Introduction
To understand why email privacy matters, it helps to think like an attacker. What happens after your email address falls into the wrong hands?
Cybercriminals have developed sophisticated playbooks for weaponizing email addresses. According to Verizon's 2024 Data Breach Investigations Report, 68% of breaches involved the human element — often a social engineering attack that started with an email address. The average cost of a social engineering attack in 2024 was approximately $130,000 per incident.
Here's how attackers use email addresses in social engineering — and how to disrupt their playbook.
Phase 1: Reconnaissance
The attacker starts with your email address and enriches it:
Cross-referencing breach databases. They check your email against known breach databases. Each breach reveals additional data: passwords, names, addresses, purchase history.
Social media lookups. Your email is used to find your LinkedIn, Facebook, Instagram, and other profiles. These reveal your employer, job title, location, interests, friends, and recent activities.
Data broker queries. Data brokers sell detailed profiles linked to your email. For a few dollars, an attacker can learn your income, home value, family members, and purchasing habits.
Dark web marketplaces. Confirmed, active email addresses are traded on dark web forums. A validated email with associated personal data can sell for $10–$100 depending on the profile depth.
Phase 2: Targeting
With a complete profile, the attacker chooses an attack vector:
Spear phishing. A personalized email referencing your actual employer, role, or recent purchase. AI makes these emails nearly indistinguishable from legitimate messages.
Business Email Compromise (BEC). If the attacker identifies colleagues from your LinkedIn profile, they may impersonate a senior executive and request an urgent payment or data transfer. IBM's 2024 Cost of a Data Breach Report found that BEC attacks account for 6% of all breaches with an average cost of $4.89 million.
Credential stuffing. The attacker tries the email with a known password from a previous breach against other services (banking, email, social media).
Account recovery attacks. With enough personal data, the attacker may attempt to socially engineer customer support into resetting your account credentials.
Phase 3: Exploitation
Once the attacker has access:
Account takeover. They change the password and recovery options, locking you out.
Lateral movement. They use your compromised email to reset passwords on other services.
Impersonation. They send emails to your contacts, impersonating you to request money, gift cards, or sensitive information.
Credential harvesting. They use your account to send phishing emails to your contacts, expanding their reach.
How Disposable Email Disrupts the Kill Chain
Prevents reconnaissance. A disposable address has no breach history, no social media linkage, and no data broker profile. The enrichment phase yields nothing.
Prevents targeting. Without a behavioral profile, the attacker can't craft a convincing spear phishing email. The targeting phase is blind.
Limits blast radius. Even if a disposable address is compromised, there are no other accounts to pivot to. The attacker gets one empty inbox and nothing more.
Expires the target. If the attacker collects a disposable address from a breach, the address is likely already expired by the time they try to use it.
The Expira Connection
Expira breaks the social engineering kill chain at the very first step. By using disposable addresses for low-value interactions, you prevent the data accumulation that makes social engineering effective.
Conclusion & CTA
Social engineering is the most common and most effective attack vector. It starts with a single piece of information: your email address.
Don't give attackers a starting point. Use Expira for every sign-up that doesn't need permanent access to your inbox.
Sources: Verizon 2024 DBIR; FBI IC3 2024 Internet Crime Report; Barracuda Spear Phishing Report Vol 6; Palo Alto Networks Unit 42 2025 Incident Response Report