Online Safety
Account recovery attempt history after receiving unexpected security notice emails
Checking Your Email for Signs of a Real Security Notice
An unexpected email about a security notice or account recovery arrives. The first step is to check the sender’s address and the message content. Official security notices usually come from a verified domain tied to the service, not a random address. Look for spelling errors, generic greetings like “Dear User,” or links that do not match the official website. These are common signs of a phishing attempt rather than a real recovery notice. An email asking you to click a link and enter your password or personal details should not be interacted with.
Instead, open a browser and go directly to the service’s official login page by typing the address yourself. Check the account’s security or activity section for any recent recovery requests. A recovery attempt appearing that was not made may mean the email is real, but verification through the official site is still necessary rather than the email link.

Reviewing Account Activity for Unauthorized Recovery Attempts
After confirming the email is from a legitimate source, log into the account through the official website or app. Navigate to the security, activity, or login history section. Look for entries labeled “account recovery,” “password reset,” or “security change.” Compare the time, date, and location of each attempt with your own actions. A recovery request from an unfamiliar device or location means someone may have tried to access the account.
An unauthorized recovery attempt found in the logs means the password needs to change immediately using the official password change page. Enable two-factor authentication if it is not already active. Review the recovery email and phone number to confirm they are still correct and have not been changed. These steps help prevent further unauthorized attempts and secure the account before any real damage occurs.

Using a Quick Checklist to Decide Your Next Action
Each row in the table below gives a clear condition and a safe next step based on what appears in the email and account activity. Move from uncertainty to a concrete step without guessing.
An email that passes the sender check but shows nothing unusual in the activity log means you should monitor the account for a few days. A recovery contact that has been changed without knowledge requires quick action to regain control and report the incident to the service’s support team.
| What to Check | Visible Sign or Label | Next Action |
|---|---|---|
| Sender address | Mismatched domain or misspelled name | Do not click any link; visit the official site directly |
| Account activity log | Recovery attempt from unknown device or location | Change password and enable two-factor authentication |
| Recovery contact details | Changed email or phone number you did not update | Revert changes and contact official support |
Securing Your Account and Reporting the Incident
An unauthorized recovery attempt confirmed requires immediate steps to lock down the account. Start by signing out of all active sessions from the security settings. This forces any unauthorized user to log in again, which they cannot do without the new password. Then review and remove any unfamiliar devices or apps that have access to the account. After securing the account, report the incident to the service’s official support channel. Provide the email received, the time of the unauthorized attempt, and any visible details from the activity log.
Support teams can investigate further and may add extra monitoring to the account. Keep a record of your own actions, such as the password change time and the support ticket number, in case you need to refer back later.