Password security?

In the past 24 hours, I’ve received 26 security alerts from Microsoft, each containing a different one-time login code for my Microsoft account.

Each email reads, “We’ve received your request for a single-use code to use with your Microsoft account.” They go on to state, “If you didn’t request this code, you can safely ignore this email. Someone else might have typed your email address by mistake.”

Emails like this are hardly effective security alerts.
Seriously, Microsoft?

The idea that someone mistakenly typed my email address 26 times in quick succession, overnight while I was asleep, stretches credulity to the breaking point. Is it not more plausible that this is someone (or something) attempting to gain unauthorised access to my account?

The dismissive tone of Microsoft’s alert does a disservice to its users. By suggesting that these repeated login attempts are most likely the result of an innocent typo, they downplay the very real possibility of a malicious attack. The email subject line “Your single-use code” does nothing to suggest this is something important requiring immediate attention.

At a time when cyber threats are on the rise and becoming increasingly sophisticated, such alerts need to reflect the reality of the situation rather than reassure the user with an explanation that is unlikely to be true.

One or two attempts by someone mistakenly typing my email address might be credible, but 26 in quick succession?

It’s not just Microsoft; other services like Spotify are guilty of this as well.

You, too, Spotify!

I’ve highlighted just two companies from my own experience. This is only the tip of the iceberg, though. All organisations should take a more proactive stance in educating and protecting their users rather than offering blanket assurances that there’s nothing to worry about. At a minimum, they should encourage users to take action if they receive multiple unsolicited login attempts.

A More Effective Security Alert

Instead of dismissive messaging about someone “mistakenly typing” your email address, companies should frame their alerts to inform and empower the user. Here’s a suggestion for Microsoft for more effective wording:

Subject: Security Alert: Multiple Unsuccessful Login Attempts on Your Microsoft Account

Body:

Dear [User’s Name],

We have detected multiple unsuccessful login attempts to your Microsoft account using single-use codes within the past 24 hours.

If you did not initiate these requests, this could indicate that someone is trying to gain unauthorised access to your account.

Here’s what you can do to secure your account:

  1. Change your password immediately. If someone is attempting to access your account, they may have partial information.
  2. Enable two-factor authentication (2FA). This adds an additional layer of security.
  3. Review your account activity. Check for any signs of unauthorised access.
  4. Contact Microsoft Support if you have concerns about your account’s security.

Your security is our top priority. Please take action to ensure your account remains safe.

Stay safe,
The Microsoft Account Team

Note that the subject line starts with ‘Security Alert’. By framing the email this way, Microsoft acknowledges the possibility of a deliberate attack, encourages proactive measures, and provides clear steps for the user to secure their account. This approach is far more effective than dismissing the situation with the assumption of a simple, innocent typo.
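The escalation argued for above can be expressed as a simple rule over the provider's own authentication log. The following is an added illustration, not Microsoft's or Spotify's code and not part of the original post: it counts single-use code requests per account that were never followed by a successful sign-in, evicts requests older than a rolling window, and switches from the routine subject line to the security-alert subject once the count crosses a threshold. The log format, the event names `code_requested` and `code_used`, the 24-hour window and the three-request threshold are assumptions chosen for the example, and the sample log lines are constructed.

```python
"""Escalate one-time-code emails from 'you can safely ignore' to a security alert.

Added example. Assumes an authentication log with one line per event:
    <ISO-8601 UTC timestamp> <event kind> <account>
where the event kinds are 'code_requested' and 'code_used' (assumed names).
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for the example: a rolling 24-hour window and escalation on the
# third unused code request inside it.
WINDOW = timedelta(hours=24)
THRESHOLD = 3

BENIGN_SUBJECT = "Your single-use code"
ALERT_SUBJECT = "Security Alert: Multiple Unsuccessful Login Attempts on Your Account"

# Constructed sample log: four overnight requests for one account, none used;
# one request for another account that was used to sign in, then one more.
SAMPLE_LOG = """\
2024-03-01T22:05:11Z code_requested alice@example.com
2024-03-01T22:06:40Z code_requested alice@example.com
2024-03-01T22:07:02Z code_requested alice@example.com
2024-03-01T22:09:55Z code_requested alice@example.com
2024-03-02T08:15:00Z code_requested bob@example.com
2024-03-02T08:15:42Z code_used bob@example.com
2024-03-02T09:30:00Z code_requested bob@example.com
"""


def parse_events(text):
    """Parse log lines into (timestamp, kind, account) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, kind, account = parts
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, account))
    return events


def classify(events, window=WINDOW, threshold=THRESHOLD):
    """Return one (account, subject, unused_count) decision per code request, in log order.

    A successful sign-in with a code clears that account's pending requests, so
    only codes that were requested but never used count towards escalation.
    """
    unused = defaultdict(deque)  # account -> timestamps of unused code requests
    decisions = []
    for ts, kind, account in events:
        pending = unused[account]
        if kind == "code_used":
            pending.clear()
            continue
        if kind != "code_requested":
            continue
        pending.append(ts)
        # Drop requests that have aged out of the rolling window.
        while ts - pending[0] > window:
            pending.popleft()
        count = len(pending)
        subject = ALERT_SUBJECT if count >= threshold else BENIGN_SUBJECT
        decisions.append((account, subject, count))
    return decisions


def render_alert(account, count, window=WINDOW):
    """Build the escalated (subject, body) pair, stating the observed count and window."""
    hours = int(window.total_seconds() // 3600)
    body = (
        f"We have detected {count} single-use code requests for {account} in the past "
        f"{hours} hours that were not used to sign in.\n"
        "If you did not initiate these requests, someone may be trying to gain "
        "unauthorised access to your account. Change your password, enable "
        "two-factor authentication and review your recent account activity."
    )
    return ALERT_SUBJECT, body


if __name__ == "__main__":
    for account, subject, count in classify(parse_events(SAMPLE_LOG)):
        print(f"{account}: {count} unused request(s) -> {subject}")
```

The first two requests for the same account still get the routine email, because one or two mistyped addresses are plausible; the third unused request inside the window is what flips the subject line, which is the distinction the post is asking providers to make.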

Why Companies Should Do Better With Security Alerts

Ignoring the possibility of a security threat isn’t just negligent – it actively places users at risk. Users should be encouraged to take control of their security with the support and guidance of the platforms they use. Companies should acknowledge the potential risks instead of providing a false sense of security, and offer practical advice.

Security is a shared responsibility between users and service providers. By improving their alerts and taking potential threats seriously, companies like Microsoft and Spotify can empower their users to protect themselves in an increasingly risky digital landscape.
