What to do if…
you get repeated password reset emails for work accounts you did not request
Short answer
Don’t click anything in the emails. Contact your company IT/security team through a trusted channel right now so they can verify the reset activity and secure your account.
Do not do these things
- Do not click reset links or open attachments in the emails.
- Do not use phone numbers, chat links, or “helpdesk” contacts shown in the email (they can be part of a scam).
- Do not approve MFA prompts or share verification codes with anyone unless you initiated the sign-in.
- Do not forward potentially sensitive work emails to personal/external addresses unless your company policy explicitly allows it.
- Do not assume it’s harmless “spam” until your IT/security team confirms.
What to do now
- Pause and avoid the links.
  Treat repeated reset emails as a sign that someone may be trying to get into your account, or trying to steer you to a fake login page.
- Report it to IT/security using a known-good method.
  Use your normal helpdesk number, your internal portal, or a company chat channel you already trust (not anything inside the email). Provide:
  - the affected account(s)
  - when it started and how often the emails arrive
  - the sender name/address shown and the subject lines
  - whether you clicked anything or entered credentials
- Ask IT/security to take containment actions now.
  Ask them to:
  - review sign-in logs and password reset events
  - force sign-out / invalidate sessions and tokens if available
  - confirm MFA status and remove any unknown MFA methods
  - check for mailbox tampering (forwarding, inbox rules, delegated access)
  - check for suspicious “connected apps”/consents if supported
  - check whether other employees are seeing the same thing (broader attack)
- Only change your password via the official portal if permitted and IT/security hasn’t told you to pause.
  From a device you trust, use your organization’s official sign-in page (not the email link). If your org requires IT/admin-driven resets or asks you to wait while they investigate, follow their direction.
- Look for stealthy changes attackers often make (if you have access).
  Check your email/security settings for:
  - auto-forwarding to an unfamiliar address
  - inbox rules that auto-delete, mark as read, or move messages to folders you never check
  - unfamiliar “connected apps” with mail access
- If you interacted with the email, escalate immediately.
  If you clicked a link, entered your password, or approved a prompt:
  - tell IT/security explicitly (don’t downplay it)
  - follow their steps for password reset, MFA reset, and device checks
  - assume your credentials may be compromised until proven otherwise
- Protect business processes that can be exploited fast.
  If your role touches payments, purchasing, payroll/HR changes, or customer data, tell your manager you’ve reported a potential account-security incident, so that any urgent requests “from you” are verified out-of-band today and high-risk changes are double-checked.
- Preserve evidence without spreading it.
  Keep the emails (do not delete them) and note timestamps. Let IT/security collect headers or copies using your company’s approved process.
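For the IT/security responder handling the containment step and the “stealthy changes” check above, here is an added example of the mailbox-tampering triage (it is not code from the original guide or from any vendor). It assumes the input dicts mirror a simplified export of Exchange Online’s Get-Mailbox / Get-InboxRule output (the field names are the real property names, but addresses are assumed to be plain SMTP strings), and INTERNAL_DOMAINS, the keyword list and the sample data are constructed for illustration.

```python
"""Added example, not code from the original guide or any vendor: triage one
mailbox's forwarding settings and inbox rules for the tampering patterns the
containment and "stealthy changes" steps describe.

Assumptions: the input dicts mirror a simplified export of Exchange Online's
Get-Mailbox / Get-InboxRule output (field names are the real cmdlet property
names, but addresses are assumed to be plain SMTP strings); INTERNAL_DOMAINS,
the keyword list and the sample data are constructed for illustration.
"""
from __future__ import annotations

import re

# Assumption: your organization's own mail domains. Anything else is external.
INTERNAL_DOMAINS = {"example.com"}

# Assumption: words attackers commonly filter on to keep reset notices, MFA
# changes and finance mail away from the victim.
SUSPICIOUS_KEYWORDS = ("password", "reset", "verif", "security", "mfa",
                       "invoice", "payment", "wire", "hacked", "phish")

# Folders where a moved message is unlikely to be noticed.
HIDING_FOLDERS = {"rss feeds", "rss subscriptions", "conversation history",
                  "junk email", "deleted items", "archive"}


def is_external(address: str) -> bool:
    """True when the address's domain is not one of ours (an "smtp:" prefix is ignored)."""
    domain = address.lower().removeprefix("smtp:").rsplit("@", 1)[-1]
    return domain not in INTERNAL_DOMAINS


def check_forwarding(mailbox: dict) -> list[str]:
    """Mailbox-level forwarding set by an admin or via the user's mail settings."""
    findings = []
    for field in ("ForwardingAddress", "ForwardingSmtpAddress"):
        target = mailbox.get(field)
        if target:
            where = "external" if is_external(target) else "internal"
            findings.append(f"{field} set to {where} address {target}")
    return findings


def check_rule(rule: dict) -> list[str]:
    """Suspicious traits of one inbox rule; an empty list means it looks benign."""
    if not rule.get("Enabled", True):
        return []
    findings = []
    name = (rule.get("Name") or "").strip()
    # Attacker-created rules are often named "", "." or ".." so they go unnoticed.
    if not name or re.fullmatch(r"[\W_]{1,3}", name):
        findings.append("non-descriptive rule name")
    if rule.get("DeleteMessage"):
        findings.append("deletes matching messages")
    if rule.get("MarkAsRead"):
        findings.append("marks matching messages as read")
    folder = (rule.get("MoveToFolder") or "").lower()
    if folder in HIDING_FOLDERS:
        findings.append(f"moves matching messages to rarely viewed folder '{folder}'")
    for field in ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"):
        for addr in rule.get(field) or []:
            if is_external(addr):
                findings.append(f"{field} external address {addr}")
    terms = [t.lower() for t in (rule.get("SubjectContainsWords") or [])
             + (rule.get("BodyContainsWords") or [])]
    hits = sorted({t for t in terms if any(k in t for k in SUSPICIOUS_KEYWORDS)})
    if hits:
        findings.append("filters on security/finance keywords: " + ", ".join(hits))
    return findings


def triage(mailbox: dict, rules: list[dict]) -> dict:
    """Summarise what a responder should look at for this mailbox."""
    forwarding = check_forwarding(mailbox)
    suspicious = {}
    for rule in rules:
        traits = check_rule(rule)
        if traits:
            suspicious[rule.get("Name") or "<unnamed>"] = traits
    return {"forwarding": forwarding, "suspicious_rules": suspicious,
            "needs_review": bool(forwarding or suspicious)}


# Constructed sample: one benign rule, one classic hide-and-delete rule, one
# invoice-exfiltration rule, plus mailbox forwarding to an outside domain.
SAMPLE_MAILBOX = {"Identity": "j.doe@example.com", "ForwardingAddress": None,
                  "ForwardingSmtpAddress": "smtp:jdoe.backup@mail-example.net",
                  "DeliverToMailboxAndForward": True}
SAMPLE_RULES = [
    {"Name": "Newsletters", "Enabled": True, "SubjectContainsWords": ["weekly digest"],
     "MoveToFolder": "Newsletters"},
    {"Name": ".", "Enabled": True, "SubjectContainsWords": ["password reset", "new sign-in"],
     "BodyContainsWords": ["MFA"], "MarkAsRead": True, "DeleteMessage": True},
    {"Name": "Invoices", "Enabled": True, "SubjectContainsWords": ["invoice"],
     "ForwardTo": ["accounts@example.com", "finance-dept@gmail.example"],
     "MoveToFolder": "RSS Feeds"},
]

if __name__ == "__main__":
    result = triage(SAMPLE_MAILBOX, SAMPLE_RULES)
    for line in result["forwarding"]:
        print("FORWARDING:", line)
    for rule_name, traits in result["suspicious_rules"].items():
        print(f"RULE {rule_name!r}:", "; ".join(traits))
```

In a real investigation the input would come from the tenant rather than the constructed sample, for example `Get-InboxRule -Mailbox <user> | ConvertTo-Json` and `Get-Mailbox <user> | Select-Object ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward` in Exchange Online PowerShell, and the unified audit log (`Search-UnifiedAuditLog` filtered on the New-InboxRule / Set-InboxRule operations) tells you when and from which IP a flagged rule was created. Any finding the script reports is a prompt for a human to confirm with the user, not proof of compromise on its own; a legitimate “Invoices” rule and an attacker’s look the same until you check the destination.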
What can wait
- You don’t need to figure out whether it’s a real reset or a fake today—IT/security can confirm.
- You don’t need to report to law enforcement unless there’s confirmed fraud or loss, or your company asks you to. If money was sent, payment or payroll details were changed, or sensitive data may have been exposed, escalate immediately through your company incident process and follow their guidance on reporting (for example, IC3 for business email compromise losses).
- You don’t need to do a full device overhaul right now unless IT/security identifies signs of compromise.
Important reassurance
Repeated reset emails don’t automatically mean someone is in your account. Often it is an attacker probing the reset flow (for example, to confirm that your address is a valid account) or a phishing lure dressed up as a real reset notice. The key is not to “help” the attacker by clicking links, and to let IT/security validate and shut down any access attempts.
Scope note
This guide covers first steps to stabilize the situation. Your organization may have mandatory incident reporting steps; follow them once you’re connected to IT/security.
Important note
This is general information, not legal advice or a substitute for your employer’s security policies. If you believe your account may be compromised, follow your organization’s IT/security instructions first.
Additional Resources
- https://www.cisa.gov/secure-our-world/recognize-and-report-phishing
- https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks
- https://consumer.ftc.gov/articles/how-recognize-avoid-phishing-scams
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/spoofing-and-phishing
- https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise
- https://www.ic3.gov/CrimeInfo/BEC
- https://learn.microsoft.com/en-us/defender-office-365/responding-to-a-compromised-email-account