Is this security alert real or phishing?

A security alert can be genuine, fraudulent, or a genuine alert triggered by someone else trying to access your account. You do not need to decide which one it is by trusting the message. The safer approach is to investigate through a separate path that you control.

Do not enter a password or verification code on Login.com. We cannot verify individual accounts or messages. The steps below help you check the situation through the relevant service itself.

Do not use the message as your doorway

Avoid clicking links, downloading attachments, replying, or calling a number contained in the alert. Even a convincing message can lead to a lookalike site or a person pretending to be support. Instead, open the service’s official app, use a trusted bookmark, or type its known web address yourself.

Once there, check recent sign-ins, security activity, notifications, or account settings. If the service sent a real alert, the same event is often visible inside the account. The absence of an in-account notice is not conclusive, but it is an important signal.

Warning signs inside the message

  • Pressure or threats: claims that you must act immediately or your account will be closed.
  • Requests for secrets: demands for a password, verification code, recovery code, payment-card details, or remote access to your device.
  • An unexpected attachment: especially a file presented as a security report, invoice, or account form.
  • A mismatched destination: the visible link text names one site, but the actual destination is different.
  • Unusual sender details: a misspelled domain, a free email account, or a reply-to address unrelated to the claimed organization.

None of these signals works perfectly on its own. Real security messages can be poorly written, and sophisticated phishing can look polished. That is why the independent-check method matters more than appearance.

What if the message includes a verification code?

A code you did not request may mean that someone entered your email address or phone number while attempting to sign in. It does not necessarily mean they have your password, but it deserves attention. Do not share the code with anyone, including someone who contacts you claiming it was sent by mistake. Open the official service directly and review account activity and security settings.

If the activity was not yours

Change the account password through the official app or site. Use a unique password that you do not use elsewhere. Review active sessions and sign out unfamiliar devices. Check whether the recovery email, phone number, mailing address, or multi-factor authentication settings were changed. Look for new forwarding rules, connected applications, payment methods, or transactions.

If the same password was used on another service, change it there too. If the account involves money, medical information, work systems, or identity documents, contact the organization through a verified channel and preserve screenshots or message headers for your records.

If the activity was yours

Legitimate alerts can be triggered by a new phone, a browser update, cleared cookies, travel, a privacy network, or a different internet connection. Confirm that the time, location, device, and action are reasonably consistent with what you did. Approximate locations can be wrong because they are inferred from an internet address rather than precise device location.

Report the suspicious message carefully

Many services provide an official phishing-reporting address or an in-app reporting feature. Find that information on the organization’s own site, not inside the suspicious message. Your email provider may also offer a “Report phishing” control. Reporting helps improve filtering, but do not forward sensitive codes or personal information more widely than necessary.

Last reviewed: July 14, 2026. This guide provides general information and cannot authenticate a specific alert.