Are you already a target for online fraud and don't know it?

Recently, one of our clients experienced a sophisticated online fraud attempt and, fortunately, they were not harmed financially. Their instinct to pick up the phone and check with us directly made all the difference. However, the investigation that followed reveals just how vulnerable most people's digital lives can be, and how much can be put at risk when an email account falls into the wrong hands.

This guide explains what happened, what it means, and most importantly what every one of us should be doing to stay safe. It is written for anyone who uses email, a smartphone, or any online account. No technical knowledge is assumed.

CONTENTS

1. What happened when a client’s email account was hacked?

2. Why your email account is the master key.

3. How do criminals get into your email account?

4. What happens once a criminal has access to your email account?

5. How to use passwords correctly.

6. Two-factor authentication.

7. Passkeys: taking secure access to the next level.

8. Understanding your accounts and how they interact.

9. Malware: what it is and what it does.

10. How to spot online scams and the different tactics they use.

11. Your action checklist.

12. A final note.

13. What’s next.

A client received an email that appeared to come from their AV Trinity adviser. It was well-written, personally addressed by name, used the adviser’s correct name and job title, and contained our genuine email footer at the bottom. It recommended a specific investment product with attractive projected returns and invited the client to open an attached file and links.

Luckily, the client had the good sense to contact us directly to verify before doing anything. They had not clicked any links or opened any attachments. That caution almost certainly protected them from significant harm.

When we investigated, we found the email had not been sent from our systems at all. It had been sent from a fraudulent domain: a web address almost identical to ours, with a single letter changed in a way that is very easy to miss at a glance (they used an ‘l’ rather than an ‘i’). The scammer had registered this fake address specifically to impersonate us.

More concerning was the question of how the scammer knew so much. They knew the client’s name. They knew their adviser. They had a copy of a real AV Trinity email footer. The answer, established during our investigation, was that the client’s own personal email account had been compromised. Someone had been logging in remotely, reading years of correspondence, and used what they found to construct a highly convincing, targeted attack.

By the time the client tried to report the original email to the police, the messages had vanished from their inbox, sent items and recently deleted folders. The attacker was still actively logged-in the email account; had seen we were investigating and was deleting the evidence to cover their tracks.

Unfortunately, this type of highly specific, high-effort attack is becoming more common and it can happen to anyone whose email account is not properly secured.

Your email account is the single most important thing to protect online, but most people do not fully appreciate why.

Consider everything connected to your email address: your bank, your pension provider, your investment accounts, your HMRC account, your online shopping, your utility bills, your insurance, your NHS login, your GP records. If you forget the password to any of these services, you click ‘Forgot my password’, and a reset link is sent to your email.

This means that whoever controls your email account effectively controls everything connected to it. They do not need to know your banking password. They simply reset it using access to your inbox.

It doesn’t end there either.

Years of email correspondence contain an extraordinary amount of personal and financial information: account numbers, adviser names, pension values, property details, solicitor letters, medical correspondence, and family details. A criminal who gains access to your inbox does not just have your email. They have a detailed map of your entire financial life.

There is a common misconception that criminals try to guess passwords one at a time, a patient hacker at a keyboard trying combinations until something works. It does not happen like that.

Automated software can make millions of password attempts per second. A password such as ‘Whiskers123’ or ‘Smith1962’ offers almost no resistance. Names, words, dates, and simple variations are cracked within seconds or minutes.

Credential stuffing: the most common method.

Over the past decade, hundreds of major companies have suffered data breaches: retailers, social media platforms, entertainment services, professional networks. When these breaches occur, vast databases of usernames and passwords are leaked and sold on criminal marketplaces.

If you have ever used the same password on more than one service, there is a real possibility that password has already been stolen from somewhere. Criminals buy these databases and automatically try every combination against every major service (email, banking, Amazon, PayPal) until something opens.

This is why using the same password across multiple accounts is so dangerous. A breach at a service you barely remember signing up for can become the entry point for everything else.

Once a criminal has access to your email account, the damage unfolds quickly and systematically.

First, they read. Years of emails give them your full financial picture: who you bank with, who manages your investments, who your solicitor is, your approximate wealth, your address, your family situation. They may spend days gathering information before acting.

Then they act. Common next steps include:

• Resetting passwords on connected accounts (banking, investments, PayPal, Amazon) by using your email to receive the reset links.

• Locking you out by changing your email password and recovery details so you cannot regain access.

• Impersonating you by sending emails in your name to your bank, your family, or your financial advisers.

• Deleting evidence: removing emails that might help you or investigators understand what has happened.

• Using your trusted relationships: in our client’s case, this meant sending convincing scam emails to their contacts using details gathered from the inbox.

• Targeting you further: they now know your phone number, your address, your adviser’s name. Expect follow-up calls from people pretending to be your bank, HMRC, or a financial firm.

A useful analogy: if someone stole your house keys, you need to change all the locks.

The aim is straightforward: make it impossible for a criminal to access your email account, even if they already have a password you once used somewhere else.

Use a different password for every account.

This is the single most important rule. If every account has its own unique password, a breach at one service cannot open any other. That single change dramatically reduces your exposure.

Use strong, random passwords.

A strong password is long (at least twelve characters), contains a mixture of upper and lower case letters, numbers, and symbols, and bears no resemblance to any word, name, or date connected to you. Something like 7#mQpLx2!nRv is strong. Something like Tunbridge1986 is not.

The difficulty, of course, is that no human being can remember dozens of long, unique, random passwords. This is where a password manager comes in.

Make sure you use a password manager.

A password manager is a secure application (think of it as a locked safe) that stores all your passwords in one place. You only ever need to remember one master password to open the safe. When you visit a website or open an app, the password manager fills in your login details automatically.

The idea, and this surprises many people, is that you should not know what your passwords are. They should be long, random strings generated by the password manager itself, impossible to guess, impossible to remember, and completely different for every account. That is not a vulnerability. It is the whole point.

Well-regarded password managers include 1Password, Bitwarden (which has a free option) and Dashlane. Your device may also offer a built-in option: Apple Passwords on iPhones, iPads, and Macs, and Google Password Manager on Android devices and in Chrome. Either is a reasonable place to start.

Check whether you have already been compromised.

The website haveibeenpwned.com allows you to enter your email address and see whether it has appeared in any known data breach. It is a free, legitimate service run by a respected security researcher. If your email address appears, change the passwords for all accounts that used that address. Start with your email password itself.

Use different email addresses for different purposes.

It is also worth using different email addresses and services for different purposes. For example, you could have:

• One for your online shopping.

• One as your main address for banking etc.

• Another you use for signing up to email newsletters and the like.

Some systems, like Apple’s iCloud+ ‘hide my email’, allow you to generate pseudo email addresses that forward mail to your main account, so the internet never has to know your real email address at all. 

Even a strong, unique password can theoretically be stolen, for example by malicious software that records what you type. Two-factor authentication (also called 2FA or multi-factor authentication) means a password alone is not enough to log in. You also need a second piece of evidence: typically a code sent to your phone, or generated by an app.

Think of it as a second lock on the door. Even if a criminal somehow obtains your key, they cannot get through without the second lock.

To enable two-factor authentication, go to the security settings of any account and look for the option labelled ‘Two-factor authentication’, ‘2FA’, or ‘Multi-factor authentication’. Enable it on your email account first, then on your banking and financial accounts.

A note on text message codes.

The most common form of two-factor authentication sends a short code by text message. This is far better than nothing. However, a type of attack called SIM swapping can sometimes allow criminals to convince a mobile network to transfer your phone number to a SIM they control, which lets them intercept these codes. For higher-value accounts, an authenticator app such as Google Authenticator, Authy, Microsoft Authenticator and 2FAS are all more secure.

Alongside passwords and two-factor authentication, there is a newer approach worth knowing about: passkeys. If you use an iPhone, iPad, or Mac, you almost certainly already have the technology in place to use them. Many major services now support them, including Apple, Google, Amazon, and a growing number of banks and financial platforms.

A passkey replaces your password entirely. Instead of typing a string of characters, you authenticate by using Face ID, Touch ID, or your device PIN. Your phone or computer holds a cryptographic key that proves your identity to the website without transmitting anything a criminal could intercept or steal.

From a security perspective, passkeys address several problems at once. There is no password to be leaked in a data breach, because there is no password to steal. There is nothing for a phishing email to capture, because you never type anything. And the passkey is bound to the specific website it was created for, so a fake website designed to look like your bank cannot use it.

The UK’s cyber chiefs are keen on everyone migrating to passkeys, as discussed in this BBC Article.

The attack methods described earlier in this guide - credential stuffing, SIM swapping, phishing - do not work against passkeys.

How passkeys work on Apple devices.

On an iPhone or Mac, when you set up a passkey for a website or app, your device creates a pair of cryptographic keys. One stays on your device, stored securely in the device’s hardware and protected by your biometrics. The other is shared with the website.

When you log in, Face ID or Touch ID confirms it is you, and the two keys verify each other. Nothing is typed, nothing is transmitted that could be intercepted, and nothing is stored on a server that could be breached.

Apple stores passkeys in iCloud Keychain, which means they sync automatically and securely across all your Apple devices. If you set up a passkey on your iPhone, it will also be available on your Mac and iPad without any additional steps.

What this means in practice.

Passkeys are not yet universally supported. Many services still require traditional passwords, and you will continue to need a password manager for the accounts that have not yet adopted them. However, the direction of travel is clear: the major technology companies, financial institutions, and standards bodies are all moving towards passkeys as the standard approach to authentication over the coming years.

If a service you use offers the option to set up a passkey, it is worth doing so. The process typically takes less than a minute: you will be prompted during login or in the account’s security settings, your device will confirm your identity with Face ID or Touch ID, and the passkey is created. From that point, you will never need to type or remember a password for that service again.

One of the most common sources of confusion, particularly for people who have been online for many years, is the difference between all the various accounts they have accumulated across different devices and services.

Your email address and your device account are not the same thing.

Many people have an email address they have held for a long time: a Hotmail, BT, Tiscali, or Yahoo address set up years ago. They may also have a separate Apple or Google account they created when they first bought a smartphone. These are entirely different things, and each needs to be independently secured.

Apple ID and iCloud: three things, not one (plus a note on Google accounts).

If you use an iPhone, iPad, or Mac, you have: an Apple ID. This is the account that controls your device, your app purchases, and your iCloud storage. Your Apple ID uses an email address as its username, but that email address might be a Hotmail, a Gmail, or (confusingly) an iCloud address. The email address is simply a label. The Apple ID is the account itself that links to iCloud.

A common source of confusion: Your Apple ID might use your old Hotmail address as its username. If you also used the same password for your Hotmail account, that means your Hotmail password is, in effect, the key to your Apple account, iCloud photos, and everything on your iPhone, iPad and Mac.

If a criminal gains access to an Apple ID, they can access everything stored in iCloud; which means your photos, contacts, messages, and documents, all without ever physically touching the device.

The same can be said for Google accounts. You may use a Google email address as your username, but it may also use your main email address from another provider.

This can be quite confusing, and as digital services have grown over the years, the way you have set things up can complicate matters. 

What lives in the cloud, and what lives on your device?

’The cloud’ simply means a server owned by Apple, Google, Microsoft, or another company: a computer in a data centre that stores your information. When your phone backs up automatically overnight, it is sending a copy of your photos, contacts, and messages to these servers.

This matters for two reasons. First, if a criminal gains access to your Apple ID or Google Account, they may be able to access everything backed up to the cloud without ever touching your physical device. Second, if your device is infected by malicious software that encrypts or deletes your files, that damage can be automatically synchronised to the cloud backup, overwriting the safe copy.

Securing your cloud accounts is therefore just as important as keeping your physical device safe.

Your accounts are often on all your devices and synchronised via the cloud.

To further complicate matters, there is a common misconception about the separation of different devices. Your laptop will likely be signed-in to various email and software accounts, as will your phone – there is no distinction. They pull information for your accounts down and send it back up again. This synchronises your data across your devices and there is very little in the way of data that lives on a single device these days compared with data in the cloud. If your accounts are compromised on one device, they will be compromised on others.

Malware is malicious software installed on a device without the owner’s knowledge. It can arrive via email attachments, links to fraudulent websites, downloads from unofficial sources, or, in more targeted attacks, through vulnerabilities in outdated software.

Once installed, malware can:

• Record every key you press, including passwords, and transmit them remotely to criminals.

• Take screenshots of your screen and send them without your knowledge.

• Give criminals full remote access to your device, allowing them to use it as if they were sitting in front of it.

• Encrypt all your files and demand a ransom payment to restore access (this is called ransomware).

• Use your device to send spam or attack others, without your knowledge.

Is Apple safer than Android and Windows?

Apple devices (iPhones, iPads, and Macs) have historically offered a more controlled security environment than Android or Windows devices. Apple reviews every app before it appears in the App Store, and the operating system is designed to limit what applications can access. This reduces the risk, but it does not eliminate it. More recently, the EU has declared the App Store as a monopoly and is forcing Apple to open up their devices to other, third party app stores - what this will mean for digital security remains to be seen.

Android is a more open system, which creates greater exposure, particularly if apps are installed from sources other than the official Google Play Store. Windows computers remain the most commonly targeted platform, primarily because of how widely they are used.

Whatever device you use, the most important protections are the same:

• Keep your operating system and all apps updated, as updates frequently fix known security weaknesses that criminals actively exploit.

• Only download apps from official stores: the Apple App Store or Google Play.

• Do not open email attachments you were not expecting, even from people you know.

• Do not click links in emails or text messages unless you are certain of the source.

• If you are offered software to download by someone who has called you, do not proceed.

Phishing emails

A phishing email is designed to trick you into clicking a link, opening an attachment, or entering your details on a fake website. They are increasingly convincing. Many now use correct names, accurate branding, and personal details obtained from earlier breaches.

Warning signs to look for:

• An unexpected request to ‘verify’, ‘confirm’, or ‘update’ your account details.

• Urgency: ‘Your account will be suspended within 24 hours unless you act now’.

• The sender’s email address contains a subtle error: a letter swapped, a character added, or an unusual domain name.

• Links that, when you hover your cursor over them without clicking, show a different web address to what is displayed.

• Attachments you were not expecting, particularly documents, spreadsheets, or compressed files.

• Investment recommendations arriving out of the blue by email, especially those promising unusually high or guaranteed returns.

Checking the sender’s email address.

The name displayed in an email, for example ‘Jane Thompson’ or ‘Barclays Bank’, is easily faked and means nothing on its own. What matters is the actual email address. You can see it by clicking or tapping on the sender’s name. Look carefully at the domain: the part after the @ symbol. info@avtrinity.com is genuine. info@avtrlnity.com is not. In the fraudulent version, the letter ‘i’ in Trinity has been replaced with the letter ‘l’. It is very easy to miss.

Phone scams

Once criminals have read your email correspondence, they know who you trust. Expect calls from people claiming to be your bank, HMRC, your financial adviser, or a utility company. They may sound professional and may know personal details, because they have read your emails.

A genuine bank or regulated financial firm will never:

• Ask for your full password or PIN over the telephone.

• Ask you to transfer money to a ‘safe account’ to protect you from fraud.

• Ask you to download software onto your computer.

• Pressure you to act immediately without time to think or verify.

If you have any doubt, end the call, wait several minutes, and call back using a number you find yourself from the organisation’s official website, not a number given to you during the call.

Text message scams.

Text messages work the same way. Fraudulent texts frequently claim to be from a delivery company, your bank, or HMRC, and contain a link to click. Treat any unexpected text message with a link as suspicious, regardless of how convincing it looks. When in doubt, go directly to the organisation’s website by typing the address yourself.

The steps below are listed in priority order. If you are unsure where to begin, start at the top.

Priority 1: Do this as soon as possible.

1. Change your email password to something long, unique, and random. Use a password manager to generate it, or choose a passphrase of four or more unrelated words of at least sixteen characters total with no personal connection. 

2. Install a password manager and begin creating unique passwords for your most important accounts. Apple’s own passwords app is https://support.apple.com/en-us/120758 and Google’s is https://passwords.google/

3. Enable two-factor authentication on your email account. Go to your email provider’s security settings and switch it on. Use an authenticator app rather than text message if the option is available.

4. Visit haveibeenpwned.com and enter your email address. If it appears in any known breach, change the passwords for all accounts that used that address.

Priority 2: This week.

1. Check your email account’s security settings for any recovery email addresses or backup phone numbers you do not recognise. Remove anything unfamiliar immediately.

2. Check your email account’s inbox rules for any automatic forwarding or redirect rules you did not create.

Priority 3: This month.

1. Work through your other online accounts and update each to a unique password stored in your password manager.

2. Make sure all your devices are running the latest software updates. Phones, tablets, and computers all need to be kept current.

3. Review what is stored in your Apple ID or Google Account, and confirm those accounts are secured with strong passwords and two-factor authentication.

4. Consider whether a long-standing email address that may have been compromised in past breaches should be replaced with a fresh address, set up securely from the start.

The client at the centre of this story was not harmed financially. They picked up the phone rather than clicking a link. That single instinct, to verify directly before acting, made all the difference.

No legitimate financial adviser, bank, or regulated firm will ever pressure you into making a financial decision by email alone, or send you an unsolicited investment recommendation asking you to respond immediately. If you ever receive an email making a financial recommendation or requesting financial action that has not been discussed with you in person or over the phone first, please call us before doing anything else.

We are always happy to verify whether a communication is genuine. It takes thirty seconds, and it may matter a great deal.

Taking steps to protect your online accounts is a sensible use of an afternoon. Taking steps to protect your financial future takes a little longer, but the consequences of leaving it unattended are considerably more significant.

AV Trinity is a Chartered Financial Advice firm based in Tunbridge Wells. We offer a free initial consultation to anyone who wants to understand their financial position and explore what good advice looks like for their circumstances.

We work with clients across the UK. Locally, we advise clients throughout Kent and East Sussex, including Tunbridge Wells, Sevenoaks, Maidstone, Tonbridge, Crowborough and Eastbourne.