Change of Address Redirect Fraud via Email
How fraudsters use email-based account takeover and online address change forms to redirect digital financial correspondence and enable account fraud.
Part of: Change-of-Address Redirect Fraud
Last reviewed: 9 June 2026
While physical mail redirection fraud exploits postal service processes, email-based change of address fraud exploits the online account management portals through which most financial institutions now allow customers to update their contact details. Phishing emails that capture banking or financial account credentials give fraudsters direct access to update address information within an account, redirecting future electronic statements and security notifications to an address they control.
This digital variant of address redirect fraud can be harder to detect than postal redirect fraud because there is no physical mail absence to notice. Electronic statements and security alerts simply go to a different email address or postal address without any visible interruption to the account holder's experience — particularly if the account holder has already moved to paperless statements and rarely checks their physical mailbox.
This guide covers how email-initiated address fraud differs from postal variants, what account features provide protection, and how to detect changes you did not make.
How this scam works on email
A phishing email captures a victim's banking or financial account credentials. The attacker logs in to the real account and changes the email address and mailing address for statements and correspondence. Future security alerts — new device logins, password resets, suspicious transaction notifications — go to the attacker's controlled address, not the account holder's.
With statement access redirected, the attacker applies for new credit in the account holder's name, requests replacement cards to the new address, or initiates fraudulent transfers that the account holder's security notifications would otherwise flag. The account holder only notices when they experience a declined card, an unexpected credit inquiry, or when they think to check their account address settings.
In some cases, the fraudster updates email notification settings to stop sending any alerts at all, making the ongoing access entirely silent until a major financial impact is noticed.
Common red flags
- You stop receiving expected account statements or security notifications for a financial account
- You receive an account change confirmation email (or text, if secondary contact is still active) for an address change you did not request
- A login notification arrives from a device or location you do not recognise
- Credit card or bank card arrives at an address different from yours
- Account shows a new mailing or email address when you log in directly
How to protect yourself
- Enable all available security notifications on financial accounts — new device logins, address changes, and unusual transactions
- Check your address and notification settings periodically when you log in to financial accounts
- Use a unique, strong password for each financial account and enable two-factor authentication
- Monitor your credit report regularly for new accounts or changes you do not recognise
- Sign up for USPS Informed Delivery (US) to track expected physical mail as a secondary indicator of address changes
How to report it
- Contact your financial institution immediately if an unauthorised address change is discovered
- File a report with the FTC at reportfraud.ftc.gov and use identitytheft.gov for a recovery plan
- Report to the IC3 at ic3.gov if financial fraud has resulted from the access
- Place a fraud alert or credit freeze with the major credit bureaus
Frequently asked questions
How would I know if someone has changed the email address on my financial account?
Log in directly to your account and check the contact details in your profile settings. Also check whether you are still receiving the security notifications and statements you would normally expect. Any discrepancy warrants an immediate call to the institution's fraud line.
Can two-factor authentication prevent email-based address fraud?
Two-factor authentication significantly raises the barrier to account takeover, particularly if the second factor is a separate phone number or authentication app rather than an email code. If a fraudster has already changed your email address, email-based 2FA codes would go to them. Use an authentication app where available.