Account Recovery Security

Defend account recovery from social engineering.

What You'll Learn

Training Steps

  1. A Busy Monday Morning

    Welcome to Crescent Healthcare Systems! You are Alice, a patient care coordinator who manages sensitive patient records and appointment schedules. It's Monday morning and you have a full day of patient consultations ahead. You sit down at your home office desk and prepare to log into the patient management system.

  2. The Unexpected Password Reset

    Before you can even open your browser, a notification pops up on your desktop. A new email has arrived - a password reset request for your work account. Strange. You didn't request a password reset. But lately IT has been rolling out new security policies, so perhaps this is part of that.

  3. The Pressure to Act

    The email looks official. The logo seems right, and the message is urgent - account suspension would mean you couldn't access patient records all day. You need to reset your password quickly before your first patient consultation. There's no time to investigate.

  4. Entering Current Credentials

    The password reset page loads. It asks for your current password to verify your identity before allowing you to set a new one. This seems like a reasonable security measure - after all, anyone could click a reset link.

  5. The Error Message

    After submitting, the page displays an error: 'Unable to process request. Please try again later or contact IT Support.' Frustrated, Alice closes the browser and decides to try the regular login page instead. At least she knows her old password still works.

  6. A Troubling Discovery

    Twenty minutes later, Alice receives a flood of email notifications. Password changed. Recovery email updated. Security questions modified. She tries to log in with her old password. Access denied. She tries the new password she had entered on the reset page. Also denied. Her account has been completely taken over.

  7. Realizing the Attack

    Alice's heart sinks. The email from IT Security confirms her worst fears - her account has been completely compromised. The password, recovery email, and security questions were all changed by someone else.

  8. Analyzing the Phishing Email

    Now Alice looks back at the original password reset email with fresh eyes. What warning signs did she miss?

  9. Checking the Link

    The email contained a link to reset the password. Let's examine where that link actually leads.
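    Steps 8 and 9 ask what warning signs the email carried and where its link really led. The Python script below is an added example, not part of the training scenario; it performs the checks a reviewer would make by hand over a constructed email modelled on the story. The domains ending in .example, the trusted-domain list, the urgency word list and the helper names are all assumptions, not values from the page.

```python
"""Triage a password-reset email for the red flags in the scenario (constructed example)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the organisation's real mail domain; .example is a reserved placeholder TLD.
TRUSTED_DOMAINS = {"crescent-healthcare.example"}
URGENCY_WORDS = ("urgent", "suspend", "suspension", "immediately", "within")
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)

# Constructed sample modelled on the scenario's email (sender and link are look-alikes).
PHISHING_EMAIL = {
    "from": "IT Security <it-security@crescent-healthcare-support.example>",
    "subject": "URGENT: Password reset required - account suspension in 2 hours",
    "html": ('<p>Click <a href="http://crescent-healthcare-support.example/reset?u=alice">'
             'https://crescent-healthcare.example/reset</a> to reset your password. '
             'Enter your current password to verify your identity.</p>'),
}

# Constructed benign message for comparison.
LEGIT_EMAIL = {
    "from": "IT Security <it-security@crescent-healthcare.example>",
    "subject": "Password policy update",
    "html": ('<p>See <a href="https://crescent-healthcare.example/policy">'
             'https://crescent-healthcare.example/policy</a> for the new rules.</p>'),
}


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased hostname of a URL or bare domain string ('' if none)."""
    value = value.strip()
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def sender_domain(from_header):
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def analyse(email):
    """Return a list of (code, detail) findings; an empty list means no red flags."""
    findings = []
    sd = sender_domain(email["from"])
    if not is_trusted(sd):
        findings.append(("sender_domain_untrusted", sd))
    parser = LinkExtractor()
    parser.feed(email["html"])
    for href, text in parser.links:
        actual = host_of(href)
        shown = host_of(text) if URL_LIKE.match(text) else ""
        # The displayed address and the real destination disagree: classic link spoofing.
        if shown and shown != actual:
            findings.append(("link_text_mismatch", f"shows {shown}, goes to {actual}"))
        if not is_trusted(actual):
            findings.append(("link_host_untrusted", actual))
    plain = re.sub(r"<[^>]+>", " ", email["html"]).lower()
    subject = email["subject"].lower()
    if any(w in subject or w in plain for w in URGENCY_WORDS):
        findings.append(("urgency_pressure", email["subject"]))
    # A reset link exists precisely because the user cannot supply the old password,
    # so a page that demands it is harvesting credentials rather than resetting them.
    if "current password" in plain:
        findings.append(("asks_current_password", "reset flow should not need the old password"))
    return findings


if __name__ == "__main__":
    for code, detail in analyse(PHISHING_EMAIL):
        print(f"{code}: {detail}")
```

    Run on the constructed phishing message, the script reports an untrusted sender domain, a link whose visible address differs from its real destination, an untrusted link host, urgency language and a demand for the current password; the benign message produces no findings. The hostname comparison deliberately uses the parsed host rather than string matching on the whole URL, because a look-alike domain can embed the trusted name anywhere in its path or subdomain.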

  10. Contacting IT Security

    Alice needs to act fast. She picks up her phone to call IT Security using the number from her contacts - not any number from the suspicious emails.