Phish of the Week: Callback Phishing via Temu Password Reset
This Phish of the Week features a callback phishing attack that abuses a legitimate Temu password reset notification. Temu is a widely used shopping platform with a large global user base, making it a credible vehicle for phishing lures. What makes this attack particularly effective is that the email itself is real — it is a genuine Temu system notification, not a spoofed message. The attacker has simply found a way to smuggle a malicious phone number into it.
How the attack works:
The recipient receives what appears to be a standard Temu password reset email. The email looks entirely legitimate: it comes from a real Temu sender address, uses official Temu branding, and contains a genuine password reset code.
However, the attacker has triggered the password reset request themselves and abused Temu's account name field to inject a malicious phone number into the notification. The email body reads: "Hi Not You? Call us Now: [MALICIOUS PHONE NUMBER]" — framing the phone number as a customer support contact for anyone who did not request the reset.
The reset button in the email leads to the legitimate Temu website. The button is not the attack vector. The goal is solely to get the recipient to call the attacker-controlled phone number.
Once the target calls, the attacker most likely poses as customer support and attempts to extract sensitive information or account credentials through social engineering.
Why the attack works:
This attack is effective precisely because the email is genuine. It passes every technical check — the sender domain is real, the branding is authentic, and the content mirrors what a legitimate password reset notification looks like. There is nothing that would immediately signal that something is wrong.
The choice of lure is deliberate. A password reset email the recipient did not initiate is inherently alarming — it implies someone may be trying to access their account. That anxiety can push people to act quickly without stopping to verify. The framing plays into this perfectly: "Hi Not You? Call us Now" feels helpful rather than threatening, positioning the injected phone number as a natural next step for anyone who is confused or concerned.
Callback phishing moves the attack off email entirely. Once the target is on a phone call, there are no links to scan, no attachments to flag, and no technical safeguards in place — only a human attacker using social engineering, ready to exploit the caller's distress and urgency.
How to spot similar attacks:
- An unexpected password reset email you did not request is worth treating with suspicion, even if it looks completely legitimate
- A phone number appears embedded mid-sentence in what should be a greeting or account reference field — an unusual placement that suggests the content has been injected rather than generated by the system
- The email contains actionable instructions — such as a phone number to call — that go beyond what a standard automated reset notification would include
- The phone number in the email is not found anywhere on the official platform's website or support pages
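As an added example, not part of the Hoxhunt post, the greeting-field heuristics above expressed as a small Python mail-filter check run over two constructed sample bodies. The Temu-like wording, the sample phone number and the `OFFICIAL_SUPPORT_NUMBERS` allowlist are assumptions, not values taken from a real campaign.

```python
import re
from typing import Optional

# Constructed sample bodies (not real Temu emails). The second mirrors the lure
# described above: the attacker's account name is rendered into the greeting.
CLEAN_RESET = """Hi Alex,
We received a request to reset your password.
Your verification code is 482913.
If you did not request this, you can safely ignore this email."""

INJECTED_RESET = """Hi Not You? Call us Now: +1 555 010 0199,
We received a request to reset your password.
Your verification code is 482913.
If you did not request this, you can safely ignore this email."""

# Hypothetical allowlist of the platform's published support numbers (digits only).
OFFICIAL_SUPPORT_NUMBERS = frozenset({"18005550100"})

GREETING_RE = re.compile(r"^\s*(?:hi|hello|dear)\s+(?P<name>.+?)\s*,?\s*$", re.I)
# Eight or more digits with optional +, spaces, dots, dashes or parentheses.
# A six-digit verification code deliberately does not match.
PHONE_RE = re.compile(r"\+?\(?\d[\d\s().-]{6,}\d")
CALLBACK_RE = re.compile(r"\b(?:call|phone|dial)\b.{0,30}?\b(?:us|now|immediately)\b", re.I)

def greeting_name(body: str) -> Optional[str]:
    """Return the display name rendered into the first-line greeting, if any."""
    lines = body.strip().splitlines()
    match = GREETING_RE.match(lines[0]) if lines else None
    return match.group("name") if match else None

def analyse(body: str, official_numbers: frozenset = OFFICIAL_SUPPORT_NUMBERS) -> list:
    """Apply the greeting-field heuristics from the post; returns (rule, evidence) pairs."""
    findings = []
    name = greeting_name(body)
    if name is None:
        return findings
    for match in PHONE_RE.finditer(name):
        digits = re.sub(r"\D", "", match.group())
        # A phone number where a display name belongs is the injection signature;
        # one that is not on the published support list is the stronger signal.
        rule = "official_phone_in_greeting" if digits in official_numbers else "unknown_phone_in_greeting"
        findings.append((rule, match.group()))
    if CALLBACK_RE.search(name):
        findings.append(("callback_lure_in_greeting", name))
    return findings

def is_suspicious(body: str) -> bool:
    return bool(analyse(body))
```

The check is intentionally scoped to the greeting line so that the legitimate reset code and body text do not trigger it; a production filter would also compare any number found against the platform's published support contacts.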
What is Phish of the Week?
Phish of the Week is a weekly content initiative by Hoxhunt's Threat Operations team. Each week, we highlight a current phishing trend or notable real-world attack, covering what the threat is, how it works, and what to watch for to spot similar attacks in the future. The goal is to build consistent recognition of evolving phishing themes and tactics over time.