available dataset, however, confirms a specific reduction rate tied to that 48-hour window or to a particular combination of MFA methods. Existing public reports from law enforcement and security agencies tend to aggregate incidents after the fact, focusing on total losses and broad attack patterns rather than the minute-by-minute sequence of how each account was secured. As a result, there is not yet enough evidence to claim that enabling a hardware key within a certain number of hours will reduce risk by a precise percentage.

This gap in quantified evidence does not undermine the underlying guidance. Instead, it highlights how difficult it is to measure prevention in the real world. Many people enable MFA only after an attempted compromise, and organizations often discover business email compromise weeks or months after the initial intrusion. By the time an incident is reported, logs may be incomplete or inconsistent across providers, making it nearly impossible to reconstruct exactly when a user changed settings relative to an attacker’s first move.

For now, the most defensible position is to treat phishing-resistant MFA and rapid response as complementary best practices rather than as a formula with guaranteed numerical outcomes. Turning on strong MFA for email before any suspicious activity occurs remains the ideal. When that is not the case, enabling it as soon as a reset notice or login alert appears still meaningfully shrinks the opportunity for attackers to escalate access, even if the exact impact cannot be expressed as a precise percentage reduction in risk.

Future research could close this evidence gap by combining anonymized telemetry from major email providers with incident reports from agencies like the FBI and CISA. With better data on when users enable different types of MFA relative to suspicious events, it may become possible to quantify how much benefit early adoption and rapid changes provide. Until then, the practical takeaway stays simple: treat your inbox as the master key it is, follow the federal guidance on multifactor authentication and recovery, and respond quickly to any sign that someone else is trying to use your email as a gateway into the rest of your digital life.

*This article was researched with the help of AI, with human editors creating the final content.