Skip to content
Credential phishing

Account Locked Phishing Email

The email claims your account is locked, suspended, or has suspicious activity. The login button leads to a fake page that steals credentials and sometimes OTPs.

Common script

What the message or call may sound like

Your account has been locked due to unusual activity. Sign in within 24 hours to restore access.
Mechanism

Why this scam works

People react quickly when they believe email, banking, work, or social access is at risk.

Red flags

Stop when you see these signals

  • Sender domain does not match the real service
  • Login button goes to a lookalike or short URL
  • Urgent deadline
  • Requests for password, OTP, backup codes, or recovery email
  • Generic greeting and unusual attachments
Do now

If this is happening to you

  1. Do not click the email button.
  2. Open the service by typing the official website or using the app.
  3. Change password if you entered it.
  4. Review sessions, recovery options, and forwarding rules.
Do not
  • Do not paste backup codes into a link from email.
  • Do not trust display names.
  • Do not forward the email to others as a warning without context.
Save evidence
  • Full sender address
  • Message headers if available
  • URL behind the button
  • Login alerts and session screenshots
Prevent repeat risk
  • Use a password manager to detect fake domains.
  • Enable 2FA and login alerts.
  • Bookmark important services.
Run a check

Use Kaval on this pattern

Answers

Common questions

Can an email display name be trusted?

No. Display names are easy to fake. Check the real sender address and destination URL.

What if I entered my password but not OTP?

Change the password immediately from the real site, log out other sessions, and review recovery settings.

Guides