Morning Overview

6 email habits that keep scammers out of your accounts

Account-takeover scams have already cost Americans more than $262 million since January 2025, according to the FBI, which logged over 5,100 account-takeover complaints in that span. Because a single compromised email address can unlock banking portals, social media profiles, and cloud storage through password-reset links, the six daily habits outlined below are the cheapest line of defense most households have not yet put in place.

Account takeover losses hit $262 million as email stays the weakest link

The FBI’s Internet Crime Complaint Center recorded more than 5,100 account-takeover complaints since January 2025, with combined losses exceeding $262 million, in an alert about fraudulent bank-support impersonation. The agency describes a consistent pattern: criminals send emails or texts that appear to come from a victim’s financial institution, then coax login credentials and even one-time passcodes from people who believe they are speaking with legitimate staff. Once inside an email inbox, attackers can trigger password resets across every linked service, turning one stolen credential into a full financial takeover.

Email is the reset key for almost every other online account. That structural reality means a handful of inbox-level habits can either block or accelerate an attacker’s access. The six practices below draw on federal guidance from the FBI, the Federal Trade Commission, the National Institute of Standards and Technology, and the United Kingdom’s National Cyber Security Centre.

Six daily habits that shut down the most common attack paths

1. Never share verification codes delivered by text or email. The FBI alert specifies that attackers often succeed by obtaining “credentials and even MFA codes” through social engineering. No legitimate bank or tech company will ask a customer to read back a one-time code over the phone or paste it into a chat window. Treating every such request as fraudulent, regardless of how convincing the caller or message appears, removes the single step that converts a phishing attempt into a confirmed breach.

That rule applies even when a message seems to reference a real transaction. If a caller claims there is suspicious activity on your account and asks for a code, the safer move is to hang up and call the number printed on the back of your bank card or listed on the institution’s official website. Using a trusted phone number or app, rather than any contact information supplied in the suspicious message, breaks the attacker’s control of the conversation.

2. Inspect sender addresses and URLs before clicking. The FTC’s phishing guidance warns that scam emails frequently mimic trusted brands with slight misspellings, swapped characters, or extra words in the domain name. The display name on a message and the address behind it are separate fields, so check both. Hovering over a link to preview its destination (on a phone, a long press shows the same preview), instead of clicking immediately, takes seconds and often reveals that the visible link text and the real destination do not match, a mismatch the message body is designed to hide. The same FTC advice on spotting phishing attempts encourages consumers to report suspicious emails and texts to regulators and service providers, because those reports help identify emerging campaigns and takedown needs.

Simple visual checks can be surprisingly effective. A supposed bank notice arriving from a free webmail address, or a shipping alert that directs you to a domain unrelated to the carrier’s official site, is a strong sign of fraud. Be especially wary of a familiar brand name appearing at the start of a long hostname: what matters is the registered domain at the end, not the words in front of it. When in doubt, navigate to the organization’s website by typing its address directly into your browser, rather than following embedded links.
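The checks in habit 2 can be automated. The script below is an added example, not code from the article or any product it mentions: it parses a constructed phishing message with Python’s standard `email` module, compares the display name with the sending domain, and compares each link’s visible text with the registered domain it actually points to. The brand domain, the free-webmail list, and the sample messages are assumptions made for the demo; the domain-splitting helper takes the last two labels, which is enough for `.com`-style names but should be replaced by a Public Suffix List lookup in real tooling.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample (not a real message): a "bank" notice sent from a free
# webmail address whose visible link text hides a lookalike destination.
SAMPLE_EMAIL = """\
From: "Example Bank Security" <examplebank.alerts@gmail.com>
To: customer@example.net
Subject: Urgent: verify your account
Content-Type: text/html; charset="utf-8"

<p>Unusual activity detected. Confirm your identity at
<a href="http://examplebank.com.verify-login.xn--bank-fake.example/reset">https://www.examplebank.com/security</a>
within 24 hours.</p>
"""

# Constructed sample of a legitimate notice, for comparison.
CLEAN_EMAIL = """\
From: "Example Bank" <alerts@examplebank.com>
To: customer@example.net
Subject: Your statement is ready
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="https://www.examplebank.com/">https://www.examplebank.com/</a>.</p>
"""

# Illustrative lists (assumption): extend with the brands and providers you care about.
FREE_WEBMAIL = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "icloud.com"}
BRAND_DOMAINS = {"examplebank.com"}

LINK_RE = re.compile(r'<a\s[^>]*?href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT_RE = re.compile(r'https?://[^\s<"]+', re.I)


def registrable_domain(host):
    """Last two labels of a hostname. Adequate for .com-style names only;
    production code should consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def text_parts(msg):
    """Yield the decoded text/html and text/plain bodies of a parsed message."""
    for part in msg.walk():
        if part.get_content_type() in ("text/html", "text/plain"):
            payload = part.get_payload(decode=True) or b""
            yield payload.decode(part.get_content_charset() or "utf-8", "replace")


def inspect_message(raw):
    """Return a list of (check, detail) findings for a raw RFC 822 message."""
    findings = []
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    brands_named = [b for b in BRAND_DOMAINS
                    if b.split(".")[0] in display.lower().replace(" ", "")]

    # Sender check: a brand in the display name, but the address behind it is
    # free webmail or some other domain the brand does not own.
    if brands_named and sender_domain in FREE_WEBMAIL:
        findings.append(("sender-webmail", f"{display!r} sent from {sender_domain}"))
    elif brands_named and registrable_domain(sender_domain) not in BRAND_DOMAINS:
        findings.append(("sender-domain-mismatch", f"{display!r} sent from {sender_domain}"))

    # Link check: what the link text shows versus where the href really goes.
    for body in text_parts(msg):
        for href, text in LINK_RE.findall(body):
            parsed = urlparse(href)
            host = parsed.hostname or ""
            target = registrable_domain(host)
            if parsed.scheme.lower() == "http":
                findings.append(("plain-http", href))
            if "xn--" in host:  # internationalised label; often a homoglyph lookalike
                findings.append(("punycode-host", host))
            for brand in BRAND_DOMAINS:
                if brand in host and target != brand:  # brand name used as a subdomain
                    findings.append(("brand-in-subdomain", host))
            shown = URL_IN_TEXT_RE.search(text)
            if shown:
                shown_target = registrable_domain(urlparse(shown.group()).hostname or "")
                if shown_target != target:
                    findings.append(("link-text-mismatch", f"shows {shown_target}, goes to {target}"))
    return findings


if __name__ == "__main__":
    for check, detail in inspect_message(SAMPLE_EMAIL):
        print(f"{check:22} {detail}")
    print("clean message findings:", inspect_message(CLEAN_EMAIL))
```

Run against the constructed phishing sample it reports five problems (webmail sender, plain HTTP, punycode host, brand used as a subdomain, link text pointing somewhere else) and nothing for the legitimate notice. The same idea scales to a mailbox export: feed each message through `inspect_message` and review anything that returns findings.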

3. Turn on app-based two-factor authentication for the email account itself. The FTC draws a clear distinction between weaker and stronger second-factor options. Authenticator apps such as Google Authenticator or Microsoft Authenticator generate codes locally on a device from a secret shared once at setup, which means the codes are never sent over the phone network and cannot be intercepted in transit or captured by SIM-swapping the way SMS codes can. In its guidance on using two-factor protections, the agency notes that codes delivered by email are particularly risky, because anyone who compromises that inbox can immediately obtain them.

Securing the email account with app-based codes closes that loop. Even if a password leaks in a separate breach, an attacker would still need the current code from the device running the authenticator app, which a remote attacker can obtain only by tricking you into handing it over (see habit 1) or by relaying it from a fake login page while it is still valid. For most households, enabling this setting on their primary email account is the single highest-impact change they can make in under ten minutes.

4. Audit sent folders and forwarding rules after any unusual activity. Attackers who gain temporary access often set up silent forwarding rules so that copies of every incoming message, including future password-reset links and bank alerts, route to an external address they control. A common variant is a filter that archives, marks as read, or deletes messages matching words like “password” or “verification” so that the owner never sees the alerts. They may also send test messages to themselves or to accomplices, leaving faint traces in the sent-mail history. The FTC’s account-recovery checklists emphasize that after any sign of compromise, such as password-reset notifications you did not request or unfamiliar logins, users should review both sent folders and forwarding settings before assuming the problem is fixed.

That audit should become a habit after any suspicious incident, not just confirmed breaches. If you receive alerts about sign-ins from a new device, or friends report strange messages from your address, log in from a trusted device, change your password, verify recovery options, sign out of all other sessions and revoke any app passwords or third-party access you do not recognize, and then scan for forwarding rules or filters you did not create. Removing those hidden hooks prevents attackers from lingering in the background.
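A rule audit is easier to do thoroughly with a script than by scrolling through settings. The example below is added here and is not part of the article or of any provider’s tooling. It reads a constructed filter export modelled on the XML that Gmail’s “Export filters” feature produces (an Atom feed of `entry` elements carrying `apps:property` pairs; check this assumption against your own export before relying on it) and flags the three patterns described above: forwarding to a domain the owner does not control, forwarding combined with an action that hides the message, and filters that hide mail matching sensitive words. The owner’s domain list and the keyword list are assumptions for the demo.

```python
import xml.etree.ElementTree as ET

ATOM_NS = "http://www.w3.org/2005/Atom"
APPS_NS = "http://schemas.google.com/apps/2006"

# Constructed export (not a real account): one benign rule and two that an
# intruder would plant. Format modelled on Gmail's filter export; verify it
# against your own export, the property names are an assumption here.
SAMPLE_EXPORT = f"""<feed xmlns="{ATOM_NS}" xmlns:apps="{APPS_NS}">
  <entry>
    <title>Mail Filter</title>
    <apps:property name="from" value="newsletter@example.org"/>
    <apps:property name="label" value="Newsletters"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name="hasTheWord" value="password OR reset OR verification"/>
    <apps:property name="forwardTo" value="collector@attacker.example"/>
    <apps:property name="shouldTrash" value="true"/>
  </entry>
  <entry>
    <title>Mail Filter</title>
    <apps:property name="from" value="alerts@examplebank.com"/>
    <apps:property name="shouldMarkAsRead" value="true"/>
    <apps:property name="shouldArchive" value="true"/>
  </entry>
</feed>
"""

# Domains the account owner legitimately forwards to (assumption for the demo).
OWN_DOMAINS = {"example.net"}
# Words that mark mail an intruder wants to see and the owner must not miss.
SENSITIVE_WORDS = ("password", "reset", "verification", "code", "bank", "invoice")
# Actions that keep a message out of the owner's sight.
HIDING_ACTIONS = ("shouldTrash", "shouldArchive", "shouldMarkAsRead")
CONDITION_KEYS = ("from", "to", "subject", "hasTheWord")


def parse_filters(xml_text):
    """Return each filter entry as a dict of property name -> value."""
    root = ET.fromstring(xml_text)
    rules = []
    for entry in root.findall(f"{{{ATOM_NS}}}entry"):
        props = {p.get("name"): p.get("value")
                 for p in entry.findall(f"{{{APPS_NS}}}property")}
        rules.append(props)
    return rules


def audit_filters(xml_text):
    """Return (rule_number, check, detail) findings for suspicious filters."""
    findings = []
    for number, rule in enumerate(parse_filters(xml_text), 1):
        conditions = " ".join(v for k, v in rule.items() if k in CONDITION_KEYS).lower()
        hides = [a for a in HIDING_ACTIONS if rule.get(a) == "true"]
        target = rule.get("forwardTo")
        if target:
            domain = target.rpartition("@")[2].lower()
            if domain not in OWN_DOMAINS:
                findings.append((number, "external-forward", target))
            if hides:
                findings.append((number, "forward-and-hide", ",".join(hides)))
        if hides and any(word in conditions for word in SENSITIVE_WORDS):
            findings.append((number, "hides-sensitive-mail", conditions))
    return findings


if __name__ == "__main__":
    for number, check, detail in audit_filters(SAMPLE_EXPORT):
        print(f"rule {number}: {check:22} {detail}")
```

On the constructed export, rule 1 (newsletters to a label) is silent, rule 2 produces three findings, and rule 3, which quietly hides bank alerts without forwarding anything, still produces one. Account-level forwarding addresses are a separate setting from filters and must be checked on their own; for Microsoft 365 mailboxes, administrators can list the equivalent rules with the Exchange Online `Get-InboxRule` cmdlet.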

5. Switch to passkeys or hardware security keys where offered. Passkeys bind authentication to a specific device and use public-key cryptography, which means there is no shared secret (no password, no code) that a phisher can trick you into revealing. NIST’s Digital Identity Guidelines explain why such phishing-resistant authenticators outperform traditional passwords and SMS codes. The protection comes from two checks built into the login: the passkey is scoped to the legitimate site’s domain, so a browser on a lookalike domain has nothing to offer, and the signed response includes the web address the user was actually on together with a one-time challenge from the service, so a response captured or coaxed elsewhere will be rejected by the real service.

Hardware security keys, which plug into a USB port or connect via NFC, offer the same protections with the key material kept on a separate device. The UK’s National Cyber Security Centre recommends enabling passkeys or hardware keys wherever services support them, especially for high-value accounts like email and banking. While setup requires a few extra steps, these tools sharply reduce the risk that a momentary lapse, clicking a convincing phishing link for example, will lead to a full account takeover.
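The contrast between habits 3 and 5 is easiest to see side by side. The following is an added example, not code from the article or from any standard body or vendor it cites. The first part implements the TOTP algorithm (RFC 6238) that authenticator apps use, and shows that a code read off the app and typed into a fake page still works on the real site if relayed within its time window. The second part models the parts of a passkey (WebAuthn) login that make the same trick fail: the authenticator only offers a credential scoped to the real site’s domain, and the relying party checks the origin, the challenge, and the RP ID hash before anything else. One deliberate simplification: real passkeys sign with a private key (ECDSA or EdDSA) that never leaves the device, while this demo substitutes an HMAC so it runs on the standard library alone; the scoping and origin-binding logic is unchanged. The domain names, the suffix rule used for scoping (real browsers apply the registrable-domain rule), and the scenarios are assumptions for the demo.

```python
import hashlib
import hmac
import json
import secrets
import struct
import time
from urllib.parse import urlparse


# ---- Habit 3: TOTP (RFC 6238), as authenticator apps compute it locally ----
def totp(secret, for_time=None, step=30, digits=6):
    """Code derived from a shared secret and the current 30-second window."""
    counter = int((time.time() if for_time is None else for_time) // step)
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def verify_totp(secret, code, at, step=30, skew=1):
    """Server-side check accepting the current window plus/minus `skew` windows.
    Nothing here ties the code to where it was typed: a code relayed from a
    fake page within the window is indistinguishable from a genuine one."""
    return any(hmac.compare_digest(totp(secret, at + k * step, step), code)
               for k in range(-skew, skew + 1))


# ---- Habit 5: passkey assertion, reduced to the checks that defeat phishing ----
class Authenticator:
    """Holds one credential per relying-party ID (the site's registered domain).
    Signature is an HMAC stand-in for the real private-key signature (assumption)."""

    def __init__(self):
        self.credentials = {}  # rp_id -> (credential_id, key)

    def register(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self.credentials[rp_id] = (cred_id, key)
        return cred_id, key  # a real RP would receive only the public key

    def get_assertion(self, rp_id, page_origin, challenge):
        host = urlparse(page_origin).hostname or ""
        # Browser rule (simplified suffix check): rp_id must be the page's domain
        # or a parent of it, so a lookalike domain can never reach this credential.
        if not (host == rp_id or host.endswith("." + rp_id)) or rp_id not in self.credentials:
            raise LookupError(f"no passkey usable at {host}; credential is scoped to {rp_id}")
        cred_id, key = self.credentials[rp_id]
        client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                                  "origin": page_origin}).encode()
        # authenticatorData = SHA-256(rpId) || flags (bit 0 = user present) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
        signed = auth_data + hashlib.sha256(client_data).digest()
        return cred_id, client_data, auth_data, hmac.new(key, signed, hashlib.sha256).digest()


class RelyingParty:
    """The site's verification of an assertion, in the order WebAuthn prescribes."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin, self.keys = rp_id, origin, {}

    def register(self, cred_id, key):
        self.keys[cred_id] = key

    def new_challenge(self):
        return secrets.token_urlsafe(32)

    def verify(self, challenge, cred_id, client_data, auth_data, signature):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
            return False, "challenge/type mismatch"
        if cd.get("origin") != self.origin:
            return False, f"origin {cd.get('origin')} is not {self.origin}"
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not auth_data[32] & 0x01:
            return False, "user-presence flag not set"
        signed = auth_data + hashlib.sha256(client_data).digest()
        expected = hmac.new(self.keys[cred_id], signed, hashlib.sha256).digest()
        return hmac.compare_digest(expected, signature), "signature"


def demo_totp_relay(now=1_700_000_000):
    """Victim reads a code from the app into a fake page; attacker submits it 20 s later."""
    secret = b"12345678901234567890"  # constructed shared secret (RFC 6238 test value)
    code_typed_into_fake_page = totp(secret, now)
    return verify_totp(secret, code_typed_into_fake_page, now + 20)


def demo_passkey():
    """Genuine login succeeds; a lookalike site gets nothing; a replay is rejected."""
    bank = RelyingParty("examplebank.com", "https://www.examplebank.com")
    auth = Authenticator()
    bank.register(*auth.register("examplebank.com"))
    results = {}
    ch = bank.new_challenge()
    results["genuine"] = bank.verify(ch, *auth.get_assertion(
        "examplebank.com", "https://www.examplebank.com", ch))[0]
    try:  # constructed lookalike domain asks the browser for the bank's passkey
        auth.get_assertion("examplebank.com", "https://examplebank.com.verify-login.example", ch)
        results["lookalike"] = "assertion produced"
    except LookupError as err:
        results["lookalike"] = str(err)
    captured = auth.get_assertion("examplebank.com", "https://www.examplebank.com",
                                  bank.new_challenge())
    results["replay"] = bank.verify(bank.new_challenge(), *captured)[0]
    return results


if __name__ == "__main__":
    print("relayed TOTP accepted:", demo_totp_relay())
    for name, outcome in demo_passkey().items():
        print(f"{name:9} {outcome}")
```

The relayed TOTP is accepted because the server can only check that the digits are right for the moment, not where they were typed. The passkey flow never gets that far on a lookalike domain, and even a genuine assertion captured from the real site fails the challenge check when replayed, so there is no code for a scammer to ask for.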

6. Keep email client software and browser extensions updated. Outdated software can expose session tokens, cached credentials, or exploitable bugs even when passwords are strong and multifactor authentication is enabled. The FTC’s phishing guidance includes regular software updates alongside link inspection and multifactor authentication as a core protective habit, because patches close the known vulnerabilities that automated attack kits target first.

That advice extends to browser extensions that interact with email, such as productivity add-ons or third-party inbox managers. Removing tools you no longer use and updating the rest reduces the number of components that could be abused to read or forward messages without your knowledge.

Passkey adoption data and the gaps federal agencies have not filled

A reasonable expectation is that households switching to passkeys on their primary email account shortly after receiving a bank-branded phishing message would report fewer downstream account takeovers than those relying solely on app-based multifactor authentication. The logic is straightforward: passkeys eliminate the reusable credential that phishing is designed to steal, while app-based codes can still be surrendered under pressure if a scammer convinces the victim the request is legitimate.

Yet no major federal dataset currently isolates that comparison. The FBI’s complaint statistics on account takeover aggregate losses and incident counts but do not break out which victims used passkeys, authenticator apps, SMS codes, or no second factor at all. Without that detail, policymakers and consumers lack clear evidence on how much incremental protection passkeys provide in day-to-day household use compared with more familiar methods.

NIST’s SP 800-63-3 framework defines the security properties and assurance levels of different authenticator types, offering a strong technical basis for recommending phishing-resistant options. However, the framework is not a longitudinal study; it does not track real-world takeover rates before and after consumers adopt passkeys or hardware keys on critical accounts like email. Similarly, FTC recovery materials focus on what to do after a compromise (reviewing account settings, updating passwords, and monitoring financial statements) rather than quantifying which pre-incident protections most reliably prevent a breach.

That leaves a gap between the theory of strong authentication and the practice of everyday digital life. For now, households must rely on a combination of technical guidance and common-sense risk reduction. Treating verification codes as private, scrutinizing sender details, enabling app-based multifactor authentication on email, auditing forwarding rules, adopting passkeys where possible, and keeping software current will not eliminate every threat. But together, these habits significantly raise the cost and complexity of account takeover for criminals who depend on quick, low-effort wins.

Until complaint data and consumer studies catch up, the safest assumption is that email will remain the master key attackers most want to steal. Making that key harder to copy, through stronger authentication and more vigilant daily use, offers one of the few defenses that individuals can control directly while broader policy and enforcement efforts evolve.

*This article was researched with the help of AI, with human editors creating the final content.