As a general rule, force users to confirm email address changes via an extra step in which a
confirmation link is sent to the user. To enable this, tick the emailchangeconfirmation checkbox in
Settings > Site administration > Security > Site policies.