If someone gets into your email, they own all the accounts you have. These 3 moves block them forever

My friend Lisa called me last night with a shaking voice. Someone had cleaned up their PayPal. Then his Amazon. Then they tried their bank. Three accounts in 40 minutes. The criminals never touched your passwords. They didn’t have to do it.

They had his email.

10 SIMPLE CYBERSECURITY RESOLUTIONS FOR A SAFER 2026

Think about what lives in yours right now. Bank statements. Medical results. Your retirement account, your mortgage company, every streaming service, every store you’ve ever purchased anything from. And here’s the part that should stop you: every password reset link on the planet arrives directly in your inbox.

A criminal doesn’t need to hack your bank. They just need your inbox. An account. Every other door opens wide. That is not a defect of the system. This is how email was designed to work. And most people protect it with the same password they’ve been using since the Bush administration.

No. Not anymore.

That’s how fast it really happens.

The criminal accesses your bank’s website. Click “Forgot my password” and enter your email address. The bank sends a reset link to your inbox. The criminal, who is already inside your email, clicks on it, creates a new password and logs in directly. Then they do it on their Amazon. Your Paypal. Your brokerage. Your health insurance portal.

Each count lasts about 60 seconds. It’s less effort than ordering a pizza.

The FBI calls this account takeover fraud and it cost Americans $2.7 billion last year alone. What should really bother you: 81% of victims said they thought they were “quite careful” about security beforehand. (Their words, not mine).

BE AWARE OF EMAILS FROM EXTORTION SCAMS CLAIMING YOUR DATA IS STOLEN

Three movements. No excuses

1. Get a real password for your email right now.

If your email password is less than 16 characters or is reused elsewhere, change it today. I use NordPass ($1.43/month) to generate passwords that look like a cat walking across my keyboard. You remember a master password. He takes care of the rest. That’s the whole point.

2. Activate two-factor authentication. But not the text message version.

Two-factor means that even if someone steals your password, they still won’t be able to get in without a second code. Good. But here’s what most people don’t know: SMS text codes can be hijacked using something called a SIM swap attack. A criminal calls your cell phone provider, sweet-talks to a customer service representative, and transfers your phone number to your device. Now your “secure” text codes go directly to them.

Wear Google Authenticator instead. It generates codes on your physical phone, not through your carrier. Go to your email account’s security settings and change SMS verification to an authenticator app. It takes five minutes.

NEW EMAIL SCAM USES HIDDEN CHARACTERS TO PASS FILTERS

3. Audit all apps connected to your inbox.

Every time you clicked “Sign in with Google” to access some website or app, you gave that app a key in your email. Some of those apps can read your messages. Some may send emails impersonating you. I did this audit last year and found 34 apps with access to my Gmail. Thirty-four. There were apps that I had completely forgotten about that still had the master key for everything.

Go here right now: myaccount.google.com > Security > Third-party apps with account access. Revoke anything you don’t recognize or actively use. Missing.

Your bank has a fraud department. Your credit card has zero liability protection. Your email? No one is covering that but you.

Twenty minutes. Three movements. Lisa wishes she had done it on a boring Sunday afternoon instead of a panic-filled Tuesday night.

CLICK HERE TO DOWNLOAD THE News APP

Your inbox is a fortress or an open door. There is no middle ground. And unlike the front door, this one doesn’t even need a lock. Just strong security.

Kim Komando is America’s digital goddess and is heard on 510 radio stations nationwide. For more tips on staying safe online, visit Komando.com.