The pattern
You get a text, email, or pop-up: 'Suspicious login detected. Verify now or your account will be suspended in 24 hours.'
The link goes to a page that looks identical to the real thing. The URL is slightly off: coinbase-secure.com, apple-id.net, paypa1.com.
How to verify in 10 seconds
- Never click the link in the message
- Open a NEW tab, type the URL yourself (coinbase.com, apple.com)
- Log in there — if there's a real alert, it will be in your account
- If you already clicked: change your password from a clean device, revoke active sessions, enable hardware 2FA