This week I received an email from a friend’s account. It was an investment pitch: a Series A round of five million dollars, with a PDF attachment and a link to documents. The message came through infrastructure authorized for his domain, passed the server’s cryptographic checks, and landed in my inbox without any filter flagging it. It was, technically, credible.
It wasn’t. The account was compromised.
I confirmed it on the phone within minutes. But before that call there was a short analysis - reviewing the technical fingerprint of the email itself, comparing it with an earlier message from the same person, looking at where the link pointed - that confirmed the suspicion without needing to open anything. I don’t open attachments I don’t know. Full stop.
I share this experience with one purpose only: that it doesn’t happen to someone else. That the reader walks away with two or three new habits that save them a scare, a financial loss, or worse.
Why your email account is the master key
Email isn’t just a messaging channel. It’s the master key to your digital life. When an attacker takes over your inbox, they get three things at once:
- The directory of people who trust you. Your contact list is a list of potential victims, because any outgoing message from your mailbox arrives carrying the trust accumulated over years of relationship.
- The channel through which every other password is reset. Bank, social media, work platforms, cloud services. Every one of those services has a “forgot my password” button that ends up sending a recovery link to your email. If your email is taken, everything else is exposed too.
- The voice the attacker can speak in without raising suspicion. Your writing style, your signature, your real address, your company branding. All of it is inherited by the attacker the moment they get in.
That is why many fraud cases ending in real losses do not start with a dramatic hack, but with a reused password or a verification code handed over to the wrong site. ENISA’s Threat Landscape is a useful reminder of the bigger picture: social engineering, phishing and credential abuse remain central parts of digital risk. The defense is not only technical. It is also behavioral: verify through a second channel before acting.
What to look at and why: the four signals
Every email travels with an invisible “technical fingerprint” that any email provider lets you inspect. In Gmail it is called “Show original”; in Outlook, “View message properties.” That fingerprint is the equivalent of the post-office stamp on a paper letter: it tells you where it came from, which servers it passed through, at what exact time, and from what kind of program. Comparing that fingerprint between two messages from the same sender - one legitimate, one suspicious - exposes things the body of the email does not show.
These were the four signals in this case, side by side:
| What to look at | Legitimate email (months ago) | Suspicious email (this week) |
|---|---|---|
| What the thread replies to | A previous message of mine, in a coherent conversation | A message from a domain with no apparent relation to the sender - a technique known as thread hijacking |
| Time zone of the send | Central Europe - consistent with the sender’s usual pattern | A time zone inconsistent with the sender’s usual pattern |
| Where the link points | Not applicable: it was a personal email | A page hosted on Adobe Portfolio, a platform for showcasing creative work |
| Type of distribution | A message addressed directly to me | A bulk message to a list, with me on BCC |
Any one of these on its own can be explained. The four together cannot. The time zone, for example, does not prove anyone’s physical location by itself: it can depend on the mail client, a setting, a server or an automation. It is a weak signal. It becomes stronger when it lines up with the rest.
The link deserves a separate note. A real investment round is normally not hosted on a creative portfolio platform. It lives in a corporate data room, on the law firm’s portal, or at minimum on a domain owned by the issuing entity. A “fund” name appearing on a designer portfolio platform is enough to discard the email without opening anything else.
How the analysis was done, step by step
```
[1] EMAIL ARRIVES
 ↓ Subject: "Series A 5M USD". PDF attachment. Link.
 ↓ Sender: real account, known for years.
 ↓
[2] OPEN THE EMAIL'S TECHNICAL FINGERPRINT
 ↓ "Show original" in Gmail.
 ↓ The domain checks pass:
 ↓ this does not look like an outside spoof,
 ↓ but like a message sent through authorized infrastructure.
 ↓
[3] COMPARE WITH A PREVIOUS EMAIL FROM THE SAME SENDER
 ↓ Thread: the new one replies to an unrelated domain. ⚠
 ↓ Time zone: the new one breaks the usual pattern. ⚠
 ↓ Distribution: the new one is bulk mail, not a conversation. ⚠
 ↓
[4] CHECK WHERE THE LINK POINTS (without clicking it)
 ↓ Points to a creative portfolio platform. ⚠
 ↓
[5] CALL THE CONTACT ON A PHONE NUMBER YOU ALREADY HAVE
 → Confirmation: he did not send that email.
 → His account is compromised.
```
Total time: under five minutes. The point is not speed; it is order. Each step reduces uncertainty before touching anything dangerous.
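The four-signal comparison in the table and the steps [2] to [4] above can be automated against the raw text that “Show original” exposes. The script below is an added example, not code from the original post: it parses two constructed messages (the headers and addresses are invented, not the real ones from this case), extracts the thread domain from In-Reply-To, the UTC offset from the Date header, the hostnames of every link in the body, and whether the reader was a visible recipient, then reports where the suspicious message departs from a known-good baseline. Step [5], the phone call, stays human.

```python
import re
from email import message_from_bytes, policy
from email.utils import getaddresses, parseaddr, parsedate_to_datetime
from urllib.parse import urlparse

# Constructed sample messages in the shape "Show original" gives you.
# Domains, addresses and Message-IDs are invented for this example.
BASELINE = b"""From: Friend <friend@example-friend.com>
To: Me <me@example-me.com>
Subject: Re: coffee next week?
Date: Tue, 14 Oct 2025 10:15:00 +0200
Message-ID: <a1@example-friend.com>
In-Reply-To: <me-1@example-me.com>
References: <me-1@example-me.com>
Content-Type: text/plain; charset=utf-8

Sure, Thursday works for me.
"""

SUSPECT = b"""From: Friend <friend@example-friend.com>
To: undisclosed-recipients:;
Subject: Re: Series A 5M USD
Date: Thu, 12 Mar 2026 03:40:00 -0700
Message-ID: <b2@example-friend.com>
In-Reply-To: <xyz@unrelated-domain.example>
References: <xyz@unrelated-domain.example>
Content-Type: text/plain; charset=utf-8

Deck and data room: https://fund-name.portfolio-platform.example/deck
"""


def fingerprint(raw: bytes, me: str) -> dict:
    """Pull the four signals out of one raw message (headers plus body)."""
    msg = message_from_bytes(raw, policy=policy.default)
    sender_domain = parseaddr(str(msg.get("From", "")))[1].rpartition("@")[2].lower()

    # Signal 1, thread: which domain issued the Message-ID this mail claims to answer?
    in_reply_to = str(msg.get("In-Reply-To", "")).strip()
    thread_domain = in_reply_to.rstrip(">").rpartition("@")[2].lower() or None

    # Signal 2, time zone: the UTC offset in the Date header (weak on its own).
    date_hdr = msg.get("Date")
    utc_offset = parsedate_to_datetime(str(date_hdr)).utcoffset() if date_hdr else None

    # Signal 3, links: hostnames of every URL in the plain-text body, never visited.
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    link_hosts = {urlparse(u).hostname.lower() for u in re.findall(r"https?://[^\s<>]+", text)}

    # Signal 4, distribution: am I a visible recipient, or hidden on BCC / a list?
    visible = {addr.lower() for _, addr in getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))}

    return {"sender_domain": sender_domain, "thread_domain": thread_domain,
            "utc_offset": utc_offset, "link_hosts": link_hosts,
            "addressed_to_me": me.lower() in visible}


def _hours(delta) -> str:
    return f"{int(delta.total_seconds() // 3600):+d}h"


def compare(baseline: bytes, suspect: bytes, me: str) -> list[str]:
    """Return the signals where the suspect message departs from the baseline."""
    base, sus = fingerprint(baseline, me), fingerprint(suspect, me)
    trusted = {sus["sender_domain"], me.lower().rpartition("@")[2]}
    signals = []
    if sus["thread_domain"] and sus["thread_domain"] not in trusted:
        signals.append(f"thread: replies to a message-id issued by {sus['thread_domain']}")
    if base["utc_offset"] is not None and sus["utc_offset"] != base["utc_offset"]:
        signals.append(f"timezone: {_hours(sus['utc_offset'])} differs from usual {_hours(base['utc_offset'])}")
    foreign = sorted(h for h in sus["link_hosts"] if not h.endswith(sus["sender_domain"]))
    if foreign:
        signals.append(f"links: hosted outside the sender's domain: {foreign}")
    if not sus["addressed_to_me"]:
        signals.append("distribution: I am not a visible recipient (BCC or list)")
    return signals


if __name__ == "__main__":
    for s in compare(BASELINE, SUSPECT, "me@example-me.com"):
        print("⚠", s)
```

Run it and the suspect message trips all four signals while the baseline compared with itself trips none. The time-zone check is deliberately only a difference test against the sender's own earlier mail, matching the caveat above: an offset proves nothing by itself, so the script reports it alongside the others rather than scoring it.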
If you’re the one compromised
Here the scenario flips. If at any point you suspect that your own Gmail, Outlook, iCloud or Microsoft 365 account is being used by someone else, there is an order that matters more than speed.
Step 1 - Sign out of every active session, before changing anything else. In Gmail go to myaccount.google.com/security and check the “Your devices” section. For Microsoft, go to account.microsoft.com/devices. You will see a list of phones, computers and browsers where your account is currently signed in. Sign out of every device you do not recognize. This kicks the attacker out of the mailbox while you handle the rest calmly.
Step 2 - Change the password, but do not reuse one. A practical note here: your own browser already has a built-in password generator and manager, free, with nothing extra to install. Both Chrome and Microsoft Edge offer the same thing: when you sign up for a site or change a password, the browser suggests a long, unique password, stores it encrypted, and fills it in for you next time. This solves the single most common personal-security problem: using the same password across multiple sites. When any service suffers a breach - and you should assume any service can - the leaked password should not open your email and your bank too. If every site has a unique password generated by the browser, that chain is broken.
Step 3 - Revoke anything that may have been authorized from inside. This is the step most people forget. Changing the main password does not invalidate two things: “app passwords” - special keys for older programs that do not support modern verification - and permissions granted to “third-party applications” you authorized at some point, such as an app that asked for calendar access or another one that asked to read your mail. If the attacker knew what they were doing, they may have authorized an innocently named app to maintain access even after you changed the password several times. The same security section in Google or Microsoft has lists of everything connected. Review and revoke anything you do not recognize.
Step 4 - Check filters and forwarding rules. The classic pattern is to create an automatic rule that forwards to an external account every email containing words like invoice, wire, transfer, or factura, and then deletes it from your mailbox so you never see it. If your account was compromised for a week, assume that rule may have existed and look for it. Rules live in your mail settings: in Gmail under “Filters and Blocked Addresses”; in Outlook under “Rules.”
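Step 4 is the one most worth scripting, because a planted rule is small and easy to miss in a long settings page. The audit below is an added example and not code from the original post or from any mail provider. It assumes (an assumption, not documented on the page) that rules come in the shape of the Gmail API Filter resource returned by users.settings.filters.list, with a criteria object and an action object whose forward field names an address and whose addLabelIds ["TRASH"] or removeLabelIds ["INBOX"] hide the matching mail from the owner; the sample rules and addresses are constructed. It flags any rule that forwards outside your own domains, any rule that both hides mail and matches money-related words, and any account-wide forwarding address that is not yours.

```python
import re

# Words the classic planted rule matches on (the page's list, plus a few common ones).
FINANCE_WORDS = r"\b(invoice|invoices|wire|transfer|payment|iban|factura|facturas)\b"

# Constructed sample rules in the assumed Gmail Filter resource shape, not from a real account.
SAMPLE_FILTERS = [
    {"id": "f1", "criteria": {"from": "newsletter@example-news.com"},
     "action": {"removeLabelIds": ["INBOX"], "addLabelIds": ["Label_12"]}},
    {"id": "f2", "criteria": {"query": "invoice OR wire OR transfer OR factura"},
     "action": {"forward": "backup.mail.2026@example-freemail.com", "addLabelIds": ["TRASH"]}},
    {"id": "f3", "criteria": {"from": "boss@example-me.com"},
     "action": {"addLabelIds": ["IMPORTANT"]}},
]
SAMPLE_FORWARDING_ADDRESSES = ["backup.mail.2026@example-freemail.com"]  # constructed


def audit_filters(filters, own_domains, forwarding_addresses=()):
    """Return [(rule_id, [reasons])] for rules that look like attacker persistence."""
    own = {d.lower() for d in own_domains}
    findings = []
    for rule in filters:
        action = rule.get("action", {})
        criteria = rule.get("criteria", {})
        reasons = []

        # Anything that copies mail to an address outside your own domains.
        target = action.get("forward")
        if target and target.rpartition("@")[2].lower() not in own:
            reasons.append(f"forwards matching mail to external address {target}")

        # Hiding mail is normal for newsletters; hiding money-related mail is not.
        hides = "TRASH" in action.get("addLabelIds", []) or "INBOX" in action.get("removeLabelIds", [])
        criteria_text = " ".join(str(v) for v in criteria.values())
        if hides and re.search(FINANCE_WORDS, criteria_text, re.IGNORECASE):
            reasons.append(f"hides mail whose criteria mention money terms: {criteria_text!r}")

        if reasons:
            findings.append((rule.get("id", "?"), reasons))

    # Account-wide forwarding lives outside the filter list and is checked separately.
    for addr in forwarding_addresses:
        if addr.rpartition("@")[2].lower() not in own:
            findings.append(("forwarding-address", [f"account-wide forwarding to {addr}"]))
    return findings


if __name__ == "__main__":
    for rule_id, reasons in audit_filters(SAMPLE_FILTERS, {"example-me.com"}, SAMPLE_FORWARDING_ADDRESSES):
        print(rule_id, "->", "; ".join(reasons))
```

The newsletter rule (f1) skips the inbox but is left alone, because the test is the combination of hiding plus a money-related match, not hiding by itself. Review each finding by hand before deleting it; the script narrows the list, it does not decide.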
Step 5 - Get official help if you need it. In Spain, INCIBE runs the 017 helpline, free and confidential, and also provides a fraud-reporting channel. In the United Kingdom, the NCSC accepts suspicious emails at report@phishing.gov.uk. In the United States, the FTC and CISA accept equivalent reports. In the Dominican Republic, the National Cybersecurity Center (CNCS / CSIRT-RD) provides a channel to report cyber incidents, and the National Police allows virtual complaints, including cybercrimes and fraud.
Closing the door for real: passkeys
The strongest recommendation from the world’s main cybersecurity agencies boils down to one word: passkeys.
It is worth understanding why, in plain language, before getting to how to enable them.
A traditional password is a secret you memorize and type into a text field. The problem: if someone shows you a fake page called, say, gmaiil.com - with two i’s instead of one - and you type your password there without noticing, the attacker captures it and uses it on the real gmail.com. Your eye did not catch the difference. This happens constantly.
A passkey works differently. When you create one on gmail.com, your device stores a unique cryptographic key that stays bound to the real domain. If you land on the fake page gmaiil.com, your browser simply does not present the key, because the domain it sees does not match the one stored. The page may look visually identical to the real one, may fool your eye perfectly, but it cannot fool the browser. That is the difference. With a passkey, the decision of “is this legitimate or not?” no longer depends on you noticing. The system makes it for you, silently.
That matters a lot in 2026 because automated fake pages can now relay passwords and one-time codes to the real service in real time. CISA recommends using the strongest MFA option available and treats phishing-resistant MFA - such as FIDO/WebAuthn, the technical family behind many passkeys - as the level organizations should aim for. The UK’s NCSC goes further for everyday users: it recommends passkeys as the first choice wherever they are available, and two-step verification where they are not.
This does not mean SMS or authenticator apps are useless. They are still far better than using only a password, and you should keep using them where passkeys are not available. What has changed is the order of preference. If a service supports passkeys, use them. If it does not, use a unique password generated by a password manager and keep two-step verification enabled.
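The domain binding described above can be shown in code. The block below is an added example, not code from the original post or from any browser or service: it simulates the three parties of a passkey login (the browser, which writes the origin it is really on into clientDataJSON; the authenticator, which hashes the relying party ID into its authenticator data; and the relying party server, which checks both before it even looks at a signature). The origins, the rp_id example.com and the look-alike examp1e.com are placeholders chosen for this example. A real browser refuses to produce the assertion at all when the page's domain does not match the rp_id, so the server-side check here is the second layer that catches anything that slips through; the signature verification step that follows it is left out.

```python
import base64
import hashlib
import json
import os
import struct


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Browser side (simulated): the page cannot choose "origin", the browser fills it in.
def browser_client_data(page_origin: str, challenge: bytes) -> str:
    data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return b64url(json.dumps(data, separators=(",", ":")).encode())


# Authenticator side (simulated): rpIdHash (32 bytes) + flags (1) + signCount (4).
def authenticator_data(rp_id: str, user_present=True, user_verified=True, counter=1) -> bytes:
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


# Relying party side: the binding checks that precede signature verification.
def verify_binding(client_data_b64: str, auth_data: bytes, expected_origin: str,
                   rp_id: str, expected_challenge: bytes) -> tuple[bool, str]:
    cd = json.loads(b64url_decode(client_data_b64))
    if cd.get("type") != "webauthn.get":
        return False, "not an authentication ceremony"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch (stale or replayed response)"
    if cd.get("origin") != expected_origin:
        # The decision the page says no longer depends on the user's eye.
        return False, f"origin mismatch: {cd.get('origin')!r}"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not auth_data[32] & 0x01:
        return False, "user presence flag not set"
    return True, "bound to the right origin and RP; signature check comes next"


def demo(page_origin: str, rp_id_used: str = "example.com") -> tuple[bool, str]:
    """One login attempt from a page at page_origin against the example.com relying party."""
    challenge = os.urandom(32)  # fresh per login, issued by the server
    return verify_binding(browser_client_data(page_origin, challenge),
                          authenticator_data(rp_id_used),
                          "https://accounts.example.com", "example.com", challenge)


if __name__ == "__main__":
    print(demo("https://accounts.example.com"))   # legitimate page
    print(demo("https://accounts.examp1e.com"))   # look-alike page, same visual appearance
```

The look-alike page fails on the origin field, which the page's script never gets to write; the site the user thinks they are on is irrelevant, only the domain the browser actually loaded counts. This is the property the agencies cited above mean by “phishing-resistant”.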
The good news is that enabling a passkey requires installing nothing. The fingerprint, face recognition or PIN you already use to unlock your device can also work as a passkey on services that support it:
- On Windows, this works through Windows Hello and Microsoft’s passkey system.
- On Mac, iPhone or iPad, through Touch ID or Face ID, with syncing through iCloud Keychain when it is enabled.
- On Android, passkeys can be saved in Google Password Manager or another compatible manager, and unlocked with the device screen lock.
A practical note: if your passkey lives only on one device, register at least two - for example, one on your laptop and one on your phone - so you do not get locked out if you lose one of them.
A few weeks ago I wrote about another security case - the McKinsey AI platform incident - where the root pattern was the same: highly sophisticated technology compromised by a human decision or a basic oversight. The layer that fails is almost never the last one.
What comes through other channels
Email is just one path. The same defensive logic applies to everything else.
Calls from unknown numbers. Both iPhone and Android can silence them automatically. On iOS it is in Settings → Apps → Phone → Silence Unknown Callers; on Pixel Android, in Settings → Caller ID & spam. The rule, recommended by the FCC among other authorities, is simple: do not make decisions on a call you did not initiate. If someone says they are from your bank, hang up and call back using the number on the back of your card. This has become more important with AI-generated or AI-manipulated calls: the FTC warns that scammers can clone a family member’s voice and use it to request money in a fake emergency.
SMS and messages with links from people you do not know. Treat them as hostile by default. The professional rule is not to click links received by SMS or messaging apps if you were not expecting them. And one point worth burning into memory: do not confirm banking transactions from a link received by SMS or email. If something urgent appears to come from your bank, open the official app you already have installed, or call them yourself using the number on the back of your card. In the United Kingdom, suspicious texts can be forwarded for free to 7726. In the United States, the FTC also recommends forwarding unwanted or suspicious texts to 7726 when your carrier supports it. In Spain, use INCIBE’s official channels: the 017 helpline, its form, or its fraud-reporting channel.
WhatsApp and the code scam. INCIBE documented in March 2026 a real WhatsApp account-theft case where the victim handed over a code. An increasingly visible variant abuses the linked-devices feature: the attacker guides you into entering a code or pairing a device that is not yours. Your WhatsApp may keep working normally, but your conversations can be mirrored to a third party. The defense is simple: never enter a verification or device-linking code because a website, call or message asks you to. Devices are only linked when you decide to do it from inside WhatsApp. And it is worth occasionally checking Settings → Linked Devices and signing out anything you do not recognize. CERT-In has also warned about abuse of the linked-devices feature.
Permissions and APK files on Android. In 2026, CERT-In warned about Android malware campaigns delivered through messages containing .apk files or links to download supposedly legitimate apps. Once installed, those apps can request sensitive permissions, read SMS messages, steal credentials and facilitate unauthorized transactions. The practical advice does not change: install apps only from official stores and keep installation from unknown sources disabled. Never install an .apk that arrives through WhatsApp, SMS, Telegram or a random website.
The rule that wraps up all the others
If you ask me for one sentence to take away from all this, it is this: always verify through a second channel before acting on anything important.
An email asking for an urgent transfer: call the person on their mobile. A message from a relative saying their phone was stolen and they need money: call them on the number you already have saved. A message or call claiming to be your bank: hang up and call the bank yourself using the number on the back of your card.
Passwords get reused. SMS-based two-factor verification can be intercepted. The most sophisticated technical systems in the world cannot compensate for a hasty decision. But a minute’s pause, a call to a number you already know, is worth more than every technical control put together.
Passkeys are now one of the strongest technical defenses available to everyday users because they are bound to the real domain, and a fake site cannot consume them. But their real value is in what they make possible: freeing you from having to guess whether a page is legitimate. While they spread to every service you use, the second human channel remains your best tool.
Trusted sources and resources
If you want to dig deeper, these are official references and trusted guidance resources:
- 🇩🇴 Dominican Republic - National Cybersecurity Center (CNCS / CSIRT-RD) and Yo Navego Seguro - tools, guides and educational portal.
- 🇪🇸 Spain - INCIBE: 017 helpline and fraud reporting - free and confidential cybersecurity support.
- 🇬🇧 United Kingdom - NCSC: phishing and reporting guidance - what to do when faced with suspicious emails, texts, calls and websites.
- 🇺🇸 United States - CISA: More than a Password, FTC: fraud reports and FCC: unwanted calls.
- 🇪🇺 European Union - ENISA: Threat Landscape 2025 - annual threat report.
By: Cesar Rosa Polanco - Written from a real experience, with artificial intelligence used as an editorial support tool.