Most people underestimate how valuable their email account really is.
For many individuals and organisations, a single email account is linked directly to banking platforms, investment services, payroll systems, HR portals, healthcare providers, legal correspondence and tax services. Control of that inbox is often enough to trigger password resets, approve authentication requests and, in some cases, take control of those connected accounts entirely.
This pattern shows up repeatedly during incident response. When an email account is compromised, it is rarely the end of the issue; it is usually the starting point.
How the inbox becomes a control layer
The level of risk becomes clearer when you consider how email is used across modern systems.
In most environments, an email address functions as the username, the account recovery route and the verification mechanism at the same time. Password reset processes are almost always routed through the inbox, which means access to email provides a direct and legitimate path into other accounts without the need to bypass technical controls.
Over time, the inbox also becomes a consolidated record of activity. Financial correspondence, employment records, legal communications, medical information, service confirmations and address history tend to accumulate there by default. Unlike physical paperwork, this material can be searched quickly and methodically, which significantly increases its value to an attacker.
There is a compounding effect as well. Information obtained from one message often supports access elsewhere. A utility email confirms an address. A payslip confirms an employer. A confirmation message reveals which providers are in use. Each additional data point reduces uncertainty and raises the likelihood of further access being achieved.
1. Prioritise multi-factor authentication on your email account
The most effective step you can take is to enable multi-factor authentication on your email account. A password alone is then not enough to gain access: the attacker also needs a second factor that they are unlikely to hold.
Where possible, this should be delivered through an authenticator application rather than SMS. SMS-based codes remain vulnerable to SIM swapping, where the number is transferred to an attacker's device by social engineering the mobile network provider. Bear in mind that a code from an authenticator application can still be phished: a lookalike login page can relay your password and code to the real service in real time, so this option is better than SMS but not the strongest available.
The National Cyber Security Centre now recommends doing away with passwords entirely and using passkeys instead. A passkey is a cryptographic key pair generated for each service: the private key stays on your phone or laptop, the service holds only the public key, and the credential is bound to the genuine site's address, so it cannot be handed to a lookalike page. In practice this is faster and more convenient than typing a code, and more secure than an authenticator application.
Recommended approach:
- Enable multi-factor authentication or set up a passkey on the primary email account as a priority
- Use an authenticator application rather than SMS wherever possible
- Extend this control to banking, payroll and other sensitive services
- For organisations, enforce this centrally rather than relying on individual users
2. Segregate email usage by sensitivity
When a service you’ve signed up to is breached, one of the first things exposed is the email address used to register. If that same address is also tied to your bank, pension provider and work systems, it immediately becomes a reference point for all of them. From an attacker’s perspective, that single data point provides a clear place to start.
The risk is larger than most people expect. What looks like a minor breach of a retail account or newsletter subscription can indirectly expose the address used for far more sensitive services.
Using separate email accounts helps contain that risk. One address should be reserved for financial and regulated services, and another used for general sign‑ups, retail accounts and subscriptions. This way, a low‑impact breach does not automatically expose the email address linked to your most sensitive accounts.
For organisations, this is just as relevant. Corporate email addresses regularly appear in public breach data, not because the organisation was hacked, but because an employee used their work address to register for a personal service. Clear policies on acceptable use, and enforcing them properly, significantly reduce that exposure.
Recommended approach:
- Use one email account for high-sensitivity services such as banking, payroll and regulated platforms
- Use a separate account for general services such as retail, subscriptions and sign-ups
- Avoid using corporate email addresses for personal registrations
- For organisations, define and enforce acceptable use policies
3. Apply scrutiny to federated login permissions
Options such as “Continue with Google” or “Continue with Apple” are often seen as a harmless convenience. In practice, each one creates a direct trust relationship between a third‑party service and your primary account.
While some services request only basic identification, others ask for broader access. We routinely see permissions granted for contacts, calendar data or profile information with little scrutiny, even where that level of access is difficult to justify.
The key issue is accumulation. Individually, these connections may appear low risk. Over time, however, they build a wider attack surface around a single, high‑value account.
Before approving access, it is worth checking what is being requested and whether it feels proportionate to the service being used. In many cases, it is reasonable to question whether a secondary service needs to be directly linked to a primary identity at all.
Recommended approach:
- Read permission requests before approving access
- Limit use of these login methods to services where the connection is justified
- Periodically review and remove applications that no longer require access
4. Use a password manager to eliminate password reuse
Reusing passwords is one of the main reasons a breach at one site becomes a problem across many. Attackers take the username and password pairs leaked from one breach and automatically test them against other services, a technique known as credential stuffing. If you use the same password in more than one place, a leak of that password anywhere exposes every account that shares it.
A password manager generates and stores a unique password for every account. You only need to remember one strong master password. Most managers fill credentials automatically in your browser and on your phone, so the day-to-day experience is actually simpler than remembering passwords yourself. Because the manager matches stored credentials to the site's address, a refusal to autofill on a page that looks like your bank is itself a useful warning sign.
Recommended approach:
- Use a unique password for every account
- Allow the password manager to generate and store credentials
- Protect the manager itself with multi-factor authentication
- For organisations, use enterprise tools to enforce standards and provide oversight
5. Treat email as an unsecured channel for sensitive information
Standard email is not encrypted end-to-end in any meaningful way for most users. Transport encryption between mail servers is opportunistic and only protects each hop; the message itself sits readable on both providers' servers and in both inboxes. Once you send something, you have no control over where it ends up, how long it is stored, or who can read it if either inbox is ever compromised.
If an organisation offers a secure portal for sharing sensitive documents, use it. If they do not, ask. For anything that cannot wait, at minimum send documents as password-protected files and share the password through a separate channel, such as a phone call or text message, never in the same email thread. Use a format whose password protection actually encrypts the content, such as an AES-encrypted archive or a modern office document format; the legacy ZIP password scheme is weak and should not be relied on. Choose a long, random password for the file.
Recommended approach:
- Use secure portals where available
- Request secure alternatives where they are not offered
- Send documents as password-protected files if necessary
- Share passwords through a separate channel
Reducing the amount of sensitive information stored in your inbox also reduces the impact of a potential compromise.
A practical starting point
These measures do not require specialist tools and can be implemented quickly.
Start by confirming that multi-factor authentication is enabled on your email account, reviewing which services are linked to it and ensuring the password is strong and not reused elsewhere.
From there, carry out a simple audit. List the services tied to your email account, check which of them have multi-factor authentication enabled and identify any reused credentials. A password manager's export, or its built-in security report, is usually the quickest source for that list.
This will usually highlight gaps that can be addressed immediately.
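The audit just described, carried out over a password-manager export, as an added example script (not code from the original article). It assumes a CSV export with the columns service,category,email,password,mfa; real managers use their own column names, so adapt the parser to your tool. The sample rows are constructed and contain no real credentials. The script reports reused passwords (grouped without echoing the secret), sensitive services with no second factor, and addresses that are used for both sensitive and general services, which is the segregation failure described in section 2.

```python
"""Audit a password-manager export for reused passwords, missing MFA and
mixed email usage.  Input is a constructed CSV (service,category,email,
password,mfa); adapt the column names to your own manager's export."""
import csv
import hashlib
import io
from collections import defaultdict

# Categories treated as high-sensitivity (an assumption for this example):
# the primary mailbox itself, money, employment and regulated platforms.
SENSITIVE_CATEGORIES = {"email", "financial", "payroll", "regulated"}

# Constructed sample export; not real credentials.
SAMPLE_EXPORT = """service,category,email,password,mfa
bank,financial,jane.finance@example.com,Tr0ub4dor&3,yes
payroll,payroll,jane.finance@example.com,Tr0ub4dor&3,no
mail-primary,email,jane.finance@example.com,correct horse battery staple,yes
retail-shop,general,jane.personal@example.com,summer2019!,no
newsletter,general,jane.finance@example.com,summer2019!,no
"""


def load_export(csv_text):
    """Parse the export into a list of dicts with normalised values."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "service": row["service"].strip(),
            "category": row["category"].strip().lower(),
            "email": row["email"].strip().lower(),
            "password": row["password"],
            "mfa": row["mfa"].strip().lower() in {"yes", "true", "1"},
        })
    return rows


def password_label(password):
    """Short opaque label so the report never echoes the secret itself.
    Grouping key only: a 32-bit hash prefix is not safe to publish."""
    return hashlib.sha256(password.encode()).hexdigest()[:8]


def find_password_reuse(entries):
    """Map each reused password (by label) to the services sharing it."""
    groups = defaultdict(list)
    for e in entries:
        groups[password_label(e["password"])].append(e["service"])
    return {label: sorted(s) for label, s in groups.items() if len(s) > 1}


def find_missing_mfa(entries):
    """Sensitive services that still rely on a password alone."""
    return sorted(e["service"] for e in entries
                  if e["category"] in SENSITIVE_CATEGORIES and not e["mfa"])


def find_mixed_addresses(entries):
    """Addresses registered to both a sensitive and a general service: a
    breach of the general one exposes the address the sensitive one uses."""
    usage = defaultdict(lambda: {"sensitive": set(), "general": set()})
    for e in entries:
        bucket = "sensitive" if e["category"] in SENSITIVE_CATEGORIES else "general"
        usage[e["email"]][bucket].add(e["service"])
    return {email: u for email, u in usage.items()
            if u["sensitive"] and u["general"]}


def audit(csv_text):
    """Run all three checks and return the findings as one report."""
    entries = load_export(csv_text)
    return {
        "reused_passwords": find_password_reuse(entries),
        "missing_mfa": find_missing_mfa(entries),
        "mixed_addresses": find_mixed_addresses(entries),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_EXPORT)
    for label, services in report["reused_passwords"].items():
        print(f"password {label} reused across: {', '.join(services)}")
    for service in report["missing_mfa"]:
        print(f"no MFA on sensitive service: {service}")
    for email, u in report["mixed_addresses"].items():
        print(f"{email} used for {sorted(u['sensitive'])} and also {sorted(u['general'])}")
```

On the sample data the report flags the bank and payroll accounts for sharing a password, payroll for having no second factor, and the finance address for also being registered to a newsletter. The reuse check groups on a hash of the password rather than the password itself so the output can be pasted into a ticket without copying secrets around, but treat even the truncated labels as internal.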
Final observation
Your email account sits at the centre of your digital footprint. It connects services, holds records and acts as the default recovery mechanism.
It should be treated accordingly.
