Fake Spotify Password-Reset Phishing
Scammers send emails mimicking Spotify's password-reset notification to trick users into clicking a link that leads to a fake Spotify sign-in page harvesting account credentials.
Part of: Fake Password Reset Scams
Last reviewed: 7 June 2026
Spotify's password-reset email is a familiar format for millions of subscribers. When a reset is requested, Spotify sends a link to the registered email address that expires after a short time. Scammers replicate this format to send fake reset notifications that create two compelling reasons to act: either the reset is real and someone is attacking your account, or it is a mistake that must be corrected.
In both cases, the scammer's framing pushes the recipient toward clicking a link rather than going directly to the Spotify app or website. This click is the moment the credential harvest occurs.
Spotify accounts linked to social logins (Facebook, Google, Apple) add an extra layer of risk: a victim who enters their Google credentials on a fake 'Log in with Google via Spotify' page may lose access to far more than their music library.
How this scam works on the Spotify brand
Spotify sends genuine password-reset emails from [email protected] with a time-limited link pointing to spotify.com/password-reset. The email notes that if the user did not request a reset, they can ignore the email and their password will remain unchanged.
Fake reset emails deviate from this safe pattern. They add an urgent 'If this was not you, secure your account immediately' link that leads to a phishing page. Some versions send a fake reset email and then immediately send a 'new sign-in detected' email — a one-two combination designed to maximise anxiety and urgency.
After the victim enters their credentials on the fake sign-in page, they may be asked for their two-factor code if that feature is enabled on the account, then redirected to the real Spotify site to mask the theft.
Common red flags
- Sender is not [email protected]
- The email adds an urgent 'secure your account' call-to-action rather than simply saying to ignore the email if unintended
- The reset or secure-account link does not point to spotify.com
- No sign-in or reset activity appears in your Spotify account when checked directly
- The email arrived at an unusual time when you were not using Spotify
- A follow-up 'new sign-in' email from the same sender arrives moments later
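The first three red flags above can be checked mechanically against a raw email. This added example (not part of the original page) does so in Python over two constructed messages; the sender addresses, URLs and token in it are placeholders, and the domain test deliberately accepts only spotify.com and its true subdomains so that lookalike hosts such as spotify.com.<attacker-domain> do not pass.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from urllib.parse import urlparse

LEGIT_DOMAIN = "spotify.com"
# Urgent "secure your account" wording is the tell described above.
URGENCY = re.compile(r"secure your account (immediately|now)", re.I)
HREF = re.compile(r'href="([^"]+)"', re.I)

def is_legit_host(host):
    """Exact match or a true subdomain only; a plain substring test would
    accept lookalikes such as spotify.com.<attacker-domain>."""
    host = (host or "").lower()
    return host == LEGIT_DOMAIN or host.endswith("." + LEGIT_DOMAIN)

def red_flags(raw_message):
    """Return the names of the red flags triggered by one raw RFC 5322 email."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []
    sender = parseaddr(msg.get("From", ""))[1]
    if not is_legit_host(sender.rpartition("@")[2]):
        flags.append("sender-domain")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    if any(not is_legit_host(urlparse(u).hostname) for u in HREF.findall(body)):
        flags.append("offsite-link")
    if URGENCY.search(body):
        flags.append("urgency-cta")
    return flags

# Constructed samples; sender addresses are placeholders, not Spotify's real ones.
PHISH = """From: Spotify Security <no-reply@spotify-alerts.example>
Subject: Reset your Spotify password
Content-Type: text/html

<p>We received a request to reset your password.</p>
<p>If this was not you, <a href="https://spotify.com.verify-login.example/reset">secure your account immediately</a>.</p>
"""

GENUINE = """From: Spotify <no-reply@spotify.com>
Subject: Reset your Spotify password
Content-Type: text/html

<p><a href="https://www.spotify.com/password-reset/?token=PLACEHOLDER">Reset password</a> (expires shortly).</p>
<p>If you did not request this, ignore this email; your password stays unchanged.</p>
"""

if __name__ == "__main__":
    for name, raw in (("phish", PHISH), ("genuine", GENUINE)):
        print(name, red_flags(raw))
```

The fourth and fifth flags (no matching activity in the account, unusual timing) need the account itself and the recipient's context, so they are left to the manual checks listed above.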
How to protect yourself
- If you receive an unexpected Spotify reset email, go directly to spotify.com and change your password there — do not click the email link
- Check your Spotify account security settings at spotify.com/account for any unrecognised activity
- Link Spotify to a dedicated email address to reduce exposure to phishing
- Disconnect social logins from Spotify if you do not rely on them, to limit the blast radius of a compromised Spotify account
- Report any suspicious Spotify emails to [email protected]
How to report it
- Forward the phishing email to [email protected]
- Report to the FTC at reportfraud.ftc.gov (US) or to Action Fraud at actionfraud.police.uk (UK)
- Submit the phishing URL to Google Safe Browsing at safebrowsing.google.com/safebrowsing/report_phish
- If your account was accessed, change your Spotify password immediately and revoke app permissions at spotify.com/account/apps
Frequently asked questions
What should I do if I receive a Spotify password-reset email I did not request?
Go directly to spotify.com and change your password as a precaution — do not click the link in the email. A genuine reset link expires quickly and is harmless to ignore. Changing your password via the official site invalidates any reset link in circulation.
Are Spotify accounts linked to Google or Facebook at greater risk from this scam?
They can be. If the fake reset email or sign-in page requests Google or Facebook credentials rather than a Spotify-specific password, the attacker gains access to those broader accounts, not just Spotify. Always check the URL when completing a social login flow.
How do I verify that a Spotify security email is genuine?
Check the sender address — it should be [email protected]. Then log in to spotify.com directly to see if any security-relevant activity appears in your account settings. If nothing unusual is visible, the email was likely a phishing attempt.