'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
What to do if…
you get a flood of password reset messages for accounts you did not request
Short answer
Don’t click anything in the messages. Lock down your email account first (new password + MFA), then look for the one real security alert hidden in the flood.
Do not do these things
- Do not click reset links, “verify” buttons, or “unsubscribe” links inside the emails.
- Do not approve any unexpected MFA push notifications.
- Do not give a one-time code to anyone who contacts you “to help”.
- Do not delete everything blindly if you can help it — attackers sometimes use the flood to bury a real alert (like a password change or purchase).
- Do not turn off MFA to reduce prompts.
What to do now
-
Create a calmer 2-minute window
- Silence notifications briefly so you don’t act on impulse.
- Open your email provider only via the official app or by typing the address yourself.
-
Secure your email account first (the account that unlocks other accounts)
- Change your email password to a long, unique one.
- Turn on MFA (authenticator app or security key if available).
- Sign out of other devices/sessions and review recent sign-ins for anything unfamiliar.
-
Check for mailbox tampering that hides evidence
- Review mail rules/filters and forwarding settings.
- Remove any forwarding address or “auto-delete/auto-archive/mark as read” rule you didn’t create.
-
Identify the high-risk account(s) and verify the safe way
- Search your inbox for:
password changed,security alert,new login,new device,purchase,order,recovery,verification code. - Start with accounts that can cause immediate harm: email provider, banks/cards, PayPal/Apple Pay/Google Pay, mobile carrier, Apple/Google/Microsoft, and any account with saved payment methods.
- Search your inbox for:
-
For each important service: bypass the email and check directly
- Go to the service by typing the URL yourself or using the official app.
- Check recent logins/devices and recovery info (email/phone).
- If anything is off: change the password and enable MFA on that account.
-
Report suspected phishing
- Use the “Report spam/phishing” feature in your email provider.
- Forward phishing emails to reportphishing@apwg.org.
- Report phishing to the FTC at ReportFraud.ftc.gov.
-
If you lost money, sent a code, or an account was taken over
- Contact your bank/card issuer immediately using the phone number on the back of your card (or inside the official app).
- File a report with the FBI’s Internet Crime Complaint Center (IC3) if you believe you’re a victim of cyber-enabled fraud or phishing.
What can wait
- You don’t need to fix every single email right now.
- You don’t need to close old accounts today.
- You don’t need to determine exactly how your email got targeted before securing your email and key services.
Important reassurance
A reset email often only means someone knows your email address. The main risk is being rushed into clicking a link, approving an MFA prompt, or sharing a code. Securing your email and checking accounts directly (not via the emails) is the safest path.
Scope note
This guide covers first steps to stop immediate harm and prevent lockouts. If you confirm account takeover or financial fraud, follow the provider’s recovery process and consider additional identity-protection steps.
Important note
This is general information, not legal, financial, or professional cybersecurity advice. If you’re unsure whether a message is real, treat it as suspicious and access accounts only through official apps or addresses you type yourself.
Additional Resources
- https://www.cisa.gov/secure-our-world/recognize-and-report-phishing
- https://consumer.ftc.gov/articles/how-recognize-avoid-phishing-scams
- https://reportfraud.ftc.gov/
- https://apwg.org/reportphishing
- https://www.ic3.gov/
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing
- https://www.proofpoint.com/uk/blog/email-and-cloud-threats/subscription-bombing-hides-real-cyberattacks