Your email inbox is the skeleton key to your entire life

If someone gets into your email, they own every account you have. Here are the three moves that lock them out for good.

⚡ TL;DR

  • Your email is the master password to your entire digital life.
  • One breach, and every account you own falls like dominoes.
  • Three moves seal it up, none take more than 10 minutes.

📖 Read time: 3 minutes


My friend Lisa called me last night, voice shaking. Someone had cleaned out her PayPal. Then her Amazon. Then tried her bank. Three accounts in 40 minutes. The criminals never touched her passwords. They didn’t have to. They had her email.

Think about what lives in yours. 

Bank statements. Doctor results. Your retirement account, your mortgage company, every streaming service, every store you’ve ever bought anything from. And every single password reset link on the planet lands right there.

A criminal doesn’t need to hack your bank. They just need your inbox. One account. Every other door swings wide open. That’s not a flaw. That’s how email was designed to work. And most people protect it with the same password they’ve used for years and years.

Nope. Not anymore.

🔑 Here’s how fast it happens

Hackers go to your bank’s website. Click “Forgot Password.” Type your email. The bank sends a reset link straight to your inbox. The criminal, already inside, clicks it, creates a new password and walks right in. Then they do it to your Amazon. Your PayPal. Your brokerage. Each one takes about 60 seconds. It’s less effort than ordering a pizza.

The FBI calls this account takeover fraud. And 81% of victims said they thought they were “pretty careful” about security beforehand. (Their words, not mine.)

🔒 Three moves. This weekend.

1. Get a real password. Under 16 characters or reused anywhere? Change it today. Use NordPass* ($1.43/month) to generate something unguessable. You remember one master password. It handles the rest.

2. Turn on two-factor authentication. But not the text version. SMS codes can be hijacked through SIM swap attacks, where a criminal calls your carrier, sweet-talks a rep and transfers your number to their phone. I’ve covered this. It’s terrifyingly easy. Use Google Authenticator instead. Links and steps on how to use it here on my site. Done.

3. Audit every app connected to your inbox. Every “Sign in with Google” click handed that app a key to your email. Some read your messages. Some send emails as you. I did this audit last year and found 34 apps with access to my Gmail. Thirty-four. Apps I’d forgotten existed, holding a key to everything. Gone. Do it now: myaccount.google.com > Security > Third-party apps with account access.
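To make the audit in step 3 concrete, here is an added example (not from the original article) that sorts app grants by what their Gmail OAuth scopes allow, separating mailbox access from sign-in-only grants. The scope strings are Google's OAuth scopes; the app names and the grant list are constructed sample data, and having the scopes for each app in hand is an assumption.

```python
# Added example. Scope strings are Google OAuth scopes; app names are constructed.
READ = "read your messages"
SEND = "send email as you"
SETTINGS = "change mail settings and filters"

BASE = "https://www.googleapis.com/auth/"
GMAIL_CAPS = {
    "https://mail.google.com/": {READ, SEND},   # full mailbox access
    BASE + "gmail.modify": {READ, SEND},
    BASE + "gmail.readonly": {READ},
    BASE + "gmail.compose": {SEND},
    BASE + "gmail.send": {SEND},
    BASE + "gmail.settings.basic": {SETTINGS},
    BASE + "gmail.settings.sharing": {SETTINGS},
}
# Scopes that only identify you to the app ("Sign in with Google").
SIGN_IN_ONLY = {"openid", "email", "profile",
                BASE + "userinfo.email", BASE + "userinfo.profile"}


def triage(grants):
    """Return [(app, verdict, sorted capabilities)], mailbox access first."""
    rows = []
    for app, scopes in grants.items():
        caps, other = set(), []
        for scope in scopes:
            if scope in GMAIL_CAPS:
                caps |= GMAIL_CAPS[scope]
            elif scope not in SIGN_IN_ONLY:
                other.append(scope)      # not mail, but still worth a look
        if caps:
            verdict = "REVOKE unless still needed"
        elif other:
            verdict = "CHECK other access"
        else:
            verdict = "sign-in only"
        rows.append((app, verdict, sorted(caps)))
    # Most mail capabilities first, then alphabetical for stable output.
    return sorted(rows, key=lambda r: (-len(r[2]), r[0]))


# Constructed sample of what an audit might turn up.
SAMPLE_GRANTS = {
    "NewsSite": ["openid", "email", "profile"],
    "OldCouponApp": ["openid", BASE + "gmail.readonly"],
    "MailMergeTool": ["https://mail.google.com/"],
    "CalendarHelper": [BASE + "calendar"],
}

if __name__ == "__main__":
    for app, verdict, caps in triage(SAMPLE_GRANTS):
        print(f"{app:15} {verdict:27} {', '.join(caps) or '-'}")
```
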

Your bank has a fraud department. Your credit card has zero-liability protection. Nobody is covering your email. That one is entirely on you.

Twenty minutes. Three moves. Lisa wishes she’d done it sooner.

👉 Know someone who still uses the same password for everything? Forward this. Tell them it’s free, takes 20 minutes and could save them everything. Or use the links below to post on your social media. You’ll help more than one person, I’m sure of it.