Fake Password Reset Scams
Bogus 'reset your password' or 'unusual login' messages that capture credentials and codes.
Last reviewed: 1 June 2026
What this scam is
Fake password reset scams send messages claiming that you requested a password reset or that there was an unusual login. The message links to a fake page that captures your current password and any one-time code, enabling account takeover.
How it works
You receive a 'reset your password' or 'verify this login' message. The fake page it links to asks for your existing credentials and a code. Sometimes the scammer triggers a real reset and asks you to read out the code 'to cancel it'.
Common red flags
- Reset/login alerts you didn't initiate
- Requests for your current password or a one-time code
- Someone asking you to read out a code 'to cancel' a reset
- Links to non-official domains
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
We detected a login from a new device. To secure your account, confirm the 6-digit code we just sent.
Payment methods used
- Account takeover
- Downstream theft
Who is usually targeted
- Account holders of all kinds
What to do immediately
- Never share one-time codes with anyone, ever
- If unsure, go to the service directly and reset from there
- Enable app-based 2FA and review account security
Evidence to preserve
- The message and link
- Sender/caller details
- Screenshots
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
Should I ever share a one-time code?
No. One-time codes are for you alone. No legitimate company, bank, or support agent needs you to read out a code — anyone asking is trying to take over your account.