7 Things To Do After Receiving A ‘Password Reset’ Email You Didn’t Request

Imagine chilling on your couch, lost between doomscrolling and notifications from your friends. There aren’t many things that can spoil your mood. However, you open Gmail on your Android phone and see an email with the subject line, “Password reset request for your account.” You didn’t initiate this, and wonder if this is a harmless glitch or someone trying to hijack one of your accounts.

Cybercriminals often use unsolicited password reset emails to exploit unsuspecting users. Such emails could be a phishing attack or an alert from a service you use. Both are bad, and ignoring them could lead to stolen data, drained bank accounts, or compromised social media profiles. Here are seven essential steps to take immediately after receiving a password reset email you didn’t request.

7 Don’t click anything in the email

Before diagnosing the problem, take a minute to understand what you are dealing with. Even if the email looks convincing (it has the company’s logos and everything), it could be a trap with fake links. Phishing emails often lead to fake login pages that steal your credentials or install malware like keyloggers on your device. Even if the email warns that your account is “at risk,” resist the urge to act impulsively.

First, check the sender’s email address. Legitimate emails come from familiar domains. For example, an alert from Google comes from accounts.google.com, not from something like google-support.biz. For popular websites, look up the sender’s address to see if other users have reported it.
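
The sender check described above can be automated. The following is an added example, not part of the original article: it reads the From: address rather than the display name, requires a dot-boundary match against the expected domain, and trusts the match only when the receiving provider recorded dmarc=pass. The EXPECTED table, the verdict strings and the sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: sender domains you expect per service. The Google entry is the
# one named in the article; extend the table for the services you use.
EXPECTED = {"google": ("accounts.google.com",)}

def sender_domain(msg) -> str:
    """Domain of the From: address, ignoring the spoofable display name."""
    _display_name, address = parseaddr(msg.get("From", ""))
    return address.rpartition("@")[2].lower().rstrip(".")

def dmarc_passed(msg) -> bool:
    """True if a receiver-added Authentication-Results header says dmarc=pass.
    Assumption: the header was written by your own mail provider."""
    results = " ".join(msg.get_all("Authentication-Results", []))
    return re.search(r"\bdmarc=pass\b", results, re.IGNORECASE) is not None

def check_sender(raw_message: str, service: str) -> str:
    msg = message_from_string(raw_message)
    domain = sender_domain(msg)
    # Require an exact match or a dot boundary, so that
    # accounts.google.com.login-check.example does not pass.
    on_expected = any(domain == d or domain.endswith("." + d)
                      for d in EXPECTED[service])
    if on_expected:
        return "expected-sender" if dmarc_passed(msg) else "unauthenticated"
    return "lookalike" if service in domain else "unrelated"

# Constructed sample messages (not real mail).
GENUINE = ("From: Google <no-reply@accounts.google.com>\n"
           "Authentication-Results: mx.example; dmarc=pass\n\nReset requested")
FORGED_FROM = GENUINE.replace("dmarc=pass", "dmarc=fail")
DISPLAY_TRICK = ('From: "no-reply@accounts.google.com" <alerts@google-support.biz>\n'
                 "Authentication-Results: mx.example; dmarc=pass\n\nReset now")
SUFFIX_TRICK = ("From: Security <alert@accounts.google.com.login-check.example>\n"
                "Authentication-Results: mx.example; dmarc=pass\n\nReset now")

if __name__ == "__main__":
    for name in ("GENUINE", "FORGED_FROM", "DISPLAY_TRICK", "SUFFIX_TRICK"):
        print(name, check_sender(globals()[name], "google"))
```

Even an "expected-sender" verdict only says the email came from the real service; it does not say who requested the reset.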

If you conclude that it is unsafe, report it. In the Gmail app, tap the overflow menu (the three dots) and select Report phishing to flag the email. You can take it a step further by enabling safe browsing: Go to Chrome Settings > Privacy and Security > Safe Browsing and select Enhanced protection to block malicious sites before you visit them.

Scammers can come up with elaborate plans to get information. For example, in 2024, a phishing attempt mimicked PayPal password reset emails, tricking users into sharing their passwords with a fake site.

6 Check your account activity

If the email is from a genuine source, someone may be trying to get into one of your accounts. Checking recent activity helps you confirm whether your account is under attack and identify the source.

Start by accessing your security dashboard. For Google, open the Google app or go to myaccount.google.com in a browser. Under Security, review Your devices and Recent security activity. Look for red flags such as unfamiliar devices (for example, an iPhone you don’t own) or logins from odd locations (such as a city you’ve never visited or don’t currently reside in). For non-Google accounts (like banking or social media), open their official apps or websites and review login history or security logs.

If you spot something fishy, look for a “Secure your account” option to start the recovery process, verify your identity, and review other settings. Remove any devices you no longer use or don’t recognize.

Most apps offer sign-in notifications, where you get an alert and an email each time someone signs in to the account. This lets you find out immediately if someone else is using your account.

If you use a VPN frequently, cross-reference login locations with your server list to avoid false alarms.

5 Change your passwords

Unrecognized login attempts are a signal to change your password, even if no unauthorized access was confirmed. Updating your password to something new, strong, and unique can be a powerful way to stop attackers in their tracks, especially if they made some progress guessing or stealing your old one.

When choosing a new password, follow the best practices. Aim for 12 to 16 characters, and mix uppercase, lowercase, numbers, and symbols. Avoid simple details like personal info, pets’ names, or birthdays.

If you use a password manager, it suggests strong passwords. Android has one built in, which you can access by going to Settings > Google > Autofill > Passwords to generate and save a secure password. You are prompted when you set up a new password. Alternatively, download Bitwarden or 1Password from the Play Store or App Store to safely manage all passwords. Also, do not reuse passwords across services.

4 Enable two-factor authentication (2FA)

Two-factor authentication is one of the most powerful ways to secure an account and ensure nobody else gets in. It adds a second verification step alongside your password to access the account. This usually comes in the form of a one-time password sent via email or SMS, but some services accept authentication keys (dedicated 2FA apps).

Given a choice, opt for app-based authentication, as SMS-based 2FA can be vulnerable to SIM-swapping attacks or to the loss of your phone. Google Authenticator and Authy are two commonly used apps.

Backup codes for 2FA are available and should be stored safely. You could create an encrypted note in Google Keep or write them down in a secure offline location.

If this sounds cumbersome, use Android’s Smart Lock to streamline 2FA prompts on trusted devices, but disable it on public and shared devices.

3 Scan your device for viruses

Unsolicited password reset emails could indicate that your device is infected with malware, such as a keylogger. Android and Windows devices are generally more susceptible to this, especially if you sideloaded apps or clicked random links.

On Android devices, run Google Play Protect for free by going to Settings > Security > Google Play Protect > Scan to check for harmful apps. For a deeper scan, install an app like Malwarebytes or Bitdefender.

It’s also useful to review installed apps frequently and uninstall anything unfamiliar, untrusted, or unused. Keep an eye on app permissions as well, to see if any app is trying to access something that it doesn’t require.

Lastly, ensure your phone’s OS is up to date. This generally takes care of major security vulnerabilities and other shortcomings that could affect devices at scale.

2 Report the incident

Reporting such emails and alerts helps stop the attack from causing further damage and protects others. It also alerts services about potential breaches and improves their blocklisting filters.

In Gmail, you can find the Report phishing option under the overflow menu of any email. Using it trains and improves Google’s filters. If the email appears to be genuine, report it to the targeted service (your bank or social media) via their website or app.

If you suspect a broader scam, report it to the authorities, such as the FBI’s IC3 at ic3.gov, and file a complaint. Be sure to take screenshots of all evidence before deleting the email.

1 Continue monitoring your accounts

After you have taken these steps, you can breathe a sigh of relief, but not for long. Even after your accounts are secure, stay vigilant for signs of attacks. Scammers evolve fast, and it’s imperative to stay informed.

Regular monitoring of accounts for unauthorized actions, changes, or transactions can be helpful. Enable real-time alerts for all banking and payment apps. Run virus scanners and breach checkers to see if your passwords are at risk. Lastly, be aware of the latest happenings in the world of cybersecurity.

The more digital our lives get, the higher the potential risk.

So long, scammers

While such password reset requests are unsettling, they are an opportunity to strengthen your defenses. Following these steps ensures your personal information, money, and device remain safe while weathering attacks. Remember: Your digital presence is only as strong as its weakest link.