Email security, explained in plain English
Your email account is the master key: your banking, shopping, social media and government services all reset their passwords through your inbox, so whoever controls the inbox controls the lot. This guide covers the five moves that actually protect it, the back door most advice ignores, and where to start when an account is already in someone else's hands.
Why your inbox is the master key
Ask what a stranger could do with your email for one hour. They could reset your bank login, your PayPal, your Amazon, your Facebook, and read enough mail to answer any security question your accounts still use. They could set a forwarding rule and give it all back, keeping a silent copy of everything from then on. Attackers go for email first because every other account can be opened from inside it.
The five moves that actually matter
- One long, unique password, kept in a password manager. Most takeovers start with a password leaked from some unrelated site being tried on your email. A password no other site has ever seen is the defence.
- Two-factor authentication, via an authenticator app. A code from an app on your phone stops a stolen password being enough. SMS codes are better than nothing but can be stolen with your phone number. Our 2FA setup guide shows how to turn it on without locking yourself out.
- Audit your recovery details twice a year. Old backup emails, lapsed phone numbers and guessable security questions are the back door. Remove what you no longer control, and make sure what remains is something only you can answer.
- Check forwarding rules and filters. The quiet forward-everything rule is the most common thing attackers leave behind, and most people have never once looked at that settings page. Look today, and after any security scare.
- Split the jobs across mailboxes. One address for everything means one reset link between a stranger and your entire life. The four-mailbox system separates money, identity, shopping and junk so one breach cannot cascade.
The back door nobody talks about
Everything above guards the front door, the login. Account recovery is the back door, and it is wide open on most accounts: a "forgot password" flow only has to convince the provider once, through whatever recovery channel is weakest. That is the recovery gap, and it is why a well-defended account still gets taken. SAFE2RECOVER exists for exactly this layer: we hold and guard the recovery mail for your important accounts, so a reset you did not request is caught and held before it lands. How it works, or get protected, free, with no card to start.
Already gone wrong? Start with the right guide
- Hacked email recovery, any provider: the calm, general walkthrough.
- Hacked Gmail account: Google's automated recovery, done right.
- Hacked Outlook or Hotmail account: the reset and the acsr recovery form.
- Hacked Facebook account: the hacked flow and the email-change revert.
- Hacked Instagram account: login links, revert emails, selfie verification.
- Hacked Apple account: Apple ID, iCloud and the waiting period.
- Secure a lost or stolen device: lock, locate and wipe, in the right order.
Running a business? See what an email security service does for business inboxes. And for the day everything goes wrong at once, build a digital emergency kit so someone you trust can act for you.
Frequently asked questions
What is the single most important email security step?
Treat your inbox as the master key it is. Give it a long, unique password stored in a password manager, and turn on two-factor authentication with an authenticator app. Those two moves stop the overwhelming majority of takeovers. Then audit your recovery details, because recovery is the back door that bypasses both.
Is two-factor authentication enough to keep my email safe?
It protects the login, which is necessary but not sufficient. Account recovery is the bypass: an attacker who controls your recovery email or phone can run a forgot-password flow and walk past your 2FA entirely. That is why auditing recovery channels, and watching the recovery mail itself, matters as much as the login protections.
How do hackers actually get into email accounts?
Mostly not by cracking passwords. They reuse passwords leaked from other sites, phish a login code with a fake page or urgent message, or aim a password-reset flow at a weak recovery channel: an old backup address, a lapsed phone number, a guessable security question. The defence matches the attack: unique passwords, scepticism about urgent messages, and clean recovery details.
What are the signs my email is already compromised?
Sent messages you did not write, contacts receiving scam mail from you, sign-in alerts from unfamiliar places, a password that stops working, or recovery details changing without you. Any one sign is enough to act on. Our hacked email recovery guide covers exactly what to do, in order.