Scam Detective

We Detected Unusual Login Activity Means They Detected Your Wallet

April 17, 2026

"We detected unusual login activity on your account. For your protection, please verify your identity within 24 hours or your account will be permanently deactivated." The email looks like it's from Google, Microsoft, Apple, Facebook, or your bank. The logo is right. The formatting is professional. There's a big blue button that says "Verify Now."

Don't click it.

Account verification and password reset scams are the most common phishing attack on the internet. They work because they mimic a process you've done dozens of times. The difference is that the real process protects you, while the fake one hands your credentials to an attacker.

How the Scam Works

Fake security alerts constantly flood federal complaint databases. "Unusual sign-in activity detected on your Microsoft account," "Your Google password will expire in 24 hours," "We noticed a login from a new device in Russia," "Your Apple ID has been locked for security reasons," "Action required. Confirm your email address to avoid account closure." Every variant follows the same playbook.

The email creates two emotional responses simultaneously: fear that someone may have accessed your account, and urgency to act now or lose access. This combination overrides the skepticism that would normally make you pause.

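The "Verify" or "Secure My Account" button leads to a website that's a near-perfect copy of the real login page. Thousands of these URL patterns hit threat intelligence feeds daily. For example, accounts.google.com.secure-verify.xyz isn't actually google.com, login.microsoftonline.com.account-verify.net isn't actually microsoft.com, and appleid.apple.com-verification.com isn't actually apple.com. In each case the domain that actually loads is the one at the end of the hostname (secure-verify.xyz, account-verify.net, com-verification.com); the familiar name in front of it is just text the attacker chose.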

The page looks identical to the real thing. Same logo, same layout, same fonts. When you enter your username and password, they go directly to the attacker. Many phishing pages then redirect you to the real site so you don't even realize what happened.

With your credentials, attackers access your email, which is the master key to every other account since password resets all go through email. They lock you out by changing your password and recovery options. They access financial accounts linked to that email. They send phishing emails from your account to your contacts, who are more likely to trust messages from you.

Stolen credentials get sold on dark web marketplaces within hours, often bundled with thousands of others. The going rate is usually a few dollars per account.

Sophisticated phishing pages now capture two-factor authentication codes in real time. You enter your password on the fake page. The attacker enters it on the real page. The real site sends you a 2FA code. You enter it on the fake page. The attacker enters it on the real site. They're in. This happens in seconds, which is why time-based codes and especially SMS codes can be intercepted by real-time phishing kits. Hardware security keys like YubiKey are the only method immune to this attack because they verify the actual domain.
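A toy model of the domain check a hardware key performs, added here as an illustration and not taken from the original article or from any real key's firmware. It assumes an HMAC secret in place of a real public/private key pair, and the class and function names are hypothetical.

```python
import hashlib
import hmac
import os

RP_ID = "accounts.google.com"                        # real sign-in host
LOOKALIKE = "accounts.google.com.secure-verify.xyz"  # host quoted in the article

def _signed_bytes(host, challenge):
    # The host is part of what gets signed, so it cannot be swapped afterwards.
    return hashlib.sha256(host.encode()).digest() + challenge

class ToySecurityKey:
    """Toy origin-bound authenticator: one secret per host it was registered on."""

    def __init__(self):
        self._secrets = {}

    def register(self, host):
        # Real keys keep a private key and give the site the public half; a
        # shared HMAC secret stands in for that pair here (assumption).
        self._secrets[host] = os.urandom(32)
        return self._secrets[host]

    def sign(self, page_host, challenge):
        # page_host is supplied by the browser: the host of the page really open.
        secret = self._secrets.get(page_host)
        if secret is None:
            return None  # no credential exists for this host
        msg = _signed_bytes(page_host, challenge)
        return hmac.new(secret, msg, hashlib.sha256).digest()

def site_accepts(stored_secret, challenge, assertion):
    """The real site only accepts a signature made for its own host."""
    if assertion is None:
        return False
    msg = _signed_bytes(RP_ID, challenge)
    expected = hmac.new(stored_secret, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion)

def login_attempt(page_host, also_registered_on_page_host=False):
    """Sign in to RP_ID while the user's browser is open on page_host."""
    key = ToySecurityKey()
    stored = key.register(RP_ID)
    if also_registered_on_page_host and page_host != RP_ID:
        key.register(page_host)  # separate credential with a different secret
    challenge = os.urandom(16)   # issued by the real site
    return site_accepts(stored, challenge, key.sign(page_host, challenge))
```

A typed code has no equivalent of `page_host`: the digits are the same wherever they are entered, which is why only the key's response depends on the page being genuine.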

Check the sender's actual email address. Click or tap the sender name to reveal the real address. Google emails come from @google.com or @accounts.google.com. Microsoft uses @microsoft.com or @accountprotection.microsoft.com. Anything else is fake.

Hover over the button or link without clicking. The URL preview should show the service's actual domain. If the hostname (everything between https:// and the next slash) isn't exactly accounts.google.com or login.microsoftonline.com, it's a phishing page.

Check the URL after you land on the page. If you did click, look at the address bar before entering anything. The domain must exactly match the service. One extra word, a hyphen, or a different extension means it's fake.
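The exact-match rule from the two checks above, as an added example (not code from the original article): it pulls the hostname out of a link and compares it with the sign-in hosts this page names. The function names and verdict labels are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Exact sign-in and account hosts named in this article.
TRUSTED_HOSTS = frozenset({
    "accounts.google.com", "myaccount.google.com",
    "login.microsoftonline.com", "account.microsoft.com",
    "appleid.apple.com",
})

def link_host(url):
    """Return the lowercased hostname a link really points to, or None."""
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # bare "host/path" text copied from an email
    try:
        host = urlsplit(url).hostname  # drops scheme, port and path
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None

def classify_link(url):
    """Return 'trusted', 'lookalike', 'unknown' or 'invalid' for a link."""
    host = link_host(url)
    if host is None:
        return "invalid"
    if host in TRUSTED_HOSTS:
        return "trusted"
    # A trusted name embedded in a longer or altered host is the pattern the
    # article shows; anything short of an exact match is treated as suspect.
    if any(trusted in host for trusted in TRUSTED_HOSTS):
        return "lookalike"
    return "unknown"

# The three lookalike hosts quoted in the article, plus one genuine URL.
SAMPLES = [
    "https://accounts.google.com.secure-verify.xyz/",
    "https://login.microsoftonline.com.account-verify.net/",
    "https://appleid.apple.com-verification.com/",
    "https://accounts.google.com/signin/recovery",
]

def report(urls=SAMPLES):
    return {url: classify_link(url) for url in urls}

if __name__ == "__main__":
    for url, verdict in report().items():
        print(f"{verdict:10} {url}")
```

An "unknown" verdict is not a pass: it only means the host neither matches nor imitates one of the listed names.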

Go directly to the service instead of clicking any link. Open a new browser tab and type the service's URL yourself, or use a bookmark. If there's a real security issue with your account, you'll see it when you log in directly.

Generic greetings are red flags. Real security alerts from Google, Microsoft, and Apple typically address you by name or show partial account information. Scam emails often say "Dear User" or "Dear Customer."

Watch for disproportionate threats. "Your account will be permanently deleted in 24 hours" screams fake. Major platforms don't delete accounts with 24-hour ultimatums. Real account deactivation processes take weeks or months and involve multiple notices.

Real Google security alerts come from no-reply@accounts.google.com, show the device type, location, and time of the sign-in, link to myaccount.google.com, and include your name and partial email address. Microsoft uses account-security-noreply@accountprotection.microsoft.com, includes specific activity details, and links to account.microsoft.com. Apple sends from no-reply@email.apple.com or appleid@id.apple.com, references your Apple ID by name, and links to appleid.apple.com. Facebook and Instagram use security@facebookmail.com or no-reply@mail.instagram.com. You can verify alerts by checking Settings > Security > Recent emails in the app.
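The sender check described above, as an added example that is not part of the original article: it separates the display name from the address in a From header and compares the address's domain with the sender domains this page lists. The two sample messages are constructed, and the function name and verdict strings are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Sender domains this article lists for genuine alerts, by service.
SENDER_DOMAINS = {
    "google": {"google.com", "accounts.google.com"},
    "microsoft": {"microsoft.com", "accountprotection.microsoft.com"},
    "apple": {"email.apple.com", "id.apple.com"},
    "facebook": {"facebookmail.com"},
    "instagram": {"mail.instagram.com"},
}

def check_sender(raw_message):
    """Return (display_name, address, verdict) for a message's From header."""
    headers = message_from_string(raw_message)
    display, address = parseaddr(headers.get("From", ""))
    address = address.lower()
    domain = address.rpartition("@")[2]
    if not domain:
        return display, address, "no-address"
    for brand, domains in SENDER_DOMAINS.items():
        if domain in domains:  # exact domain match only
            return display, address, "listed:" + brand
    # Not a listed domain. If the visible text still names a service, the
    # display name (free text chosen by the sender) is doing the persuading.
    visible = (display + " " + address).lower()
    for brand in SENDER_DOMAINS:
        if brand in visible:
            return display, address, "claims:" + brand
    return display, address, "unlisted"

# Constructed sample messages (headers only); not real mail.
GENUINE = (
    "From: Google <no-reply@accounts.google.com>\n"
    "Subject: Security alert\n\n"
)
SPOOFED = (
    'From: "Microsoft account team" <security@account-verify.net>\n'
    "Subject: Unusual sign-in activity\n\n"
)

if __name__ == "__main__":
    for raw in (GENUINE, SPOOFED):
        print(check_sender(raw))
```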

If You Already Clicked

If you received a suspicious email, don't click any links. Go directly to the service's website and check your account security settings. If there's no alert in your account, the email was fake. Report the email as phishing in your email client. Search the sender domain in our database to see if other people have reported it.

If you entered your credentials on a suspicious page, change your password immediately by going directly to the real site. Enable two-factor authentication if it's not already on. Check your account's recent activity. Google, Microsoft, Apple, and Facebook all show recent sign-in locations and devices. Revoke any sessions you don't recognize.

Check your email's sent folder and forwarding rules. Attackers often set up auto-forwarding to maintain access even after you change your password. Change passwords on other accounts that use the same or similar password. Monitor for unusual activity across your accounts for the next few weeks.

If your account was taken over, use the service's account recovery process. Google recovery is at accounts.google.com/signin/recovery, Microsoft at account.live.com/password/reset, Apple at iforgot.apple.com. Contact the service's support if recovery fails. Alert your contacts that your account was compromised so they don't fall for messages sent from it.

Account verification scams succeed at scale for several reasons. Everyone has accounts: unlike scams that target specific demographics, everyone has a Google, Microsoft, Apple, or social media account. The scenario is plausible because account breaches really do happen and security alerts really do get sent. The scam is indistinguishable from reality until you check the details.

The action is familiar: you've clicked "Verify" and entered your password on legitimate alerts before, so the scam asks you to do something you've done many times. And one email account unlocks everything, since compromising your primary email gives attackers access to every service connected to it through password reset flows.

Report phishing emails to help providers block the sender and take down the phishing page. Forward to Google at phishing@google.com, Microsoft at phish@office365.microsoft.com, Apple at reportphishing@apple.com, the Anti-Phishing Working Group at reportphishing@apwg.org, and the FTC at ReportFraud.ftc.gov.