Fake Revolut Password Reset Phishing
Criminals send emails mimicking Revolut's password-reset notification format, claiming the victim's PIN or passcode was just changed and providing a link to 'undo the change' that leads to a credential-harvesting page masquerading as the Revolut app login.
Last reviewed: 7 June 2026
Revolut uses a combination of a PIN, biometric authentication, and device-specific login rather than a traditional username and password. Phishing campaigns targeting Revolut users often mimic the format of security-change notifications, which Revolut does send when account settings are updated, to create a pretext for clicking a reversal link.
The fake email states that the account's PIN or security settings were changed from a new location and that if the victim did not authorise this change, they should immediately click a link to undo it. The alarm this creates — particularly the implication that someone has already changed the PIN — motivates rapid action without careful verification.
The destination page is a realistic replica of Revolut's app login flow, presented in a browser, that asks the victim to enter their phone number, then the code Revolut sends, and then to set a 'new PIN' to restore access. Each step harvests a different piece of information, and the sign-in code step gives the attacker simultaneous access to the real account.
How this scam works on the Revolut brand
Revolut's actual security-change notifications are sent from @revolut.com and reference the device name where the change was made. Revolut's primary authentication is device-based: losing or resetting access on one device is managed through a re-verification flow within the app itself, not through a clickable email link.
The fake notifications often contain the victim's first name, sourced from a prior data breach. This personalisation makes the alert feel targeted and genuine. The email may also include a location reference (e.g. 'from a device in a specific city') — details sometimes inferred from IP-address geolocation data.
Some campaigns follow up the fake email with a fake SMS claiming the PIN change has already taken effect and that immediate action is required. This multi-channel pressure reduces the victim's time to think and verify through the official app.
Common red flags
- An email claiming your Revolut PIN or passcode was changed, with a link to reverse the change
- Sender address is not @revolut.com
- The reversal link does not go to app.revolut.com or revolut.com
- You are asked to enter your phone number and an OTP from Revolut on a page reached from the email
- A 'new PIN' entry step that claims to restore access — this is credential collection
- A follow-up SMS pressing you to act within minutes or 'lose permanent access'
- No corresponding change notification appears in the Revolut in-app activity log
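The sender, link, and pretext red flags above can be checked mechanically during mail triage. The following is an added example, not code from Revolut or from this page; the function names, flag labels, and both sample messages (including the `.example` domains and the `no-reply` mailbox) are constructed for illustration, and the allowed hosts are exactly the ones this page names.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

SENDER_DOMAIN = "revolut.com"                    # sender domain named on this page
LINK_HOSTS = {"revolut.com", "app.revolut.com"}  # link hosts named on this page
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
PRETEXT_RE = re.compile(r"\b(PIN|passcode)\b[^.]*\bchanged\b", re.I)

def body_text(msg):
    """Concatenate every text/* part, decoding transfer encodings."""
    chunks = []
    for part in msg.walk():
        if part.get_content_maintype() == "text":
            data = part.get_payload(decode=True) or b""
            chunks.append(data.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)

def red_flags(raw_email):
    """Return the red flags from the list above found in one raw message."""
    msg = message_from_string(raw_email)
    flags = []
    # A From header can be forged, so a match proves nothing; only a mismatch is a signal.
    sender_host = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if sender_host != SENDER_DOMAIN:
        flags.append("sender-not-revolut")
    text = body_text(msg)
    # Compare the parsed hostname, never a substring of the URL, so that
    # "revolut.com" in the userinfo part or as a left-hand label does not pass.
    hosts = {(urlsplit(u).hostname or "").rstrip(".") for u in URL_RE.findall(text)}
    for host in sorted(hosts - LINK_HOSTS):
        flags.append("link-off-domain:" + host)
    if hosts and PRETEXT_RE.search(text):
        flags.append("pin-change-with-link")
    return flags

# Constructed sample messages (not real captures).
PHISH = """\
From: Revolut Security <security@revolut-alerts.example>
Subject: Your PIN was changed

<p>Hi Alex, your PIN was changed from a new device.</p>
<a href="https://revolut.com@undo-change.example/login">Undo the change</a>
<a href="https://app.revolut.com.undo-change.example/">Open app</a>
"""
GENUINE = ("From: Revolut <no-reply@revolut.com>\nSubject: Passcode changed\n\n"
           "Your passcode was changed on Alex's iPhone. Review it in the app.\n")
print(red_flags(PHISH), red_flags(GENUINE))
```

A message that passes these checks is not thereby genuine; the in-app activity log remains the authoritative check.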
How to protect yourself
- Open the Revolut app directly to check whether any setting was genuinely changed
- Do not click any link in a Revolut security-change email — verify in the app first
- If you see an unauthorised change in the app, contact Revolut through in-app chat immediately
- Enable biometric authentication to make PIN theft alone insufficient to access your account
- Review your Revolut security log (Profile > Security) regularly for unexpected changes
- Check your Revolut linked email address is correct and secure — attackers may try to change it first
- Report suspicious emails to Revolut through in-app chat and to your national cybercrime unit
How to report it
- Report through Revolut in-app chat: Profile > Help > Chat with us
- In the UK, forward phishing emails to [email protected]
- Report to Action Fraud at actionfraud.police.uk (UK) or the FTC at reportfraud.ftc.gov (US)
- Submit the phishing domain to your national cybercrime reporting service
- If account changes were made, use the in-app dispute and account-lock features immediately
Frequently asked questions
Does Revolut send email notifications when your PIN is changed?
Revolut sends security-change notifications from @revolut.com for certain account changes. If you receive one and did not make the change, open the Revolut app immediately — do not click the email link — and check your security settings and activity log.
What should I do if I entered my phone number and OTP on a fake Revolut page?
Open the Revolut app and immediately review recent activity and linked devices. Remove any devices you do not recognise (Profile > Devices). Contact Revolut through in-app chat to report the compromise and request a security review.
Can Revolut access be restored without clicking an email link?
Yes. Revolut account recovery uses the official app and is guided through a secure in-app flow. If you are locked out of the app, contact Revolut through the support form at revolut.com — there is no need to click a link in an email.