Password Recovery Scam: A Smart Technique To Gain E-mail Access

On a busy morning you receive a text message saying “There has been an unauthorized activity on your e-mail account. Please reply with verification code.” What do you do next? Most likely you reply with the verification code that arrived on your phone at the same time.

What happens next is not hard to imagine: what just took place in your message box was nothing but a very successful spear-phishing attack.

Spear phishing is a more targeted version of phishing. It can take many forms, such as e-mail spoofing, victim profiling, e-mail personalization, impersonation of business contacts and many similar tactics, all aimed at gaining access to an individual or an organization.

Password Recovery Scam is one of them. Nowadays almost every e-mail provider offers a mobile verification code for recovering a forgotten e-mail ID or password. The same mechanism also protects the account from unauthorized access, for example Gmail's two-step verification process. But instead of helping, these password recovery code verifications can open the gates for intruders.

[Image: password recovery]

Beware that this type of scam requires the intruder to know both your e-mail ID and your phone number. That means a person familiar with you might be involved.

So the intruder, knowing your e-mail ID, first tries to log in to your account, which is not possible without the correct password. After entering your e-mail ID, he/she clicks on the “Forgot password” / “Need help” link.

[Image: Gmail sign-in and “trouble signing in” screens]

Although several password recovery options are available, the intruder skips them all in order to reach the verification code step.


As soon as he/she selects the option “a text message (SMS)”, you receive a six-digit verification code on your phone. The intruder then sends you a text message from a private phone saying something like “there has been an unauthorized activity on your email account” and asks you to reply with the six-digit verification code that Gmail has just sent you. You take it for a real message from Gmail and reply with the code.


This verification code is then used by the intruder to gain access to your e-mail account.

[Image: password reset]

If this does not work on the first attempt, the intruder may contact you again, saying something like “We still detect an unauthorized login from your account. A new verification code has been sent to you; please respond with it in order to secure your Google account.”

Worse, they can modify your account settings, for example adding an alternate e-mail ID so that a copy of every mail is forwarded to that ID. A temporary password may also be sent to you. Everything happening so precisely leads you to believe that the whole process was legitimate.

In this case the attackers may not be interested in financial theft; they are more focused on gathering sensitive data that can affect the victim's career or personal life.

A user should check the e-mail account daily to catch such intrusions. Always treat such messages with suspicion and do not respond with the code right away. Try to reach the e-mail provider before taking any step. Genuine e-mail providers will only send you the text message and will never ask you to reply back.
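The last rule, that a genuine provider only sends the code and never asks for a reply, can be turned into a detection check. The following is an added example, not code from the article: it assumes a constructed SMS inbox and a constructed set of provider sender IDs, and flags a message from an unknown number that asks for a code shortly after a provider delivered one.

```python
# Added example (not from the article): detector for the code-relay pattern
# described above. Sender IDs, sample messages and the time window are
# constructed assumptions, not real data.
import re
from datetime import datetime, timedelta

# Assumption: alphanumeric sender IDs the real provider uses for codes.
KNOWN_PROVIDER_SENDERS = {"GOOGLE"}

CODE_PATTERN = re.compile(r"\b\d{6}\b")  # six-digit code, as in the article
MENTIONS_CODE = re.compile(r"\b(verification|code)\b", re.I)
ASKS_REPLY = re.compile(r"\b(reply|respond|send (it|me|us))\b", re.I)

# Constructed sample inbox: (timestamp, sender, text).
SAMPLE_INBOX = [
    ("2024-03-01 09:00:00", "GOOGLE",
     "G-123456 is your Google verification code."),
    ("2024-03-01 09:02:30", "+15550001234",
     "There has been an unauthorized activity on your e-mail account. "
     "Please reply with verification code."),
    ("2024-03-01 09:10:00", "+15550009999", "Lunch at noon?"),
]

def find_code_relay_attempts(inbox, provider_senders=KNOWN_PROVIDER_SENDERS,
                             window=timedelta(minutes=15)):
    """Return messages that ask the user to reply with a code.

    Severity is "high" when a provider delivered a code within `window`
    before the request (the sequence the article describes), otherwise
    "medium": a reply request with no recent code is still suspicious.
    """
    deliveries = []  # times at which a provider sender delivered a code
    flagged = []
    for ts, sender, text in inbox:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if sender in provider_senders:
            if CODE_PATTERN.search(text):
                deliveries.append(when)
            continue  # a genuine provider message never asks for a reply
        if not (MENTIONS_CODE.search(text) and ASKS_REPLY.search(text)):
            continue
        recent = any(timedelta(0) <= when - d <= window for d in deliveries)
        flagged.append({"sender": sender, "text": text,
                        "severity": "high" if recent else "medium"})
    return flagged

if __name__ == "__main__":
    for hit in find_code_relay_attempts(SAMPLE_INBOX):
        print(hit["severity"], hit["sender"], hit["text"])
```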


As the discussion above shows, the password recovery scam is one of the more successful spear phishing techniques. The basic intent of such a scam is to get hold of intellectual property, financial data, military secrets and other private information. It is therefore essential not to respond to messages that ask for private information, bank details or any other details. Traditional security won't stop such scams, so user awareness together with e-mail security is what keeps users from becoming targets of hackers.