PanicStation.org

What to do if…
you are asked to share your work login details or approve a multi-factor prompt you did not initiate

Short answer

Do not share your login details and do not approve the prompt. Treat it as a likely account-takeover attempt and contact your organisation’s IT/service desk or security team via a trusted channel immediately.

Do not do these things

  • Do not tell anyone your password, “temporary password”, one-time code, or backup/recovery codes — even if they claim to be IT, a manager, or a supplier.
  • Do not approve an MFA / “verify sign-in” / “number matching” request you didn’t start, even “just to make it stop”.
  • Do not click “approve” because the message looks familiar (e.g., Microsoft/Google branding) — attackers copy this.
  • Do not continue the conversation in the same channel that contacted you (replying to the email, clicking their “helpdesk” link, calling back their number).
  • Do not try to “fix it quietly” if you already shared/approved — delays can make a breach worse.
  • Do not forward suspicious work emails outside your organisation if your policies prohibit it.

What to do now

  1. Stop the request immediately.

    • If it’s an MFA push: tap Deny/Reject (or ignore it) and do not interact further.
    • If it’s a person asking: say “I can’t share login details” and end the call/chat.
  2. Switch to a trusted channel and report it right away.
    Use your company intranet, known service desk number, or security mailbox (not the one provided in the suspicious message). Tell them:

    • what you were asked to do (share login / approve prompt),
    • when it happened,
    • how you were contacted (email/phone/chat), and
    • whether you clicked, typed anything, or approved anything.
  3. If you already shared details or approved a prompt, say so clearly.
    Ask IT/security to take urgent actions such as: password reset, session/token revocation, forced sign-out, account lock, and log review. (They’ll know what applies in your environment.)

  4. From a known-safe device, secure your work account as instructed by IT/security.
    If your organisation allows you to act immediately before they respond, typical safe actions include:

    • changing your password via your normal company sign-in page/app, and
    • checking for obvious account changes (unexpected recovery email/phone, unusual “devices”, new email inbox rules/forwarding).
  5. Preserve the evidence without spreading it.
    Take screenshots of the message/prompt (including sender/address, time, and any request text), and keep the email/chat/caller details. Send these to IT/security through your normal internal process.

  6. If it was a phone call, verify internally before speaking further.
    If someone claimed to be IT/support, hang up and call your service desk using a number you already have (badge, intranet, staff directory). Do not use a number they gave you.

  7. If you received a suspicious email or text and your organisation permits external reporting, report it safely.

    • You can forward suspicious emails to the UK’s Suspicious Email Reporting Service at report@phishing.gov.uk (only if your employer’s policy allows).
    • Suspicious texts can be forwarded to 7726 (free), again only if appropriate for your situation/device.
  8. If there’s any sign of wider impact, escalate internally.
    Examples: colleagues received the same request, unusual payroll/bank change emails, unexpected mail sent “from you”, or files changed. Ask your manager to support escalation, but keep the primary response with IT/security.

What can wait

  • You do not need to work out “who did it” or prove it’s malicious right now.
  • You do not need to send warnings to the whole company yourself — let IT/security handle comms to avoid panic and false alarms.
  • You do not need to decide today whether this becomes a disciplinary or HR matter — the priority is containing risk.
  • You do not need to change passwords everywhere immediately — focus first on the work account that was targeted and follow your organisation’s incident steps.

Important reassurance

This is a very common tactic (phishing/social engineering and repeated MFA prompts). Feeling pressured or doubting yourself is exactly what attackers rely on. Denying the prompt and reporting quickly is the right response — even if it turns out to be a false alarm.

Scope note

These are first steps to stabilise the situation and limit damage. Your organisation may have specific incident, HR, and data-protection processes that take over after the initial report.

Important note

This guide is general information, not legal or professional advice. Follow your employer’s IT/security policies and instructions; if guidance conflicts, prioritise your organisation’s official incident process.
