Detecting Fake Account Recovery Emails

Account Recovery Phishing is a type of attack used by scammers to gain unauthorized access to user accounts. Attackers send emails or text messages claiming that you need to reset your password or provide personal information to verify your account. These account recovery messages and websites often appear to come from genuine companies, but if you look closely, they are fake.  

Kasada, a cybersecurity company specializing in account-takeover attacks, observed in its 2025 report, “a 250% increase in account takeover attacks […] resulted in over 6 million compromised accounts, affecting large brands across several industries, including retail, hospitality, travel, entertainment, and food and beverage.” While not all these attacks involved Account Recovery Phishing, this highlights the growing risk of account compromise, including threats that exploit password reset flows. The FBI reported in a recent Security Alert that account takeover fraud has already caused losses exceeding US$262 million in 2025.  

Why Is This Relevant?  

The holiday season creates prime opportunities for cybercriminals to launch phishing attacks. During this time, people’s attention and online activity change significantly. Many spend more time shopping online, logging in to banking apps, delivery services, and social media, making each login a potential target. 

Additionally, holiday activities such as shopping, travel, and family gatherings make people busier and more stressed, increasing the likelihood of overlooking warning signs in emails.  

Common Signs of an Account Recovery Phishing Attempt 

Phishing emails are designed to look like official communications from trusted sources, but there are usually clues that reveal they are fake. These are some of the most common signs of a phishing attempt that targets your password: 

1. Receiving an unsolicited password recovery request by email or text, asking you to reset a password when you did not initiate a reset yourself, is the main warning sign. These messages may also claim your account has been compromised or that your password will expire soon. 

2. Account recovery emails that use generic greetings such as “Dear User” or “Dear Customer” instead of your name are suspicious. Legitimate companies typically have your contact details and will address you by your name for more personal communication. 

3. The use of urgent or threatening language can create panic and push you to act quickly without carefully verifying the message. Legitimate companies will not demand urgent action on this type of message. If you feel rushed or pressured, stop and evaluate the situation carefully. 

4. Account recovery emails that include suspicious attachments are a clear sign that something is not right. Legitimate password reset notifications typically do not include attachments, so any email with them should be treated with caution, as it may contain malware. 

5. The sender’s email address does not match the company domain, which is typically an indicator that the message is fake. Password reset messages are only sent from verified company domains. 

6. Misaligned logos, incorrect brand colors, low‑resolution images, or anything that looks unfamiliar are signs of fraudulent emails or websites. 

How to Protect Yourself  

A password reset request is a critical security measure and should not be taken lightly or ignored. If a security-related communication is received, it should be reviewed carefully. The following are tips to verify the authenticity of this type of notification, and additional advice to be better protected. 

1. Verify The Email Domain. 

When receiving a password reset notification, pause and verify that the sender’s email address is authentic and comes from the expected source. For example, Microsoft will not send emails from a Gmail account. Also, watch for subtle changes in the domain or intentional misspellings. For example, support@google.com is not the same as support@googIe.com, where the lowercase “l” is replaced by an uppercase “i”. Adding hyphens and dots to a brand name is also a common way to trick the user. 

2. Look Closely at The Link. 

Cybercriminals often hide malicious links behind buttons or text. Hover over links without clicking to reveal the actual URL and inspect it closely to see where it really leads. Another tactic to hide links is the use of URL shorteners. Genuine companies typically do not use shortened URLs for password reset links, so be cautious. 

Even better, avoid clicking the link at all. Instead, go directly to the website or open the service’s application and request a new password through the official “Forgotten password” feature. 
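The warning signs listed under “Common Signs” and the domain and link checks in the two tips above can be turned into a simple triage script. The following is an added example written for this article (it is not code from Safeguards Consulting or from any mail provider). It assumes the email claims to come from google.com, uses a constructed fake reset message and a constructed legitimate one, and the look-alike character map, URL-shortener list and keyword lists are assumptions chosen for the demo, not an exhaustive rule set.

```python
"""Heuristic triage of a suspected account-recovery phishing email.

Added example; every message and list below is constructed for the demo.
Checks: generic greeting, urgent language, attachments, sender-domain
mismatch (incl. look-alike characters and brand names padded with
dots/hyphens), link text that disagrees with the real destination, and
links routed through URL shorteners.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

EXPECTED_DOMAIN = "google.com"  # assumption: brand the email claims to be from

# Constructed fake reset email; note the capital "I" in googIe.com.
SAMPLE_EMAIL = {
    "from": "Google Support <support@googIe.com>",
    "subject": "URGENT: your account will be suspended in 24 hours",
    "attachments": ["reset_form.html"],
    "body_html": (
        "<p>Dear Customer,</p>"
        "<p>We detected unusual activity. Reset your password immediately: "
        '<a href="https://bit.ly/3xyzabc">https://accounts.google.com/reset</a></p>'
    ),
}

# Constructed legitimate notification for comparison.
LEGIT_EMAIL = {
    "from": "Google <no-reply@accounts.google.com>",
    "subject": "Your password was changed",
    "attachments": [],
    "body_html": (
        "<p>Hi Alex,</p><p>Your password was changed. If this was not you, "
        'recover your account from <a href="https://accounts.google.com/settings">'
        "accounts.google.com</a>.</p>"
    ),
}

URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
GENERIC_GREETINGS = ("dear user", "dear customer", "dear member", "dear account holder")
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "will expire")
# Look-alike sequences folded to their plain form (applied before lower-casing
# so that an uppercase "I" standing in for "l" is caught). Heuristic only.
CONFUSABLES = {"I": "l", "1": "l", "0": "o", "rn": "m", "vv": "w"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(body_html):
    parser = _LinkCollector()
    parser.feed(body_html)
    return parser.links


def sender_domain(from_header):
    """Return the domain part of the address in a From: header."""
    match = re.search(r"<([^>]+)>", from_header)
    addr = match.group(1) if match else from_header.strip()
    return addr.rsplit("@", 1)[-1].strip()


def normalize_domain(domain):
    """Fold look-alike characters, then lower-case: googIe.com -> google.com."""
    for lookalike, plain in CONFUSABLES.items():
        domain = domain.replace(lookalike, plain)
    return domain.lower()


def same_site(domain, expected):
    """True for the expected domain or one of its subdomains."""
    return domain == expected or domain.endswith("." + expected)


def check_domain(domain, expected, what):
    """Return a finding for a domain that is not the expected site, else None."""
    if same_site(domain.lower(), expected):
        return None
    if same_site(normalize_domain(domain), expected):
        return f"{what} domain {domain!r} uses look-alike characters for {expected!r}"
    brand = expected.split(".")[0]
    if brand in re.sub(r"[.-]", "", normalize_domain(domain)):
        return f"{what} domain {domain!r} embeds the brand name but is not {expected!r}"
    return f"{what} domain {domain!r} does not match {expected!r}"


def analyze(email, expected=EXPECTED_DOMAIN):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    finding = check_domain(sender_domain(email["from"]), expected, "Sender")
    if finding:
        findings.append(finding)
    body = re.sub(r"<[^>]+>", " ", email["body_html"]).lower()
    if any(g in body for g in GENERIC_GREETINGS):
        findings.append("Generic greeting instead of your name")
    hits = [w for w in URGENCY_WORDS if w in email["subject"].lower() + " " + body]
    if hits:
        findings.append("Urgent or threatening language: " + ", ".join(hits))
    if email.get("attachments"):
        findings.append("Reset email carries attachments: " + ", ".join(email["attachments"]))
    for href, text in extract_links(email["body_html"]):
        host = urlparse(href).netloc.lower()
        if host in URL_SHORTENERS:
            findings.append(f"Link goes through URL shortener {host}")
        else:
            finding = check_domain(host, expected, "Link")
            if finding:
                findings.append(finding)
        if text.startswith(("http://", "https://")):
            shown = urlparse(text).netloc.lower()
            if shown != host:
                findings.append(f"Link text shows {shown} but points to {host}")
    return findings


if __name__ == "__main__":
    for name, msg in (("fake", SAMPLE_EMAIL), ("legit", LEGIT_EMAIL)):
        print(name, "->", analyze(msg) or ["no findings"])
```

Running the script lists six findings for the constructed fake message (look-alike sender domain, generic greeting, urgency words, an attachment, a shortener link, and link text that disagrees with its destination) and none for the constructed legitimate one. The hover-to-reveal advice above is exactly the `text` versus `href` comparison in `analyze`; the script only automates what a careful reader would see.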

3. Use a Unique Password. 

Do not reuse passwords across multiple sites and services. Create a unique password for each account. This way, if one service is compromised, your other accounts remain secure. It is also highly recommended to use a password manager to store and manage your passwords. 

4. Use Multi-Factor Authentication. 

Review your accounts and enable Multi-Factor Authentication (MFA). Although attackers can sometimes bypass MFA during Account Recovery Phishing attacks by tricking users into providing their verification code, it still adds an additional layer of protection for your accounts. 

5. Protect Your Sensitive Information. 

Never provide sensitive information, such as passwords, verification codes, or your Social Security Number, via email or text message. Reputable companies will not ask you to provide sensitive information over insecure channels. 

What to Do if You Think Your Account Has Been Compromised? 

If your account has been compromised, the first step is to try to recover it through the official password reset process. If you are unable to regain access, contact customer support and notify them about the incident. This is especially important for financial institutions and e-commerce platforms, where support can freeze activity, restore access, review transactions, and monitor the account for further abuse. 

Review purchase history, messages, login logs, account changes, and connected services. Document anything suspicious with screenshots and timestamps. Even if you cannot access the compromised account, you may still review email notifications, transaction and login attempt alerts, and messages from the service provider.  

Finally, it is highly recommended to submit a report through the Internet Crime Complaint Center (IC3), especially if the compromised account involves financial transactions or the exposure of sensitive information. 

Although this type of phishing is not new, it continues to be highly effective. Always verify any account recovery requests and practice strong security habits. 

Author: The Safeguards Consulting, Inc. Cybersecurity Team