Account Recovery Fraud
An attack that exploits a service's account-recovery mechanisms — such as security questions, backup email, or customer-support calls — to gain access without the real credentials.
Also known as: account recovery hijack, support social engineering
Last reviewed: 10 June 2026
Account recovery systems are designed to help legitimate users who forget their passwords, but they create an alternative access path that criminals can exploit. Security questions (mother's maiden name, first pet, hometown) are particularly weak because the answers are often publicly available on social media or in data-broker records. Customer-support agents, trained to be helpful, can sometimes be social-engineered into bypassing standard verification.
High-profile account compromises have been achieved purely through social engineering of support staff: providing enough personal information to pass identity verification questions and requesting a password reset to an attacker-controlled email address. SMS-based recovery codes are also vulnerable to SIM-swapping. On some platforms, an attacker who briefly obtains normal access can add a 'trusted recovery contact' and then use that backdoor later, long after the original access has ended.
Consumers can improve recovery security by using made-up, memorable answers to security questions (treating them as additional passwords), ensuring recovery email addresses and phone numbers are themselves strongly secured, and enabling alerts for any account-recovery activity. Removing a phone number from recovery options on high-value accounts and relying on backup codes instead reduces SIM-swap recovery risk.
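The 'add a recovery contact now, use it later' pattern and the advice to alert on any recovery activity can both be checked against an account audit log. The following is an added example, not part of this entry or of any vendor's product; the event names, accounts and contacts are constructed sample data, and the 30-day window is an assumed threshold.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real service):
# (timestamp, account, event, detail). Contacts use the reserved .invalid TLD.
EVENTS = [
    ("2026-06-01T09:00:00", "alice", "login", "known-device"),
    ("2026-06-01T09:05:00", "alice", "recovery_contact_added", "mail-a@example.invalid"),
    ("2026-06-10T02:13:00", "alice", "reset_via_recovery", "mail-a@example.invalid"),
    ("2026-03-03T11:00:00", "bob", "recovery_contact_added", "old-bob@example.invalid"),
    ("2026-06-20T15:00:00", "bob", "reset_via_recovery", "old-bob@example.invalid"),
    ("2026-06-05T08:00:00", "carol", "reset_via_recovery", "+1-555-0100"),
]

RECOVERY_EVENTS = {"recovery_contact_added", "reset_via_recovery"}


def parse(events):
    """Convert ISO timestamps to datetimes and order events chronologically."""
    rows = [(datetime.fromisoformat(ts), acct, ev, d) for ts, acct, ev, d in events]
    return sorted(rows)


def recovery_activity(events):
    """Every recovery-related event per account: the feed that an
    'alert me on any account-recovery activity' setting would notify on."""
    out = defaultdict(list)
    for ts, acct, ev, detail in parse(events):
        if ev in RECOVERY_EVENTS:
            out[acct].append((ts.isoformat(), ev, detail))
    return dict(out)


def suspicious_resets(events, window=timedelta(days=30)):
    """Flag resets routed through a recovery contact added less than `window`
    earlier (contact planted during normal access, used later), and resets
    through a contact the log never saw being added."""
    added = {}  # (account, contact) -> time the contact was registered
    flagged = []
    for ts, acct, ev, detail in parse(events):
        if ev == "recovery_contact_added":
            added[(acct, detail)] = ts
        elif ev == "reset_via_recovery":
            when = added.get((acct, detail))
            if when is None:
                flagged.append((acct, detail, "unknown_contact"))
            elif ts - when < window:
                flagged.append((acct, detail, "recently_added_contact"))
    return flagged


if __name__ == "__main__":
    for item in suspicious_resets(EVENTS):
        print("ALERT", item)
```

Bob's reset is not flagged because his contact was registered well outside the window; tuning that window is a per-service decision.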