Fake Password Reset Scams
Bogus 'reset your password' or 'unusual login' messages that capture credentials and codes.
Last reviewed: 1 June 2026
What this scam is
Fake password reset scams send messages that mimic the security notifications of banks, online platforms, and workplace services, claiming that you — or someone else — has requested a password reset, that an unusual login has been detected, or that your account needs verification. The messages link to a fake page or connect you with a caller who then extracts your current credentials, your new password, or the one-time code sent to your phone.
These scams are specifically designed to exploit the moments when you are most likely to act without thinking: when you are told there is a security threat to your account. The irony is that the very action the scam leads you to take — 'securing' your account — is what compromises it.
A particularly effective variant involves the attacker triggering a real password reset on the genuine site. Your real account then sends you a genuine one-time code. The scammer calls and asks you to read out the code 'to confirm you are the account owner' or 'to cancel the reset'. If you comply, they use the real code to complete the password reset and lock you out.
How it works
The most common route is a phishing message — email, SMS, or notification — claiming that suspicious activity has been detected on your account or that a password reset was requested. The message creates urgency: act now or your account will be locked, or the unauthorised access will continue.
A link leads to a page that looks identical to the real service's login. The page prompts you to enter your current credentials 'to verify your identity before resetting'. These are captured. The page then generates a fake 'code sent to your phone' screen and waits for you to enter the one-time code it claims to have sent — but which was actually triggered on the real site by the attacker in parallel. Entering the code hands the attacker everything they need.
In the phone call variant, a caller posing as a bank or platform representative says they have detected suspicious activity and need to verify your identity. They ask you to confirm your current password or to read out a code that 'we just sent you'. The code was sent by the genuine service because the attacker triggered a real reset or login attempt.
In both cases, the critical moment is the request for a one-time code. Codes are designed to be used only once and only by the person who owns the account. No legitimate organisation ever needs you to share or read out a code to them.
Why this scam works
The scam exploits a genuine security context — password resets and unusual login alerts are real things that happen. When you receive what looks like one of these notifications, the trained response is to act on it quickly to protect your account.
The one-time code trick is especially powerful because the code is genuine — it was sent by the real service. You hold something legitimate in your hands, which makes the scenario feel credible. The framing that sharing the code 'cancels' the threat reverses the actual meaning of the action: sharing the code is what enables the threat, not what stops it.
The urgency of the scenario suppresses the pause that might otherwise lead you to question the request. A window closing, an account being locked, or an unauthorised login continuing all create pressure to comply first and think second.
A typical pattern
A person receives a text message saying their bank account has been accessed from an unrecognised location and to click a link to secure it. Moments later, they receive a real one-time code from their bank. Then their phone rings — a caller saying they are from the bank's fraud team. The caller says the code was sent to verify the person's identity before blocking the fraudulent access. The person reads out the code. The caller uses it in real time to reset the account password and gain access.
Common red flags
- A password reset or security alert you did not initiate
- Request for your current password to 'verify your identity'
- Someone asking you to share or read out a one-time security code
- Claim that sharing a code will 'cancel' or 'block' a reset you did not request
- Login or reset alert followed immediately by a phone call asking for verification
- Link to a login page on a non-official domain
- Pressure to act within minutes before the threat escalates
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
We detected a login from a new device. To secure your account, confirm the 6-digit code we just sent you.
Unusual login attempt detected. Click here to verify your identity and secure your account: [fake link].
A password reset was requested for your account. If this wasn't you, call [phone number] immediately.
Security alert: Your account has been compromised. Enter your current password here to protect it: [fake link].
This is the fraud team. We need to verify your identity. Can you please read out the code we just sent to your phone?
Your account password will be reset in 10 minutes. If you did not request this, click here to cancel: [fake link].
Common variations
- Phishing page variant — link leads to a fake login page requesting credentials
- Real code phone variant — attacker triggers a genuine reset and calls to collect the code
- Code cancellation trick — scammer claims sharing the code will block the reset
- Fake unusual login SMS — smishing message with link to fake verification page
- Reverse social engineering — victim calls the 'support number' on the fake alert and is led through the same process
- Workplace account variant — targets company login credentials using fake IT security alerts
How to verify before you act
The universal rule is: never share a one-time code with anyone who asked you for it. One-time codes are generated for you to use yourself, not to read out to another person. No bank, platform, or support team has a legitimate reason to ask for your code.
If you receive a password reset notification you did not initiate, go to the service directly — not via the link in the message — and change your password from a known-good page. If a reset was triggered without your knowledge, this is a sign someone may have your email address and is probing accounts, which warrants reviewing your security across platforms.
If you receive a phone call immediately after receiving a one-time code, treat this as a strong signal that the call is fraudulent. The coincidence of a code arriving at the same moment a caller appears is not a coincidence — the caller triggered the code.
Verify any security alert by logging into the service directly using a bookmark or typed address.
Payment methods used
- Account takeover leading to financial theft or identity fraud
Who is usually targeted
- Account holders of all platforms — banking, email, social media, and workplace services
What to do immediately
- Never share a one-time code with anyone — hang up or close the message
- Go to the service directly using a bookmark or typed address to check whether any action is actually needed
- If you shared a code, change your password on the real service immediately from a clean device
- Check your account for any unauthorised changes — new recovery addresses, forwarding rules, new payees
- Enable app-based two-factor authentication to replace SMS-based codes where possible
- Report the incident to the platform and to your national fraud reporting body
How to prevent it
- Never share or read out a one-time code to anyone under any circumstances
- Go directly to a service via its official app or typed address — never via a link in a security alert
- Treat any call that arrives immediately after receiving a one-time code as fraudulent
- Enable app-based or hardware 2FA, which is harder to relay in real time
- Use a password manager so you cannot be tricked into entering credentials on a fake page
- Regularly review your account recovery settings and remove unrecognised entries
Evidence to preserve
- The full message and sender details
- The URL of any page you were directed to
- The phone number of any caller
- Screenshots of the fake page or messages
- Account activity logs showing recent access
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Should I ever share a one-time code?
No. One-time codes are for you alone. No legitimate company, bank, or support agent needs you to read out a code — anyone asking is trying to take over your account.
I received a real code from my bank — could that mean the alert was genuine?
The code being real does not make the caller genuine. Scammers trigger real codes from real services and then call to collect them. A code from your bank is only for you to use on the bank's own site.
What if I enter my current password on a 'verification' page?
Change your password on the real service immediately, using a bookmark or typed address — not any link. Enable two-factor authentication. Check for unauthorised activity on the account.
I initiated a real password reset — could messages about it be scams?
A genuine reset email from a service you contacted contains a link to their real domain. The test is to check the domain in the link carefully before clicking. Even then, navigating directly rather than via the link is safer.
How is this different from regular phishing?
The distinguishing feature is the exploitation of your own one-time codes — either by capturing them via a fake page or by calling to collect them after triggering a real one. The code-sharing element is specific to this attack type.
I shared a code and now I am locked out — what should I do?
Use the service's account recovery process immediately. Report to the platform's support team, your bank (if financial accounts are involved), and your national fraud reporting authority. Act quickly — accounts can be used or sold within minutes of takeover.