Is it safe to click the link in an unexpected password-reset email?
An unexpected password-reset email you did not request may indicate someone is trying to access your account. Do not click the link — instead, log in directly through the official site and change your password from there.
Last reviewed: 10 June 2026
Explanation
Password-reset emails come in two categories: those you requested and those you did not. An unexpected reset email could mean several things: someone is testing your email address against accounts on the service, someone is actively attempting to take over your account, or in rare cases, it is a phishing email using the reset email format to harvest credentials.
Clicking a genuine reset link you did not request does not by itself cause harm, because completing the reset would require additional steps. The problem is distinguishing a genuine reset email from a convincing fake. Phishing emails mimicking password-reset notifications are extremely common and can be pixel-perfect copies of the real thing.
The safe response is to not click any link in the email. Instead, navigate directly to the service's official website or app, attempt to log in with your current credentials, and if successful, visit security settings to confirm no changes have been made. If the email was triggered by someone attempting to take over your account, your password should still work.
If you cannot log in using your current credentials, the account may already be compromised. Use the service's official account recovery process, not any link in an email, to regain access.
Common red flags
- You receive a reset email for a service you did not attempt to access
- The email comes from a domain that does not exactly match the service's official domain
- You receive multiple reset emails in succession — possibly an automated takeover attempt
- The 'from' address looks legitimate but clicking 'reply' shows a different address
- The email asks for more than just clicking — it requests your current password or security questions
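The domain and reply-address red flags above can be checked mechanically from the raw message. The following Python sketch is an added example, not part of the original guidance; the sample message is constructed, and `example.com` stands in for the service's official domain.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample (not a real email). example.com is the assumed official domain.
SAMPLE = """\
From: Example Support <security@example.com>
Reply-To: helpdesk@examp1e-support.test
Subject: Reset your password
Content-Type: text/html

<p>Click <a href="https://example.com.reset-login.test/r?t=abc">here</a> to reset.</p>
"""

def domain_of(header_value):
    """Return the lower-cased domain part of an address header."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()

def host_matches(host, official):
    """True only for the official domain itself or a real subdomain of it.
    A plain substring test would accept 'example.com.reset-login.test'."""
    host = host.rpartition("@")[2].lower().rstrip(".")
    return host == official or host.endswith("." + official)

def check_reset_email(raw, official_domain):
    """Return a list of red flags found in a raw, non-multipart email."""
    msg = message_from_string(raw)
    flags = []
    from_dom = domain_of(msg["From"])
    if not host_matches(from_dom, official_domain):
        flags.append("from-domain-mismatch")
    # A reply would go to Reply-To, not From, so compare the two domains.
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        flags.append("reply-to-differs")
    # Compare the real link targets, not the visible link text.
    body = msg.get_payload()
    for host in re.findall(r'href=["\']https?://([^/"\':?#]+)', body, re.I):
        if not host_matches(host, official_domain):
            flags.append("link-host-mismatch:" + host.lower())
    return flags

if __name__ == "__main__":
    for flag in check_reset_email(SAMPLE, "example.com"):
        print(flag)
```

An empty result does not prove the email is genuine, because the From header can be forged; logging in through the official site remains the safe route.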
What to do now
- Do not click the link in the email
- Go directly to the official site and log in with your current credentials
- If you can log in, check security settings for any unauthorised changes
- Change your password immediately to a strong, unique one
- Enable two-factor authentication if not already active
- If you cannot log in, use the official site's account recovery process
Frequently asked questions
I clicked the link but did not enter anything — is my account at risk?
If the link led to a genuine reset page and you did not complete the reset, your account password remains unchanged. If the link led to a phishing page and you entered information, change your password immediately and report the phishing site.
Should I be worried if I receive many reset emails for different accounts?
Multiple reset emails across services may indicate your email address is being used in automated credential-testing attacks, or that your data is in a breach database. Check your email in a breach notification service and enable two-factor authentication on key accounts.