Fake Bank Password Reset Phishing
Criminals send emails or texts mimicking bank password-reset notifications, claiming the victim's online banking password was just changed by an unknown device and instructing them to click a link to 'undo the change' — delivering them to a credential-harvesting page.
Part of: Fake Password Reset Scams
Last reviewed: 7 June 2026
Banks send genuine password-change confirmation emails as a security measure, alerting customers when their password is updated. Fraudsters copy the format of these notifications exactly, except that instead of confirming a change the victim made, the message claims an unauthorised change just occurred and provides a link to revert it.
The psychological trigger is different from a typical phishing email: the victim is not asked to log in for a positive benefit, but to undo a harmful action that supposedly already happened. This creates alarm rather than curiosity, and alarm causes faster, less careful clicking. The victim feels they must act immediately to prevent permanent access loss.
The fake 'undo' or 'secure my account' link leads to a bank-branded phishing page that asks for the current username and password, ostensibly to verify identity before reverting the change. Some pages then ask for the new password 'to ensure continuity' — providing the attacker with both the old and new credentials simultaneously.
How this scam works on the Your Bank brand
Real bank password-change notifications are purely informational — they do not contain a link to undo the change. If you did not make a password change and receive a genuine notification, the correct action is to call your bank directly or visit the branch, not to click a link in the notification.
Fake notifications are often sent as SMS messages because SMS spoofing can make them appear in the same thread as genuine bank messages. The message may include the last four digits of the victim's account number — information available from prior data breaches — to add authenticity.
Some sophisticated campaigns follow up the fake SMS with an automated phone call from a spoofed bank number, saying 'We detected an unusual password change — please stay on the line for a security specialist.' The combined pressure of an official-looking text and a live call substantially increases victim compliance.
Common red flags
- Notification claiming your bank password was just changed, with a link to undo it
- Sender address or SMS shortcode does not match your bank's known contact details
- Link in the message goes to a domain other than your bank's official website
- A follow-up call comes immediately after the text, maintaining urgency
- The page you reach via the link asks for your current or new password
- Notification arrived at an unexpected time — middle of the night, before business hours
- You cannot find a corresponding security alert when you log in to the bank app directly
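As an added example (not part of the original page), the two link-related red flags above, a password-change notice carrying an action link and a link whose host is not the bank's own domain, expressed as a check over constructed sample messages; the bank domain yourbank.com and the message texts are assumptions:

```python
import re
from urllib.parse import urlsplit

# Constructed sample messages for illustration; not real bank or scam texts.
SAMPLES = {
    "genuine": "Your Bank: your online banking password was changed. "
               "If this wasn't you, call the number on the back of your card.",
    "smish": "Your Bank alert: password changed from an unknown device. "
             "Undo this change now: http://yourbank.com.secure-reset.example/undo",
    "userinfo": "Secure my account: https://yourbank.com@login-verify.example/reset",
}

URL_RE = re.compile(r"(?:https?://|www\.)\S+", re.IGNORECASE)
# Wording the page describes on fake 'revert the change' links.
ACTION_WORDS = ("undo", "revert", "secure my account", "verify")


def link_host(url: str) -> str:
    """Host the link actually resolves to, ignoring decoy text before '@'."""
    if not url.lower().startswith(("http://", "https://")):
        url = "http://" + url
    # urlsplit treats anything before '@' as userinfo, so the bank-looking
    # prefix in 'https://yourbank.com@login-verify.example' is not the host.
    return (urlsplit(url).hostname or "").rstrip(".")


def is_official(host: str, official: str) -> bool:
    """True only for the bank's domain itself or a subdomain of it."""
    return host == official or host.endswith("." + official)


def check_notification(text: str, official_domain: str) -> list[str]:
    """Return the red-flag reasons triggered; an empty list means none did."""
    flags = []
    urls = [u.rstrip(".,)") for u in URL_RE.findall(text)]
    lowered = text.lower()
    if urls and "password" in lowered and any(w in lowered for w in ACTION_WORDS):
        flags.append("password-change notice contains an action link")
    for u in urls:
        host = link_host(u)
        if not is_official(host, official_domain):
            flags.append(f"link host {host!r} is not {official_domain!r}")
    return flags
```

A genuine notification has no link at all, so it produces no flags; both constructed fakes are caught by the host check even though each contains the string yourbank.com.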
How to protect yourself
- Do not click any link in a password-change notification — log in to your bank directly to verify
- Call your bank's fraud line using the number on the back of your card if you are concerned
- Change your actual online banking password immediately if you did not initiate the change
- Enable security alerts through your bank's official app so you see real changes in real time
- Use a password manager to generate and store a unique, strong password for online banking
- Enable two-factor authentication on your bank account so that stolen credentials alone are not enough to log in
- Forward suspicious SMS messages to 7726 (SPAM) in the US and UK
How to report it
- Call your bank's fraud line using the number on the back of your card
- Forward smishing texts to 7726 (SPAM) in the US and UK
- Report phishing emails to your bank's security team (address listed on the bank's official website)
- Report to the FTC at reportfraud.ftc.gov or Action Fraud at actionfraud.police.uk
- Submit the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish/
Frequently asked questions
What does a genuine bank password-reset notification contain?
A real bank password-change notification confirms a change that has already been made and typically advises you to call the bank if you did not make the change. It does not contain a clickable 'undo' link — banks want you to call them, not click an email link, for security reasons.
If I receive an unexpected bank password-change notice, does that mean I was hacked?
It may mean someone obtained your username and password and changed it, or it could be a fake notification. Log in to your bank through the official app or website immediately. If access is blocked, call the bank — do not click any link.
How can SMS messages appear in my real bank's text thread?
SMS spoofing allows attackers to set the sender name to a bank's display name (e.g. 'HSBC' or 'Lloyds'), which phones display in the same conversation thread as real messages from that sender. The thread position does not guarantee authenticity.