Account Takeover Scams via Email
Scammers use phishing emails to steal credentials and gain unauthorised access to bank, shopping, and social accounts.
Part of: Account Takeover Scams
Last reviewed: 1 June 2026
Account takeover fraud starts with a convincing email — usually a fake security alert, a password-reset request the victim did not initiate, or a spoofed verification notice. Once the victim enters their credentials on the fake page, attackers immediately use them to log in, change the recovery email and phone number, and lock the real owner out.
The consequences range from drained bank accounts and fraudulent purchases to wholesale identity theft if the compromised account is used to reset passwords on other services. Email-based account takeover is industrialised: automated tools test stolen credentials against hundreds of services within seconds of capture.
How this scam works on Email
A typical attack begins with a 'suspicious login detected' or 'verify your identity' email containing a link to a cloned login page. After credential entry, the victim may be redirected to the real service's homepage so they notice nothing unusual until they find they can no longer log in.
Credential-stuffing attacks take a different route: criminals buy bulk lists of email/password pairs from previous data breaches and run automated tools across major services, relying on password reuse. Email is used here to deliver the initial breach notification that prompts panicked victims to click without thinking.
Common red flags
- Unexpected security-alert email about a login you did not make
- Email asking you to confirm credentials or click a link to 'prevent account suspension'
- Password-reset email you did not request
- Login-link URL does not match the service's exact domain
- Email lacks your name or account-specific details the real service would include
- Sender address uses a look-alike domain (e.g. 'g00gle.com', '[bank]-alerts.net')
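The two URL-based red flags above (link host not matching the service's exact domain, and look-alike sender domains) can be checked mechanically. The following is an added example, not from the original page: it compares a link's host against a small constructed allow-list and flags hosts that merely resemble a trusted brand. `TRUSTED_HOSTS`, `BRANDS` and the sample links are assumptions made for the demonstration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of legitimate login hosts (assumption for this example).
TRUSTED_HOSTS = {"accounts.google.com", "online.examplebank.co.uk"}
# Brand strings a look-alike domain would try to imitate (constructed).
BRANDS = ("google", "examplebank")
# Digit-for-letter swaps commonly used in look-alike hostnames, e.g. g00gle.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def host_of(url):
    """Return the lowercase host of an http(s) URL, or None if there is none.

    urlsplit().hostname discards any 'user@' prefix and ':port' suffix, so
    'https://accounts.google.com@evil.example/' yields 'evil.example', which
    is the host the browser would actually connect to.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def classify_link(url):
    """Classify a login link as 'trusted', 'look-alike' or 'untrusted'.

    Only an exact host match counts as trusted: 'accounts.google.com.secure-login.net'
    is a different registrable domain even though it starts with a trusted name.
    Unicode confusables (e.g. Cyrillic letters) are not handled here and would
    need a confusables table.
    """
    host = host_of(url)
    if host is None:
        return "untrusted"
    if host in TRUSTED_HOSTS:
        return "trusted"
    # Undo digit swaps and strip separators so 'examplebank-alerts.net' and
    # 'g00gle.com' both reveal the brand they imitate.
    folded = host.translate(HOMOGLYPHS).replace("-", "").replace(".", "")
    if any(brand in folded for brand in BRANDS):
        return "look-alike"
    return "untrusted"


if __name__ == "__main__":
    # Constructed sample links of the kinds the red-flag list describes.
    for link in ("https://accounts.google.com/signin", "https://g00gle.com/login",
                 "http://accounts.google.com.secure-login.net/verify",
                 "https://accounts.google.com@evil.example/login"):
        print(f"{classify_link(link):10} {link}")
```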
How to protect yourself
- Use a unique password for every account — a password manager makes this practical
- Enable multi-factor authentication everywhere, especially email and banking accounts
- If you receive an unexpected security alert, go to the service directly (not via the email) to check
- Sign up for breach-notification services so you know when your credentials appear in leaked datasets
- Regularly review active sessions in your email and social accounts and revoke any you do not recognise
How to report it
- Report to the platform whose account was compromised through their official support or security team
- File a report with Action Fraud, the FTC, or your national cyber-crime authority
- Notify your bank if financial accounts may have been accessed
Frequently asked questions
My email account was taken over — what do I do first?
Contact your email provider immediately through an alternative channel to initiate account recovery. Once restored, change passwords on all linked services, revoke active sessions, and enable MFA. Check whether the attacker set up mail-forwarding rules to intercept future messages.