From then on, every question in your signup process for the attacker's service is actually a password reset question from your email provider.
Sadly, it's quite clever.
I've been very distrustful of security questions ever since someone pointed out to me that they're essentially plain text passwords with a clue provided.