Phishing techniques: Expired password/account

Daniel Brecht
April 16, 2020 by
Daniel Brecht

Nowadays, a fair number of phishing attacks have been linked to expired password scams. This is a tactic used to steal identifying information and account access by luring users into entering their credentials in a webmail or webpage able to collect them. Every computer or mobile user of the internet can be a potential victim.

Best Reviews, a site that guides consumers on best products (including best password management apps) and services, points out that fake password reset emails are actually one of the oldest internet scams.

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

The scheme is actually effective as it bets on the fact that users are very often asked to update their passwords periodically; therefore, these requests can seem legitimate. There are, however, ways for users to recognize the scam and defend their system.

What does an expired password phishing scam look like?

Phishers sometimes craft emails that seem to be from a genuine service or website, requesting that users change their password as soon as possible before it expires. This tactic can scam unwary users.

The scheme is familiar. Phishers distribute a malicious link or attachment to extract login credentials and account info directly from the user so as to gain privileged access to secured data. The message is often urgent and pushes the target to act quickly.

Let’s see a few examples. The following (shared by Imperva) illustrates a common phishing scam attempt:

  • A spoofed email ostensibly from is mass-distributed to as many faculty members as possible
  • The email claims that the user’s password is about to expire. Instructions are given to go to to renew their password within 24 hours

Once the user clicks on the link, different actions can occur. For example:

  • The user is redirected to a page that looks like part of the site. This is actually a bogus page where both new and existing passwords are requested. The old, original password is hijacked and quickly used by the attacker to gain access to the account and network
  • The link lands the user on the actual password renewal page. In the background, it loads a malicious script that hijacks the user’s session cookie, results in a reflected XSS attack and opens the account to the attacker

Here is a copy of what fake email text might look like in a phishing attack (as shared by the Police Federal Credit Union). Here, the user is lured by providing even a temporary password. Again, the tone is urgent.

Dear User,

This notification is mailed to you concerning your online banking user password has been expired.

Create a new user password by following these steps:

  • Log into your online banking by our secure link for Expired Password (link removed) and entering the temporary password below. Your temporary password is: vn#E
  • You will then be prompted to change your password.

This temporary password will expire in 24 hours.

While all of these tactics are annoying, phishing makes the practice worthwhile for scammers. In fact, a phisher’s main attack vector for such a scam consists of simply sending emails stating that “your password will expire and be changed unless you login and confirm that you want to keep it the same”; the subject is often a line like “Account Update” to attract attention immediately. The message may appear to originate from a reputable source (e.g., a major credit card company) and often from an account used daily by the user.

Other emails, instead, ask for users to enter the last password they remember. According to Slawomir Grzonkowski, Principal Research Engineer at Symantec Ltd., the password recovery scam that consists of typing your login or username and password is designed to trick users into handing over account access info. This can also be done simply through social engineering or by the attacker disguising himself as a trustworthy entity.

Phishers do, indeed, have many tricks up their sleeves to deceive you. This includes running scams and attacks through your mobile phone. And because cellphones are often registered as an additional form of verification, the user does not suspect foul play when receiving a warning via SMS.

The phisher often interacts with the targets and even makes further requests or sends the victim a message such as “Thank you for verifying your Google account. Your temporary password is [TEMPORARY PASSWORD].”

How to avoid phishing

Phishing attempts are often clever, and it can be hard to spot the scam in between the so many legitimate emails or SMSs that we all receive every day. So how can users defend themselves? Though phishing attacks are becoming increasingly difficult for even trained and knowledgeable users to detect, it’s still possible to not fall victim to such scams.

In addition to making sure your browser is up to date and has pop-ups disabled, include anti-phishing security features. Learn to recognize the most common signs of a malicious email and refrain from responding to text messages or opening webmail attachments asking for account numbers and passwords.

Security awareness training is, however, the best defense for users. They can learn to take countermeasures to protect themselves against fraudulent attempts by phishers trying to obtain sensitive information. In a company setting, class training, simulation exercises, tip-of-the-day messages, posters and more can be effective education.

Users should learn the importance of creating complex passwords and to never follow links when asked to update information. The best course of action is to use a web browser to independently access the site that appears to have sent the email or verifying information from there. If the URL doesn't match the address of legit business it could be a phishing attempt. It is also possible to verify the legitimacy of the request by contacting the alleged sender by phone.

At the end of the day, it’s important to take all the necessary steps not to take the bait and report the incident. A suspected, fraudulent email should be hard-deleted after having reported it to the company anti-spam department. Complaints can be sent to FTC at and the webmail can be forwarded to the Anti-Phishing Working Group:

Developing employees: Phishing awareness

With many internet users being vulnerable to phishing account scam emails, it really comes down to awareness. A number of government websites and private organizations offer phishing recognition training.

The FTC, for example, has information on recognizing and avoiding scams with a number of tips and actions users can take to protect themselves. There are also programs that companies can use to help develop their staff such as the Infosec IQ phishing simulator. Basically, it’s important to test each person’s susceptibility to phishing and understand if they overlook deceptive cues.


Phishing attacks are successful because they target basic human natural responses. It’s important to strengthen the “human firewall” by implementing phishing countermeasures and introducing employees to the best practices for identifying and mitigating phishing.

Phishing schemes conducted through webmail or popups requesting password updates are especially effective. Stealing the credentials on one site can actually have even wider consequences, as users often reuse passwords or use a variant of them between different online accounts.

Taking everything into account, can you spot an email phishing scam and password fraud and avoid them? If the answer is no, then there’s no better time to learn to be very cautious about any requests that might ask to “verify your account” or “confirm your password.”

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.


Daniel Brecht
Daniel Brecht

Daniel Brecht has been writing for the Web since 2007. His interests include computers, mobile devices and cyber security standards. He has enjoyed writing on a variety of topics ranging from cloud computing to application development, web development and e-commerce. Brecht has several years of experience as an Information Technician in the military and as an education counselor. He holds a graduate Certificate in Information Assurance and a Master of Science in Information Technology.