How a retiree avoided $47K in scam losses with one email-alias change
Retirees are the most-targeted scam demographic
Margaret's daughter is a financial advisor and gave her the wake-up: in 2024, the FBI's IC3 report found that Americans over 60 lost $2.8 billion to crypto-related and email-vector scams. Australia's and New Zealand's regulators reported similar patterns. The average retiree-victim loss was around $47,000 — not enormous individually, but life-altering for someone on a fixed pension.
Margaret had used the same Gmail for everything since 2009 — her bank, her superannuation provider, her pension fund, her doctor's portal, the local council, her late husband's life-insurance account, the kids' school fundraiser, and 30+ retailers from her years of online shopping. Every time one of those services got breached, her address went into a phishing list specifically targeted at retirees with assets. By 2025 she was receiving multiple convincing scam attempts per week — fake bank fraud alerts, fake superannuation requests, fake government tax warnings.
Her daughter helped her sit down with a checklist on a Saturday afternoon. The migration to aliases took about three hours; it remains the best three hours either of them spent that year.
The setup: separate aliases for finance, health, and shopping
- Bought a simple custom domain (<family-name>.kiwi). Pointed MX at EmailAlias.io Premium.
- Created three tiers of aliases: high-value (bank, pension, super, life insurance, government services) on dedicated unique addresses; mid-value (doctor, dentist, pharmacy, council) on their own aliases; low-value (retailers, newsletters, kids' fundraisers) on a single bulk alias.
- Updated every high-value and mid-value account with the new alias. Configured exposure-detection alerts on every high-value alias — any spam at all is a signal worth investigating.
- Daughter set the destination to a hardened ProtonMail account with hardware 2FA. Margaret only sees her primary inbox for personal correspondence; financial alerts arrive on her phone via push.
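The tiering and the "any spam at all is a signal" rule from the steps above can be written down as a small check. This is an added example, not EmailAlias.io's code or API; the alias names, domains, record format and per-tier actions are constructed assumptions.

```python
from dataclasses import dataclass

# Hypothetical registry: alias -> (tier, sender domains expected on that alias).
ALIASES = {
    "bank@family.example":    ("high", {"bank.example"}),
    "pension@family.example": ("high", {"pensionfund.example"}),
    "doctor@family.example":  ("mid",  {"clinic.example"}),
    "shop@family.example":    ("low",  set()),  # shared bulk alias, noise expected
}

@dataclass
class Finding:
    alias: str
    tier: str
    sender_domain: str
    action: str

def sender_domain(from_addr):
    return from_addr.rsplit("@", 1)[-1].strip().lower()

def is_expected(domain, expected):
    # Exact domain or a true subdomain; "bank-secure.example" does not match.
    return any(domain == e or domain.endswith("." + e) for e in expected)

def check_exposure(messages):
    """messages: iterable of (recipient_alias, from_address) pairs.
    Note: From can be spoofed; a real check would also require the
    message to pass SPF/DKIM/DMARC for the expected domain."""
    findings = []
    for rcpt, from_addr in messages:
        entry = ALIASES.get(rcpt.lower())
        if entry is None or entry[0] == "low":
            continue  # unknown recipient or bulk alias: not an exposure signal
        tier, expected = entry
        dom = sender_domain(from_addr)
        if not is_expected(dom, expected):
            action = ("rotate alias, notify provider" if tier == "high"
                      else "review at monthly audit")
            findings.append(Finding(rcpt.lower(), tier, dom, action))
    return findings

# Constructed sample traffic, not real mail.
SAMPLE = [
    ("bank@family.example", "alerts@bank.example"),
    ("pension@family.example", "support@pensionfund-secure.example"),
    ("doctor@family.example", "promo@retailer.example"),
    ("shop@family.example", "deals@retailer.example"),
    ("bank@family.example", "noreply@mail.bank.example"),
]

if __name__ == "__main__":
    for f in check_exposure(SAMPLE):
        print(f)
```

Because each high-value alias is known to exactly one organisation, an unexpected sender on it identifies which organisation leaked the address.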
What changed
The financial-phishing volume to Margaret's primary Gmail dropped to effectively zero within six weeks. The scams that used to convincingly mention her bank by name now arrive at a Gmail address that is no longer the one her bank has on file, which makes them obviously fake to her, where before they were genuinely difficult to distinguish.
Six months after the migration, one of her high-value aliases — the pension fund — received a single phishing email. It was specifically targeted, using her name, knowing she was retired and a widow. She forwarded it to her daughter; her daughter contacted the pension fund (who confirmed a small data leak via their member-services portal), and the pension fund issued a public notice. Margaret rotated that alias and the issue was over. The same email landing on her primary Gmail, two years earlier, might have been the start of a $47K conversation.
The biggest change for her isn't financial — it's emotional. She no longer braces every time she opens her inbox. The trust she had in email when she set up her account in 2009 is back, because the aliases do the work of distinguishing real mail from fake mail before it reaches her.
What this would have cost without aliases
The headline number — $47K average loss per retiree-victim, multiplied by the rate at which retirees in Margaret's threat profile get successfully targeted (roughly 1 in 12 over a 5-year window based on the IC3 dataset) — works out to an expected loss of nearly $4,000 per year of unprotected exposure for her demographic. The full lifetime cost of EmailAlias.io Premium ($48/year) is less than 2% of that expected loss. The risk-adjusted return on an email alias for retirees is one of the strongest privacy investments measurable.
Beyond the dollar figure, scam losses for retirees frequently trigger downstream costs that don't show up in the IC3 report: depleted retirement savings that force a return to part-time work, family relationships strained by loss attribution, mental-health impact from being targeted. The losses that are recoverable financially are often not recoverable in those other dimensions. Aliases are upstream prevention, which is always cheaper than recovery.
What she tried first
Margaret's first attempt at addressing the phishing problem was the obvious one: marking each phishing email as spam in Gmail. That filtered known senders but not the constantly-rotating new ones. Spam-marking is a reactive tool against an opponent who iterates faster than the filter learns. It was never going to work as her primary defense, and it didn't.
Her daughter suggested switching to a new Gmail address entirely — a fresh start with no prior exposure. They considered it briefly and rejected it: changing the email on 40+ accounts would have been a multi-day project, and the new Gmail would inevitably get exposed again over time as new services leaked. Aliases solved both problems simultaneously: per-service unique addresses meant any single leak was contained, and the migration was a one-time three-hour Saturday afternoon, not a 40-account multi-day project.
The day-2 operational reality
The day-2 reality for Margaret is that she barely interacts with the system at all. Her daughter checks the exposure-detection dashboard once a month as part of their regular family-call routine; if anything's noisy, they discuss it together. Margaret herself sees only her primary inbox, which is now quiet enough that real bank alerts stand out clearly.
The setup intentionally puts the operational complexity on her daughter, not on Margaret. This is a common pattern for retiree alias setups: the technical layer is managed by an adult child or financial advisor; the retiree gets the benefit (clean inbox, obvious phishing) without the burden (dashboard auditing, alias rotation). For families where this kind of distributed management is realistic, it's a strong model.
Lessons for setting this up yourself
- Have a tech-comfortable family member or financial advisor co-manage the alias system. Many retirees will not maintain a complex setup alone.
- Tier aliases by risk. High-value financial accounts get unique aliases; low-value retail can share a single bulk alias.
- Set the destination inbox to one with hardware 2FA. Aliases are only as secure as where they forward to.
- Don't migrate everything at once. Top 5 high-value accounts first; the rest can wait or happen during the next monthly audit.
- Set up exposure-detection alerts that route to the co-manager, not the retiree. Signal-handling shouldn't be the retiree's job.
“I treat my bank's email address like I treat my house key — it goes to one place and one place only. The bank has its alias; nobody else has it.”
Frequently asked questions
Can a non-technical retiree use email aliases themselves?
If the setup is configured by someone else and the alerts route to that someone else, yes — the retiree just uses email normally, and the aliases work invisibly. The pattern most working families use is to have an adult child or financial advisor handle the configuration and monitoring; the retiree benefits without managing the system.
What if I forget which alias goes with which account?
The dashboard lists every alias with the label you (or your helper) assigned to it. The alias name itself (e.g. bank-anz@<domain>) is also self-documenting. The labeling and naming convention is the second-most-important setup decision after the domain choice.
Do I need to change my actual primary email address?
No. Aliases sit in front of your existing email address — your bank, doctor, etc. send mail to the alias, and the alias forwards to your real inbox. Your existing Gmail keeps working for personal correspondence; only the high-value accounts get migrated to aliases. The migration is additive, not destructive.
Help a parent or grandparent set this up in an afternoon
EmailAlias.io's free tier covers 10 aliases — enough for the high-value accounts. Premium adds custom domains and exposure detection for the whole stack.