Hacked web-based email accounts are nothing new, but I hadn’t encountered this particular trick before: on discovering that his email had been hacked, the victim changed all the passwords but still couldn’t get any email. Emails sent to his address didn’t bounce; they just disappeared.
Turns out that whoever compromised his email account added a rule: if any incoming email contained his email address in the To: or CC: field, it deleted it.
Clever.