Desperate times can lead to desperate mistakes.
By far the number one topic on Ask Leo! (as measured by page and video views) is what to do if you’ve lost your password and can’t log in to a service you rely on. Google tops the list, but the problem applies equally to other online services like Outlook.com, Facebook, and more.
There are several reasons you might find yourself in that position, but they’re all made worse by the desperation that can result when account recovery mechanisms don’t seem to work.
And there are many scammers out there ready to take advantage of your panic.
Account recovery scams
Failed account recovery is one of the most frequent issues posted to Ask Leo!. Google, Outlook.com, and Facebook are common services involved. When recovery fails, it’s easy to become more vulnerable to scams. To avoid getting scammed, follow recovery steps carefully, keep your recovery info updated, use two-factor authentication, and always be on the lookout for scammers.
Why account recovery might not work
You can’t log in, so you use “forgot my password” or other recovery techniques, and nothing works. There are several reasons that might be.
- You didn’t follow the account recovery process carefully and completely, examining all the options offered along the way.
- You didn’t have account recovery information (such as alternate email addresses or alternate phone numbers) configured for the account.
- You had account recovery information set up, but it’s out of date; you no longer have access to the recovery email address or phone.
- Someone has so thoroughly hacked your account that they changed all the information that might be used for recovery.
I don’t mean to blame the victim, but it’s important to understand the actions that can cause a failure to recover your account.
Now you’re worried and frustrated. What next? You might turn to the internet and search for help. It’s important to be careful if you do.
Search cautiously
I’m tempted to say not to search for help at all, but that’s not practical.
There are good sources of help — sites and individuals, including myself, who may cover something you’ve overlooked or weren’t aware of or may just help you understand the bad news that you’re out of luck. Hopefully, they’ll include information on how to avoid the situation in the future.
But there are also scammers. So. Many. Scammers.
You need to be exceptionally careful when you search for help. The search results will contain items that look like legitimate ways to contact the company you’re interested in but will connect you with scammers instead. They’ll pretend to be the company and pretend to help you — usually at some financial cost or by requiring that you hand over other account or personal information.
Remember, most free services do not have phone numbers you can call. Go to the website of the company in question and carefully navigate their site (and only their site) for your support options.
Ignore the comments
Scammers continually insert comments on discussion forums, comments and posts on social media, account-recovery videos[1], and articles with promises of help.
There are a couple of red flags that help identify scam/spam comments.
- Fake testimonials: lavish thanks to some recovery service for having helped.
- Indirect reference: a company or username and the instructions to look them up, often on another service such as Instagram.
To be clear: these are fake. They will not help you recover your account. They do not have access to any more tools or techniques than you do. At best, they’ll take your money and disappear. At worst, they’ll convince you to supply information about other online accounts or credit card credentials, leading to significantly more damage.
Do this
Of course, the best way to avoid these support scams is to prevent the need for that kind of support in the first place. When it comes to account recovery, this is in your control. There are two things you should do so you don’t lose access to your accounts in the first place.
- Add two-factor authentication.
- Keep your recovery information up-to-date.
Together, those actions help secure your account and allow you to recover should you ever need to. But above all, don’t expect or rely on customer support for free accounts; and don’t trust the comments and thinly veiled ads that scammers run.
Footnotes & References
1: It’s a constant battle on my YouTube channel.
Just a heads up about recovering a Microsoft account. If a user gets to the point of using their recovery code, Microsoft imposes a thirty day waiting period before the user can get back in.
I discovered this the hard way when an individual had locked himself out of his computer with too many incorrect attempts using a PIN and his password for his Microsoft account.
I was able to make an image of his computer’s hard drive using Macrium Reflect and then mount that image on a virtual machine on mine. Surprisingly (for me) I was able to find his password, then used it to log into his account online. Once I made the changes to his recovery phone number and email, a message showed up from Microsoft that I wouldn’t be able to log in for 30 days. Sure enough, 30 days later he was able to log in.
This individual has suffered a series of strokes, which has affected his ability to recall his PIN at times and his coordination to some extent when typing it in. I set up his account recovery plans on all his accounts when we were back into them, this time using a password manager to manage them.
After going through all that, I made sure everyone in the household with an account of any type had recovery plans in place and knew how to find them. It is a lot easier to do ahead of time and not resort to Hail Marys, hoping something worked.
I’m a long time LastPass user. When I learned of the data breach, I started going through all my Internet accounts to change and lengthen my password (from 12 to 16 characters), and to check that I had 2FA enabled on each account. For the few accounts I found that didn’t offer/support 2FA, I looked for a replacement, and took steps to delete/close the account and all information it held. My logic was/is that if the service doesn’t care enough about my account security to support/offer 2FA, I don’t want to trust them with my information/data. There was one account that had no mechanism to close/delete the account, and no contact information listed, so I changed my username to anon, and my email address to IQuit@rightnow.com. The site wanted my real name, so I changed it to Anonymously Yours, then I removed it from my LastPass vault and never looked back. As one of my annual routines, I go through all my Internet accounts to weed out any I no longer use/want, and to confirm that they all have 2FA enabled. To this day, one of my main criteria for setting up an Internet account with any service is to check that it supports 2FA. If not, I cancel the setup operation and look elsewhere for a similar service that does support/offer 2FA. I also take pains to set up an alternate email address (I use one of two addresses for that purpose), and record all account recovery information (including brief usage instructions), then add it to the account’s item in my LastPass vault, in the notes area. This way, if I ever have to recover an account, I know exactly where to look for what I’ll need. By checking all my Internet accounts annually, and setting up (and recording) all available account recovery options when I create an account, then moving that information into the account’s item in my LastPass vault, I ensure that I can recover any account I have, no matter what happens. 
The only way all this could fail would be if LastPass abruptly disappeared from the Internet/stopped doing business, and I don’t see that happening anytime soon. To handle that remote possibility, I also export my LastPass data annually, and save it in my OneDrive vault, with the year added to the file name, so I know what I’m looking at later.
Ernie (Oldster)
Ernie
“The only way all this could fail would be if LastPass abruptly disappeared from the Internet/stopped doing business”
If LastPass goes out of business, the program and local vault should still work and give you time to import your vault into a new password manager. There are other things that can go wrong, so backing up your password vault is also an important protection against loss. If you aren’t the only person with access to your computer, it’s also a good idea to encrypt your vault backup. An encrypted .zip file is fine for that.
I have read this with interest as I recently lost £300 before I smelt a rat. What accounts are we talking about here? Is it email accounts or all the websites that I have joined, even if it was a one-off purchase?
They may try to fool you with just about any account, but email and banking accounts are likely the most valuable.
I’d add social media accounts as popular scam targets.