How to Secure Your Email Account in 15 Minutes

IsThisAScam Research Team · June 2, 2026 · 4 min read

Your email account is the skeleton key to your digital life. Password resets for banking, social media, shopping, and every other account funnel through your email inbox. A compromised email account doesn't just expose your messages — it gives attackers a pathway to every account connected to that email address. Google's security team found that a compromised Gmail account leads to an average of 3.4 additional account takeovers within 48 hours.

Securing your email takes 15 minutes and provides disproportionate protection across your entire digital footprint.

Minute 1-3: Check for Unauthorized Access

Before changing anything, check whether someone already has access to your account.

Gmail: Scroll to the bottom of your inbox and click "Details" in the lower-right corner. This shows all recent sessions — their IP addresses, locations, and devices. If you see sessions from locations you don't recognize, click "Sign out all other web sessions."

Outlook: Go to account.microsoft.com → Security → Sign-in activity. Review the list for unfamiliar locations or devices.

Yahoo: Go to login.yahoo.com → Account Security → Recent activity. Check for sessions you don't recognize.

Also check your email forwarding settings. A common attack technique is to add a forwarding rule that silently copies all incoming mail to the attacker's address. In Gmail: Settings → Forwarding and POP/IMAP. In Outlook: Settings → Mail → Forwarding. Remove any forwarding rules you didn't set up.
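Gmail filters can carry a forward action as well, separate from the address shown under Forwarding and POP/IMAP. The script below is an added example, not part of the original article: it reads the XML file Gmail produces when you export your filters and lists every filter that forwards mail, marking the ones whose destination you did not set up. The sample export and all addresses in it are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

# XML namespaces used by Gmail's exported filter file (an Atom feed).
NS = {"atom": "http://www.w3.org/2005/Atom",
      "apps": "http://schemas.google.com/apps/2006"}
# Filter properties that describe which messages a filter matches.
CRITERIA = {"from", "to", "subject", "hasTheWord", "doesNotHaveTheWord"}

# Constructed sample export: three filters, two of which forward mail.
SAMPLE_EXPORT = """<feed xmlns='http://www.w3.org/2005/Atom'
      xmlns:apps='http://schemas.google.com/apps/2006'>
  <entry>
    <apps:property name='from' value='newsletter@example.com'/>
    <apps:property name='label' value='News'/>
  </entry>
  <entry>
    <apps:property name='from' value='billing@example.com'/>
    <apps:property name='forwardTo' value='Backup@Example.org'/>
  </entry>
  <entry>
    <apps:property name='to' value='me@example.com'/>
    <apps:property name='forwardTo' value='collector@example.net'/>
  </entry>
</feed>"""

def forwarding_filters(xml_text, my_addresses=()):
    """Return one finding per filter that forwards mail anywhere."""
    trusted = {a.strip().lower() for a in my_addresses}
    findings = []
    for entry in ET.fromstring(xml_text).findall("atom:entry", NS):
        props = {p.get("name"): p.get("value", "")
                 for p in entry.findall("apps:property", NS)}
        target = props.get("forwardTo", "").strip().lower()
        if not target:
            continue  # this filter only labels, archives, etc.
        findings.append({
            "forward_to": target,
            "criteria": {k: v for k, v in props.items() if k in CRITERIA},
            "expected": target in trusted,  # did you set this one up?
        })
    return findings

def unexpected_forwards(xml_text, my_addresses=()):
    """Only the forwarding filters whose destination is not yours."""
    return [f for f in forwarding_filters(xml_text, my_addresses)
            if not f["expected"]]

if __name__ == "__main__":
    for f in unexpected_forwards(SAMPLE_EXPORT, ["backup@example.org"]):
        print("REVIEW:", f["forward_to"], "matches", f["criteria"])
```

Any filter it reports should be deleted in Gmail's filter settings unless you recognize the destination address.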

Minute 3-6: Update Your Password

Your email password should be the strongest password you have. Use a passphrase of 5+ random words or a 20+ character random string from your password manager. This password must be unique — never used on any other account, ever.

If you're using the same password for email as for anything else, change it right now. A breach of any other service instantly compromises your email, which then compromises everything else.

Minute 6-10: Enable Two-Factor Authentication

This is the most important step. Enable 2FA using an authenticator app (not SMS if possible).

Gmail: myaccount.google.com → Security → 2-Step Verification. Choose "Authenticator app" and scan the QR code with Authy or Google Authenticator.

Outlook: account.microsoft.com → Security → Advanced Security Options → Two-step verification. Set up Microsoft Authenticator or another authenticator app.

Yahoo: login.yahoo.com → Account Security → Two-step verification. Yahoo supports authenticator apps and security keys.

ProtonMail: Settings → Security → Two-factor authentication. ProtonMail strongly recommends TOTP authenticator apps.

Save your backup codes in your password manager or a secure physical location. These are your recovery lifeline if you lose access to your authenticator app.

IsThisAScam's 6-layer detection system specializes in identifying phishing emails — the primary way email accounts get compromised. Regular scanning of suspicious messages adds another layer of protection beyond technical security measures.

Minute 10-12: Review Connected Apps and Permissions

Over the years, you've probably granted dozens of apps and services access to your email account through "Sign in with Google" or "Sign in with Microsoft." Each connected app is a potential attack vector.

Gmail: myaccount.google.com → Security → Third-party apps with account access. Remove anything you don't actively use.

Outlook: account.microsoft.com → Privacy → App access. Review and remove unnecessary connections.

Be ruthless. If you haven't used an app in the last 6 months, revoke its access. You can always re-authorize it later.

Minute 12-15: Set Up Recovery Options

Proper recovery options prevent permanent lockout while making it harder for attackers to take over your account.

Add a recovery phone number: Use your actual mobile number. This is used for account recovery if you lose access to your authenticator app. Yes, this technically creates a SIM-swapping risk, but the recovery benefit outweighs the risk for most people — especially combined with authenticator-based 2FA.

Add a recovery email address: Use a separate email account (not the one you're securing) as a recovery address. Ideally, this recovery email also has strong 2FA enabled.

Review security questions: If your email provider uses security questions, don't answer them truthfully. "What was your mother's maiden name?" is easily researched. Use random answers stored in your password manager. Treat security questions as additional passwords.

Ongoing: Recognize Email Phishing

Even with perfect technical security, you remain the weakest link. Phishing emails designed to capture your login credentials are the most common way email accounts are compromised. Key habits:

  • Never click login links in emails — always go directly to the provider's website
  • Be suspicious of any email creating urgency about your account
  • Verify unexpected security alerts by logging in directly, not through email links
  • Report phishing: in Gmail, click the three dots → "Report phishing." In Outlook, select the message → "Report" → "Phishing"

For a deeper dive into recognizing phishing, read our complete phishing guide. For broader account protection, see our guides on creating strong passwords and enabling 2FA everywhere.
