Real Password Reset Email vs Password Reset Phishing
Distinguish a genuine password reset email from a phishing email designed to steal your credentials.
Last reviewed: 1 June 2026
Password reset emails are ordinary and mostly harmless, and receiving one does not mean you have been hacked. A genuine reset arrives right after you asked for it, comes from the service's own domain, asks only that you choose a new password, and gives you a modest window such as thirty or sixty minutes in a neutral, unexcited tone. Reset phishing is effective because it borrows the language of protection. It arrives unrequested, tells you someone has been trying to get into your account, and offers a button that feels like the responsible thing to press. The distinction to hold on to is that a genuine reset never asks for your current password, and you never need the emailed link at all in order to secure an account.
Side-by-side comparison
| Real password reset | Reset phishing | |
|---|---|---|
| Trigger | You requested it, or a legitimate security system detected unusual activity | Arrives without you requesting it, or claims unusual activity requiring immediate action |
| Sender domain | Exact official domain; no subdomains with random strings | Lookalike domain or a legitimate-looking display name hiding a different address |
| Link destination | Link goes to the service's own domain; visible on hover | Link goes to a lookalike domain or redirect service |
| Information requested | Only asks you to set a new password — no current password, no card details | Asks for current password, personal details, or payment to 'verify identity' |
| Expiry | Link expires in a fixed window (typically 30–60 minutes) with a neutral tone | Extreme urgency; threatens account deletion if not acted on within minutes |
Common red flags
- Reset email you did not request, combined with urgency
- Sender domain is a slight variation of the real service
- Link URL on hover shows a different domain
- Request for your current password to confirm identity
- Threat to permanently delete your account if you do not act immediately
Verification steps
- If you did not request a reset, ignore the email and log into the account directly to check security
- Hover over the reset link before clicking to verify the destination domain
- If you did request a reset, navigate to the service directly and initiate a fresh reset rather than clicking the email link
- Enable multi-factor authentication on important accounts to limit the impact of stolen passwords
What not to do
- Don't click a reset link in an email you didn't request without verifying the domain
- Don't enter your current password on any page reached from a reset email
- Don't ignore an unsolicited reset — change your password directly as a precaution
A safe response
Take the pressure out first, because an unrequested reset email cannot change anything on its own. Leave it alone, open the service by typing its address or using the official app, and sign in normally. From there, change your password and turn on two-factor authentication. If your sign-in fails, use the reset flow you started yourself from that page. If you already entered details on a linked page, change that password immediately everywhere you reused it, then check the account for new forwarding rules or recovery addresses and remove anything you do not recognise. If payment details are involved, ring your bank on the number on your card.
Frequently asked questions
I keep getting reset emails I never asked for. Is my account under attack?
Repeated resets usually mean either someone is entering your email address into the login page, or you are being sent phishing in bulk. Neither changes your password by itself. Sign in directly, change your password to something unique, and enable two-factor authentication, which stops a stolen password on its own from being enough. Check the account's recent activity too. If the flood continues, most services have a way to report it from inside your account settings.
I clicked the link and typed my old password before I realised. What now?
Move quickly and calmly. Go to the real site yourself and change that password, then change it anywhere else you used the same one, because reuse is what turns one leak into several. Turn on two-factor authentication, then look for anything added to the account: new recovery emails, forwarding rules, linked devices, or app passwords. Remove what you do not recognise. If financial accounts share that password, tell your bank as well.
Should I be worried if I receive a reset email I didn't request?
Treat it as a signal that someone attempted to access your account. Change your password directly via the official site and enable two-factor authentication. Do not click the link in the email.