5 ways to prevent password reset attacks

Have you ever opened your inbox to find a password reset email that you didn’t request? It’s an unsettling sign someone else tried to get into your account and can cause mild panic (at least it does for me). Most of the time, the attempt fails. But when attackers succeed, the consequences can be serious: full account takeover (ATO), stolen data, and financial fraud. 

According to a recent report, nearly 1 in 4 password reset attempts is now fraudulent. Fraudsters know that if they can hijack the password reset process, they don’t need to steal your password — they can just replace it. With businesses expected to lose $91 billion to ATO fraud by 2028, the risks of password reset attacks are severe. This post breaks down how these attacks work and the practical steps you can take to stop them.

What is a password reset attack?

A password reset attack is when a fraudster exploits the password recovery or “forgot my password” process to take over an account. They request a password reset for a username or email, then hijack recovery emails, intercept SMS codes, or trick support staff so they can set a new password and lock the real user out.

How password reset attacks work

Password resets are designed to be simple: When a user asks for help, the website or app confirms who they are, then issues a link or code so they can choose a new password. Attackers exploit this flow in several ways:

1. Bots submit large volumes of reset requests, often against email addresses or usernames that they have either stolen or accessed from personal information leaked in a data breach. 
2. Attackers intercept or reroute the reset link or code. Examples include using SIM swapping to capture codes sent by SMS, taking over the email account to capture links sent by email, or exploiting “change recovery info” features to swap in their own phone number or email address.
3. Attackers impersonate users to trick customer service agents into resetting the password. They provide stolen personal data or answers to password recovery questions easily guessed from the user’s public information. They may even use a deepfaked voice or video. 

After setting a new password, attackers often immediately update the password recovery details and change the MFA to use a new phone number or email. This secures their control and delays detection. 

The business impact of password reset abuse

Password reset abuse carries real business consequences. Beyond the support cost of handling urgent account lockout requests, each successful attack can result in financial losses when attackers exploit stored balances, payment details, or loyalty programs. The stakes are even higher when corporate accounts are compromised; an IBM report puts the cost of a single data breach from password-related attacks at $4.4 million.

Account takeovers destroy customer confidence at the individual level, while news stories of breaches can have a huge reputational impact. Password attacks also create compliance and regulatory risk if personal data or financial information is exposed through compromised accounts. Regulators have levied 9-figure fines for such breaches, and in one six-month period, U.S. companies paid over $150 million in class-action settlements for data breaches. 

5 strategies to prevent password reset attacks

1. Detect unusual reset behavior

Watch for patterns that are highly unlikely for real users but common for bots, such as the following: 

• High volume: Bots may use the same device to try dozens or hundreds of reset requests against different usernames or emails.
• Unnatural cadence: Look for requests firing at machine-perfect intervals instead of the pace at which a human would normally navigate the password reset flow.
• Direct API hits: Check for requests that bypass the normal reset UI and instead work programmatically through API calls.
• Suspicious sequencing: A human won’t typically request a password before trying to log in or immediately after creating their account, so these patterns may indicate bot activity. 

2. Separate MFA changes and password recovery

In the case of a password reset attack, MFA should protect accounts from ATOs. Unfortunately, attackers can find ways to bypass it. Here are some tips to defend against this threat:

• Always implement MFA on password reset flows. Some systems don’t require MFA after a password reset, and simply log in the user — or attacker — directly. Make sure to avoid this flow. 
• Never bundle MFA changes into password resets. Treat adding or removing MFA factors as a separate, high-risk action. Attackers shouldn’t be able to convince support staff to change MFA as part of the reset attack. 
• Require step-up verification for MFA changes. Enforce an existing factor (like an authenticator app) or a stronger identity check before allowing updates.
• Monitor and alert on MFA updates. Notify the account owner immediately if MFA is changed or removed.

3. Harden recovery channels

When users reset their password, they typically get a reset link or code via email or SMS. Unfortunately, both of these channels can be compromised without the user noticing. Attackers can steal email logins via credential stuffing, and intercept SMS through SIM swaps, SIM cloning, and even malware. 

To better secure the recovery flow, add checks that verify identity through a separate channel, like a push notification or backup email. And just as you would with MFA changes, flag changes to password recovery details — they should be treated as high-risk events and require additional verification.

4. Protect customer support

Customer support is a common weak link, since agents are trained to help customers regain access quickly. Fraudsters exploit this with impersonation and social engineering.

To reduce the risk, don’t rely only on easily stolen details like name, address, or date of birth — or the answers to security questions that are easily guessed with details gleaned from social media accounts. And be careful about allowing customers to use their voices or phone cameras for authentication, as these biometrics can be convincingly faked using AI, with real consequences to businesses and individuals.

Finally, consider requiring step-up approval for sensitive accounts, as not all accounts should be treated equally. Resetting a regular streaming account is low-stakes; resetting an admin or financial account should require stronger, layered verification. 

5. Use device intelligence to strengthen resets

Attackers can rotate IP addresses, spoof browser details, and even take over MFA, but the device itself leaves behind a consistent, unique fingerprint. By tying reset attempts to device intelligence, you can spot patterns that traditional checks miss.

You can spot bot activity, unusual amounts of requests coming from one device, or resets from an IP that doesn’t match the user’s typical geolocation, to shut down fraud before it results in account takeovers. And you can adapt your responses so that low-risk resets on devices already associated with the account can go through smoothly, while resets from unrecognized or high-risk devices trigger step-up checks. 

Keeping resets safe

Password resets will always be an attractive target for attackers. By hijacking the recovery process, they can bypass the need to guess or steal a password and move straight to full account takeover. The consequences are serious: financial loss, regulatory risk, and lasting damage to customer trust.

The best defense is layered, combining stronger recovery design with smarter detection to block attackers while keeping resets easy for real users. To learn more about how Fingerprint’s device intelligence platform can help protect against password reset attacks, contact us for a demo.