Why You Should Never Click ‘Reset Password’ in Your Inbox (and What to Do Instead)
A password reset email can look legitimate, but you need to be vigilant. Here’s how to stay safe.
BY REUT HACKMON, FOUNDER, GUARDIANCE GROUP
Most password reset emails look completely legitimate. We see them quite often, usually with a convincing reason from a service we trust. Resetting the password immediately feels like the responsible thing to do.
But what seems like a healthy security habit can easily become a convenient vehicle for manipulation, especially when it turns into a routine task that we perform automatically without much thought.
That’s exactly what attackers rely on.
The real risk of clicking a password reset email
To be clear, if you’ve just navigated to a website, realized you needed to reset your password, and then made that request, you’re fine. The issue is when you get one of these emails out of the blue.
The problem begins the moment you click the link inside the email.
Attackers frequently send emails that look almost identical to legitimate password reset notifications from well-known services. The branding, wording, and formatting appear identical, and the message usually asks for a simple action: Reset your password to secure your account.
The link provided in the message, however, may lead to a fake website designed to look exactly like the real login or reset page. When users submit their credentials there, the information is sent directly to the attacker’s servers.
