What to do if…
you are asked to share your work login details or approve a multi-factor prompt you did not initiate
Short answer
Do not share your login details and do not approve the prompt. Assume it may be phishing or repeated push prompts meant to pressure you, and contact your company’s IT/help desk or security team using a trusted method immediately.
Do not do these things
- Do not share your password, MFA code, “push” approval, backup codes, or recovery info — even with someone claiming to be IT, HR, your manager, or a vendor.
- Do not approve an MFA push/verification prompt you didn’t initiate, even “to clear it” or because you’re busy.
- Do not click links or install “support” software sent by the person who contacted you.
- Do not continue the conversation in the same channel that contacted you (replying to that email, clicking their ticket link, calling their callback number).
- Do not delay reporting because you’re embarrassed or unsure — speed matters.
- Do not wipe devices or delete messages unless your IT/security team tells you to (it can remove evidence they need).
What to do now
- Stop and refuse the request.
  - If it’s an MFA push: tap Deny/Reject (or ignore it).
  - If it’s a person: say “I can’t share login details or approve prompts I didn’t start” and end the interaction.
- Report it through a trusted company channel immediately.
  Use your known help desk number, internal portal, or corporate directory — not any contact info in the suspicious message. Tell them:
  - what you were asked to do,
  - when it happened,
  - how you were contacted, and
  - whether you clicked/typed/approved anything.
- If you already shared or approved, treat it as urgent and say so plainly.
  Ask IT/security to immediately secure the account (password reset, forced sign-out, token/session revocation, account lock, log review). This is routine for them — the key is speed and clarity.
- From a known-safe device, take the safest immediate account steps you can.
  If you’re allowed to act before IT responds, typical safe steps include:
  - changing your password using your normal corporate sign-in page/app, and
  - checking for obvious account changes (new recovery email/phone, unfamiliar devices, unexpected email forwarding/inbox rules).
- If you think a device might be compromised, stop using it and follow IT/security instructions.
  If you clicked a link, opened a strange attachment, or installed something, tell IT/security. If your policy allows, they may ask you to disconnect from the network or power down — don’t guess; follow their steps.
- Capture evidence and send it to IT/security via your normal process.
  Take screenshots of the prompt/message (timestamps, sender, request text, phone number/chat handle). Don’t forward suspicious links broadly; let security handle analysis.
- If you’re not in a workplace with responsive IT (or this hit a personal account used for work), use established reporting routes — only if your employer’s policy allows external reporting.
  - Forward phishing emails to reportphishing@apwg.org.
  - Forward phishing text messages to SPAM (7726) (on a US mobile device).
  - Report scams/phishing to the FTC at ReportFraud.ftc.gov.
- If there’s financial loss or a clear cyber-enabled fraud incident, consider reporting to the FBI’s IC3.
  Use the official site ic3.gov (type it directly in your browser). Keep your employer informed if it relates to work systems or funds.
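The "repeated push prompts meant to pressure you" pattern that the short answer describes is exactly what IT/security looks for during the log review mentioned in the steps above, and it is why approving a prompt "to clear it" is the worst outcome. As an added example that is not part of the original guide, the Python script below runs a simple push-fatigue check over a constructed, invented log format: the pipe-delimited field layout, the user names, timestamps and IP addresses are all assumptions for illustration and do not match any real identity provider's schema.

```python
"""Flag MFA push-fatigue bursts in a constructed sample of authentication log lines.

Added illustration, not code from the original guide. The log format is invented
(fields: timestamp | user | event | result | source_ip); a real identity provider
export would need its own parser.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real data). Alice receives four prompts she
# denies or lets time out, then approves one; Bob approves a single prompt; Carol
# denies one prompt and approves an unrelated one half an hour later.
SAMPLE_LOG = """\
2024-05-02T08:59:10Z|alice|mfa_push|denied|203.0.113.7
2024-05-02T08:59:32Z|alice|mfa_push|timeout|203.0.113.7
2024-05-02T09:00:05Z|alice|mfa_push|denied|203.0.113.7
2024-05-02T09:00:41Z|alice|mfa_push|timeout|203.0.113.7
2024-05-02T09:01:15Z|alice|mfa_push|approved|203.0.113.7
2024-05-02T09:03:00Z|bob|mfa_push|approved|198.51.100.20
2024-05-02T11:15:00Z|carol|mfa_push|denied|198.51.100.44
2024-05-02T11:45:00Z|carol|mfa_push|approved|192.0.2.9
"""

PUSH_EVENT = "mfa_push"
NOT_ACCEPTED = {"denied", "timeout"}  # prompts the user did not approve


def parse_log(text):
    """Parse the constructed pipe-delimited format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, event, result, ip = line.split("|")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user, "event": event, "result": result, "ip": ip,
        })
    return records


def find_push_fatigue(records, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per user who received `threshold` or more push prompts
    they did not approve inside any `window`-long span. Severity becomes
    'critical' when an approval lands inside that same span, which is the
    'approved to make it stop' case the guide warns about."""
    by_user = defaultdict(list)
    for r in records:
        if r["event"] == PUSH_EVENT:
            by_user[r["user"]].append(r)

    alerts = []
    for user, events in sorted(by_user.items()):
        events.sort(key=lambda r: r["ts"])
        unaccepted = [r for r in events if r["result"] in NOT_ACCEPTED]
        best = None  # (count of unaccepted prompts, start of the densest window)
        for anchor in unaccepted:
            end = anchor["ts"] + window
            count = sum(1 for r in unaccepted if anchor["ts"] <= r["ts"] <= end)
            if best is None or count > best[0]:
                best = (count, anchor["ts"])
        if best is None or best[0] < threshold:
            continue
        count, start = best
        approved_after = any(
            r["result"] == "approved" and start <= r["ts"] <= start + window
            for r in events
        )
        alerts.append({
            "user": user,
            "prompts": count,
            "window_start": start.isoformat(),
            "approved_in_window": approved_after,
            "severity": "critical" if approved_after else "high",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_push_fatigue(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is and only Alice is flagged: four unapproved prompts in under two minutes followed by an approval, so the alert is marked critical and the responder's next steps are the ones the guide lists (forced sign-out, session revocation, password reset). Carol's single denial is below the threshold and her later approval is outside the window, so she is not flagged; lowering `threshold` to 1 flags her as "high" without the approval, which shows how the threshold trades noise against coverage.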
What can wait
- You do not need to prove it was malicious before reporting — “something felt off” is enough.
- You do not need to message everyone yourself — IT/security can notify affected teams without spreading a bad link.
- You do not need to decide now whether this becomes an HR issue — first priority is account containment.
- You do not need to overhaul every password immediately — focus on the targeted work account and follow incident guidance.
Important reassurance
These requests are a common social-engineering tactic. Attackers rely on urgency and authority to make people comply. Denying the prompt and reporting through a trusted channel is the correct response — even if it turns out to be a false alarm.
Scope note
These are immediate stabilization steps. Your organization may have specific incident response, HR, compliance, and notification procedures that follow.
Important note
This guide is general information, not legal or professional advice. Follow your employer’s IT/security policies and directions, especially during an active incident.