
Your Email Address Is Not Your Identity. You Just Think It Is.

  • Don Bush
  • 4 hours ago
  • 4 min read

The $15.6 billion mistake hiding in plain sight, and why fixing it starts with questioning the premise.


Every morning, hundreds of millions of people prove who they are to their bank, their employer, their insurance company, their investment platform. They do it with the same mechanism they've used for decades: an email address and a password. The system sends a link. The link arrives. The system says: identity confirmed. Access granted.


It sounds reasonable. It is, in fact, one of the most expensive security mistakes the digital economy has ever made, and it is still being made, at scale, right now.

"Email proves reachability. It was never designed to prove identity. Modern systems confused the two — and criminals have been exploiting that confusion ever since."

Email was invented in 1971. It was a messaging protocol, designed to move text between computers. It was not designed to verify identity, authenticate users, secure financial transactions, or serve as the gatekeeping mechanism for the most sensitive data in the modern world. And yet, somewhere between the convenience of the consumer internet and the pressure to grow fast, that is exactly what it became.


The logic made sense at the time. Email was universal, free to deploy, and frictionless. Unlike traditional usernames, email addresses couldn't be duplicated, so they became the default identifier across virtually all online services — banking, healthcare, e-commerce, government portals, streaming, social media. Today, the average person has accounts with 80 to 100 online services and uses the same email address for 60 to 70 percent of them.


That concentration is not just a design choice. It is an attack surface of historic proportions.


$15.6 B

Lost to account takeover fraud in the U.S. in 2024 alone — a 23% increase year-over-year.


The problem runs deeper than stolen passwords. It runs deeper than phishing. The real vulnerability is structural: businesses adopted email as an identity layer once, at product launch, under growth pressure, and then almost never revisited that decision. The security debt accumulated silently. Email addresses in user databases aged. Some got abandoned. Some got compromised. Some were reassigned to entirely different people. The service had no idea. It kept sending password reset links and transaction approvals to addresses it had validated, in some cases, years ago.


Here is what a single email verification at account creation actually tells you: that this address existed and was accessible on one specific day. It tells you nothing about whether it is compromised right now. Nothing about whether it belongs to a fraud network. Nothing about whether it is a disposable address engineered to age into appearing legitimate. Nothing about whether anything has changed in the months or years since the account was opened.

"A one-time email check is a snapshot. Fraud is a motion picture. Treating a snapshot as permanent proof of identity is not a security posture. It is a liability."

The numbers confirm it. Account takeover attacks surged 250% year-over-year, with 99% of monitored organizations targeted and 62% successfully breached. Credential stuffing — the automated recycling of stolen email-password pairs across banking portals and e-commerce platforms — recorded 26 billion attempts per month. Phishing attacks exploiting email-based authentication surged 4,151% following the widespread adoption of AI generation tools.


And sitting at the center of nearly every incident in that landscape: an email address that someone, somewhere, assumed was still good.


250 Days

Average time to detect a credential-based breach. That is 250 days of password resets, transactions, and sensitive access flowing through a channel that may belong to someone else.


Multi-factor authentication was supposed to fix this. And it helps — but it doesn't solve the underlying problem. Most MFA implementations route their authentication flows through the same email addresses. SIM swap fraud jumped 1,055% in 2024, undermining SMS-based MFA. MFA fatigue attacks are documented at enterprise scale. In 2024, 85% of organizations targeted by account takeover attacks had bot detection in place. Sixty-two percent were still successfully breached. The authentication events were hardened. The email address underneath them was not.


There is a second dimension that rarely gets discussed: addresses that were never legitimate at all. The disposable email industry — services that let users create unlimited temporary inboxes in seconds, receive a verification email, and discard the address — reached $1.36 billion in market size in 2024. In high-risk sectors like e-commerce promotions and gaming, fake signups using synthetic or disposable addresses can outnumber legitimate registrations by as much as 120 to 1. These addresses pass every standard validation check. The only way to identify them is through continuously updated behavioral intelligence, the kind a one-time check at account creation will never surface.


The case studies are not theoretical. In 2024, over 500,000 Roku accounts were compromised through credential stuffing. Norton, a company that sells security software, had to notify customers that attackers had successfully accessed their Password Manager vaults through the same email-password combination that protects every other account. Business Email Compromise resulted in $2.77 billion in reported losses to the FBI in 2024, with the actual figure likely exceeding $5 billion when unreported incidents are included.


These are not edge cases. They are the predictable, documented outcome of treating a communication channel as an identity system.


The solution is not to abandon email. Email will remain the internet's primary communication identifier for the foreseeable future. The solution is to stop treating a one-time email validation as a durable identity claim. Every high-stakes action (a password reset, a payment method change, a large transaction, a new device login) represents a new moment of trust extension that deserves a fresh evaluation of whether that trust is still warranted.
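As an added illustration (not code from the article or from myNetWatchman), the Python sketch below contrasts the one-time "snapshot" check with a per-action trust re-evaluation of the kind this paragraph describes, and folds in the disposable-address signal from the earlier paragraph. The threshold of 90 days, the action names, the device signal and the disposable-domain list are all assumptions constructed for the example; a real deployment would replace the static list with a continuously updated feed.

```python
"""
Illustrative step-up policy: re-evaluate whether the email address can still be
trusted at every high-stakes action, instead of relying on the verification
performed once at signup. Thresholds, signal names and the domain list are
constructed for this example and are not taken from the article.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"  # confirm through a channel other than the email itself
    BLOCK = "block"


# Assumed policy parameters (constructed for the example).
MAX_VERIFICATION_AGE = timedelta(days=90)
HIGH_STAKES_ACTIONS = {
    "password_reset",
    "payment_method_change",
    "large_transfer",
    "new_device_login",
}
# Constructed sample list of throwaway-inbox domains; .example is reserved.
DISPOSABLE_DOMAINS = {"tempmail.example", "10min.example"}


@dataclass
class Account:
    email: str
    email_verified_at: datetime          # the one-time check at signup
    known_device_ids: Set[str] = field(default_factory=set)


@dataclass
class ActionContext:
    action: str
    device_id: str
    now: datetime


def legacy_allow(account: Account) -> bool:
    """The snapshot model: verified once, trusted forever."""
    return account.email_verified_at is not None


def email_domain(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower()


def evaluate(account: Account, ctx: ActionContext) -> Tuple[Decision, List[str]]:
    """Fresh trust evaluation at the moment of the action.

    Returns the decision and the list of signals that drove it.
    """
    reasons: List[str] = []

    # A disposable address passed signup verification, but it was never a
    # legitimate identity claim; refuse regardless of the action.
    if email_domain(account.email) in DISPOSABLE_DOMAINS:
        reasons.append("disposable_domain")
        return Decision.BLOCK, reasons

    # Low-stakes actions keep the frictionless path.
    if ctx.action not in HIGH_STAKES_ACTIONS:
        return Decision.ALLOW, reasons

    # The signup verification is only evidence about one day in the past;
    # beyond the assumed age it no longer counts as proof of control.
    age = ctx.now - account.email_verified_at
    if age > MAX_VERIFICATION_AGE:
        reasons.append(f"verification_stale:{age.days}d")

    # An unfamiliar device is a new moment of trust extension.
    if ctx.device_id not in account.known_device_ids:
        reasons.append("unknown_device")

    return (Decision.STEP_UP, reasons) if reasons else (Decision.ALLOW, reasons)


# Constructed sample data for a stand-alone run.
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)
FRESH_ACCOUNT = Account("alice@example.com", SAMPLE_NOW - timedelta(days=10), {"dev-1"})
STALE_ACCOUNT = Account("bob@example.com", SAMPLE_NOW - timedelta(days=400), {"dev-2"})
DISPOSABLE_ACCOUNT = Account("x@tempmail.example", SAMPLE_NOW - timedelta(days=1))


def demo() -> dict:
    """Run the sample accounts through both models for comparison."""
    cases = {
        "fresh_known_device": (FRESH_ACCOUNT, ActionContext("large_transfer", "dev-1", SAMPLE_NOW)),
        "fresh_low_stakes": (FRESH_ACCOUNT, ActionContext("view_balance", "dev-9", SAMPLE_NOW)),
        "stale_reset": (STALE_ACCOUNT, ActionContext("password_reset", "dev-2", SAMPLE_NOW)),
        "fresh_new_device": (FRESH_ACCOUNT, ActionContext("password_reset", "dev-9", SAMPLE_NOW)),
        "disposable": (DISPOSABLE_ACCOUNT, ActionContext("view_balance", "dev-1", SAMPLE_NOW)),
    }
    return {
        name: {"legacy": legacy_allow(acct), "policy": evaluate(acct, ctx)}
        for name, (acct, ctx) in cases.items()
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:20s} legacy={result['legacy']} policy={result['policy']}")
```

The point of the side-by-side is that `legacy_allow` returns the same answer for all three sample accounts, including the one verified 400 days ago and the disposable one, while `evaluate` only lets the fresh, known-device case through without a step-up. Step-up here means confirming through something other than the email address under question; routing the challenge back through that same inbox would reproduce the weakness the article describes.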


The organizations ahead of this threat are not the ones who added more friction on top of email authentication. They are the ones who started questioning the premise underneath it.

The full picture is documented in “The Lying Gatekeeper”, a new special report from myNetWatchman: the mechanics of how email became the digital economy's most consequential vulnerability, the case studies that should have changed everything, and what a continuous intelligence approach actually looks like.


