Dormant Email Accounts: How Attackers Turn Forgotten Inboxes Into Wire Fraud
A dormant email account left sitting in your environment is not a housekeeping problem — it is an open door with a welcome mat. The FBI’s Internet Crime Complaint Center (IC3) reported that Business Email Compromise (BEC) attacks caused adjusted losses of more than $2.77 billion in 2023 — and the 2024 IC3 report confirmed BEC has held its position as the costliest cybercrime category the FBI tracks, year after year. What those headline numbers don’t show is the attack surface behind the losses: forgotten inboxes belonging to employees who left a year ago, accounts tied to vendors who were never fully offboarded, and shared mailboxes that outlived their purpose. This post breaks down exactly how attackers find, access, and profit from dormant email accounts — and what a well-run IT environment does to stop it.
- What the FBI IC3 Data Actually Shows
- Why Dormant Accounts Are the Preferred Entry Point
- The Attack Chain: From Stale Credential to Wire Transfer
- Who Is Most Exposed
- Real-World Scenarios
- Building a Defense Posture That Closes the Door
- What to Ask Your IT Firm Right Now
- The Identity Lifecycle Imperative
What the FBI IC3 Data Actually Shows
The FBI IC3 2024 Internet Crime Report (covering calendar year 2023, published April 2024) documented 21,489 BEC complaints resulting in over $2.77 billion in adjusted losses. That is the adjusted figure — after financial institutions recovered some funds. The gross amount attempted was considerably higher. For context, BEC losses exceeded the combined losses from ransomware, data breaches, and tech support fraud in the same year — by more than three times.
The 2025 IC3 report (covering 2024) had not been released at the time of writing, but FBI mid-year advisory updates and private sector threat intelligence firms — including Mandiant, Abnormal Security, and Cofense — all point in the same direction: BEC volume is rising, average transaction size is growing, and compromising legitimate inboxes rather than spoofing external addresses is now the dominant tactic.
The reason is straightforward. When an attacker sends email from a spoofed domain, modern email security systems can flag it. When that same attacker sends from a real, long-established inbox inside your environment — one your CFO has exchanged dozens of messages with over the years — every trust signal points the wrong way. The email looks right. The history is there. The display name is familiar. The only problem is that the person who owned that account left the company fourteen months ago, and their dormant email account was never disabled.
Why Dormant Email Accounts Are the Preferred Entry Point

Attackers follow the path of least resistance, and dormant email accounts offer structural advantages that active accounts simply don’t.
No one is watching the inbox. When an attacker logs into an active employee’s account, behavioral signals — login time, location, device fingerprint — can trigger an alert. The employee might notice unexpected sent items or calendar changes. Dormant email accounts generate none of that. There is no one to notice. Logins from foreign IP addresses at 3 a.m. produce no ticket, no call, no raised eyebrow.
Passwords rarely change after departure. Most small businesses don’t enforce password rotation on dormant email accounts they plan to keep “just in case.” In many cases, the password set during onboarding is still active two years after the employee left. If that employee reused the same password on a personal account that was later involved in a credential breach — and the IC3 report explicitly notes credential stuffing as a BEC enabler — the attacker now holds valid credentials to an inbox no one is monitoring.
Multi-factor authentication is often missing on legacy accounts. Organizations that roll out multi-factor authentication typically do so for active users at rollout time. Accounts that predate the rollout — or that were excluded because “they don’t really log in” — often remain single-factor indefinitely. That makes dormant email accounts an even softer target than newly created ones.
Dormant email accounts carry years of organizational context. An inbox active for three years before going dark contains vendor payment details, wiring instructions, contract templates, org chart information, and the tone and style of internal communication. An attacker doesn’t need to guess how your CFO writes. The drafts folder holds a dozen examples.
The Attack Chain: From Stale Credential to Wire Transfer
This is not a single event — it is a patient, multi-stage operation that can unfold over weeks before a dollar moves.
Stage 1 — Credential acquisition. The attacker obtains a username and password through one of three routes: a prior data breach where the user reused credentials (available on dark web marketplaces for under $10 per record), a phishing campaign targeting the former employee’s personal accounts, or brute-force against weak passwords on dormant email accounts with no lockout policy.
Stage 2 — Silent reconnaissance. Once inside, the attacker does not act immediately. They read. They map the org chart from the inbox directory. They identify who handles accounts payable, who approves transfers, who communicates with the company’s bank or primary vendors. They look for upcoming transactions — a real estate closing, a pending vendor invoice, a scheduled wire. This phase can last days or weeks inside the dormant email account.
Stage 3 — Rule injection. The attacker sets forwarding rules or filters that silently copy incoming emails to an external address or suppress specific replies. The account’s former owner no longer exists as an active employee. The IT team, if not actively auditing mailbox rules on dormant accounts, won’t see it either.
Stage 4 — Conversation insertion. The attacker impersonates the dormant account holder — or pivots from that account to impersonate a vendor or executive — and inserts themselves into an active financial conversation. The most common pivot: posing as a vendor requesting a banking detail change immediately before an invoice is due.
Stage 5 — Fund diversion. The fraudulent wire or ACH transfer is initiated. IC3 data shows average BEC transaction values in the range of $125,000 to $130,000 — large enough to cause real damage to a small business, small enough that it sometimes falls below the threshold triggering enhanced bank verification.
Who Is Most Exposed to Dormant Email Account Attacks
The organizations most exposed to this attack vector share a cluster of characteristics that have nothing to do with industry and everything to do with IT maturity.
- Companies with fewer than 100 employees where HR offboarding is handled informally — a manager submitting a help desk ticket, or no formal IT notification at all.
- Organizations that use shared inboxes or role-based addresses (billing@, info@, ap@) that survive employee turnover without any associated identity review.
- Businesses where the owner or founder’s account accumulates vendor relationships and financial authority over many years — creating the most valuable possible target for a patient attacker.
- Companies that migrated to cloud email platforms but left legacy on-premises dormant email accounts in a “we’ll deal with that later” state, creating a shadow directory that is rarely audited.
- Organizations that expanded quickly and contracted just as fast — hiring surges followed by layoffs — leaving behind a graveyard of provisioned dormant accounts.
Small businesses are disproportionately represented in IC3 BEC complaints not because they are less careful than enterprise organizations, but because they have less infrastructure dedicated to the identity lifecycle. An enterprise has an identity governance platform, a privileged access management system, and an HR-to-IT integration that deprovisions accounts on an employee’s last day. A 30-person company has a shared spreadsheet and the best intentions.
Real-World Scenarios
The following are composite scenarios drawn from publicly reported incident patterns, not specific named clients.
- A construction subcontracting firm loses $210,000 after an attacker compromises the dormant email account of a former project manager. The attacker spends eleven days reading email before sending a single message — a request to the owner to update bank routing information for a subcontractor the firm had worked with for years. The owner complied because the email came from a known internal address.
- A nonprofit with a 12-person staff discovers six months after a bookkeeper’s departure that her dormant email account was never deprovisioned. An attacker had used it to intercept and redirect three grant disbursement notifications. The loss is not recovered because the organization’s cyber insurance policy required verified identity management controls that were never in place.
- A professional services firm finds that a former partner’s dormant email account — active for nine years before his departure — had been silently forwarding all incoming messages to an external Gmail address for four months. The attacker never sent a single email. They only read. The information harvested was used in a spear-phishing campaign targeting the firm’s largest client.
Building a Defense Posture That Closes the Door
The controls required to address dormant email accounts are not exotic. They are the operational fundamentals that separate organizations with security built into their day-to-day workflows from those that treat it as an annual checkbox. CISA’s Business Email Compromise prevention guidance identifies identity hygiene as a top-tier control, and the specifics below align with that guidance.
Immediate account deprovisioning tied to HR events. The moment an employee’s last day is confirmed, the account should be disabled — not deleted, disabled. Disabling preserves mailbox contents for legal and business continuity purposes while removing the active credential as an attack surface. This must be a defined step in the offboarding workflow, not an ad hoc request.
Quarterly audits of active accounts versus active employees. Every account in your directory should map to a person currently employed or a business function currently in use. Orphaned dormant email accounts should be disabled within the same audit cycle. This is not a complex operation — it is a recurring calendar event with a defined owner.
Multi-factor authentication with no exceptions. Every account in the environment — active and, critically, any account being kept live for any reason — should require a second factor to authenticate. If an account cannot support multi-factor authentication for a legitimate reason, that reason should be documented and reviewed, not simply accepted as permanent.
Mailbox rule audits. Email platforms like Microsoft 365 and Google Workspace provide administrator-level visibility into all mailbox forwarding rules. Automated alerts for new forwarding rules — especially rules forwarding to external domains — should be standard configuration in any well-managed environment. This single control would have interrupted the attack chain in the majority of BEC scenarios involving dormant email accounts.
Conditional access policies based on location and device. Even with valid credentials in hand, an attacker can be stopped if conditional access policies require authentication from a known device or within an expected geographic range. A login from a residential IP in Eastern Europe at 2 a.m. using a credential dormant for nine months should fail — or at minimum trigger an alert — before access is granted.
Financial verification controls that live outside email. Because BEC is fundamentally a social engineering attack delivered through email, the most reliable final defense is a verification step that doesn’t rely on email at all. Any banking detail change request — regardless of who it appears to come from — should require a phone call to a known number to confirm. This is a process control, not a technology control, and it costs nothing to implement.
For organizations with a mature cybersecurity program, these controls are already in place and reviewed regularly. For organizations managing IT reactively, the gap between what is in place and what is needed is often larger than a single audit reveals. Explore our managed IT services to see how proactive identity lifecycle management gets embedded into your day-to-day operations.
What to Ask Your IT Firm Right Now
If you manage or advise a small business, direct the following questions to whoever is responsible for your IT environment — whether that is an internal IT person, an outside firm, or a mix of both. The answers will tell you a great deal about your actual exposure to dormant email accounts and the risks they carry.
- Can you show me a list of every enabled email account in our environment, and confirm that each one maps to a current employee or active business function?
- What is our documented process for disabling dormant email accounts when an employee leaves? Who owns that step, and how quickly does it happen after the departure date?
- Are multi-factor authentication requirements enforced on 100 percent of accounts, including shared mailboxes and role-based addresses? Are there any exceptions, and if so, why?
- Do we receive alerts when a new mailbox forwarding rule is created — especially one forwarding to an external address? When were those alerts last reviewed?
- Do we have conditional access policies that would flag or block an authentication attempt from an unfamiliar location or device?
- When was the last time we audited our user directory against our current employee roster?
A competent IT firm should answer every one of these questions with specifics — not generalities. If the answer to any of them is “we’d have to check on that,” you have found a gap that warrants immediate attention. BEC attacks are patient, methodical, and increasingly automated. The dormant email account no one is watching is exactly the one attackers are looking for.
The Identity Lifecycle Imperative
Dormant email accounts don’t become a liability overnight. They accumulate gradually — one departed employee, one forgotten vendor login, one shared inbox that no longer has a clear owner. The risk builds quietly, in the background, until an attacker finds the open door. By then, remediation almost always costs more than prevention would have.
Identity lifecycle management — systematically provisioning, reviewing, and deprovisioning dormant email accounts throughout their entire lifespan — is not a complex or expensive discipline for most small and mid-sized businesses. It requires a defined process, a responsible owner, a recurring audit schedule, and the organizational will to enforce it consistently.
According to NIST’s Identity and Access Management guidelines, timely deprovisioning of user accounts is one of the highest-impact, lowest-cost controls available to any organization regardless of size. The businesses that get through this threat landscape without losses are not the ones that got lucky. They are the ones that treated dormant email accounts and identity lifecycle management as non-negotiable operational disciplines long before any attacker came looking — because by the time someone finds the open door, closing it quickly is rarely enough.
Want a Walkthrough of Your Own Setup?
Twenty minutes on the phone with our team gets you specific recommendations you can use immediately — whether you hire us or not. No pitch, no pressure, just an honest read on where your business stands.