Reports of phishing email apparently sent through misused ISP credentials have highlighted a serious risk: compromised email accounts can make fraudulent messages look more credible.
The key lesson is that avoiding only obviously suspicious senders is no longer enough.
When attackers use familiar service names or real-looking mail accounts, recipients are more likely to think the message may be legitimate.
The safer habit is to rely on fixed access routes and verification steps before entering any information.
What the current alert shows
The Council of Anti-Phishing Japan has published an emergency alert about phishing email believed to have been sent through unauthorized use of domestic ISP credentials.
The council lists subject lines impersonating credit cards, online shopping, and delivery problems, and warns users not to enter information through links in those messages.
KDDI’s public notice says unauthorized access was confirmed against a mail system provided for ISP operators, and that up to 14.22 million mailbox-related email addresses and passwords may have been leaked across six affected mail services.
That figure is presented as a maximum while investigation continues, but it is a serious warning for anyone who reuses email passwords on other services.
The danger is that urgency can look natural
Japan’s National Police Agency explains that many phishing cases impersonate mobile carriers, delivery companies, and financial institutions, then lead users to fake sites that closely resemble real ones.
Messages often use urgent reasons such as personal data leakage, unauthorized access detection, or transaction suspension.
When the sender appears trustworthy, small wording differences are not a reliable defense.
Individuals and teams should make the following behavior standard.
- Do not log in from links in email or SMS messages.
- Use official apps, saved bookmarks, or a URL typed directly into the browser.
- Pause before entering card numbers, authentication codes, phone numbers, or email addresses.
- Check through an official support channel whether the requested action is really necessary.
- If an unexpected authentication code arrives, review the account password and login history.
First-response checklist
When a suspicious message arrives, it is more effective to close possible damage paths than to spend time guessing whether the message is real.
| Situation | Do this first | Avoid this |
|---|---|---|
| You opened a link in an email or SMS | Close the page and open the service through its official app or saved bookmark | Continue logging in or entering payment data on the opened page |
| You entered an ID or password | Change the password through the official route and change it on any other service where it was reused | Keep using a slightly modified version of the same password |
| You entered a card number or authentication code | Contact the card issuer, bank, or service provider and ask about suspension or reissue | Wait until a suspicious charge appears |
| You see an unfamiliar transaction | Save statements and messages, then consult the provider and police consultation channels | Delete messages or screens that could become evidence |
Settings that protect your email account
If you keep using an email address that may have been exposed, changing only the password may not be enough.
Attackers can try password resets on other services, intercept authentication codes, or collect personal information from older messages.
Check at least the following settings.
- Change the email password to a long one that is not reused anywhere else.
- Enable multi-factor authentication or passkeys when available.
- Review login alerts, forwarding rules, connected apps, and recovery addresses.
- Enable junk mail and SMS filtering.
- Sign out old devices and unused mail apps.
The Council of Anti-Phishing Japan also recommends avoiding password reuse and using provider security features such as multi-factor authentication and passkeys.
What teams should decide in advance
Phishing prevention fails when it depends only on individual attention.
Teams handling customer support, accounting, hiring, e-commerce, or website administration need rules that are easy to follow under pressure.
- Do not process password reset, billing, refund, or delivery-change requests through links in message bodies.
- Do not paste external-service login credentials into shared chat.
- Confirm urgent payment-change requests through a separate phone or approval route.
- Centralize internal reporting of suspicious messages.
- When warning customers, clearly state the official support channel and verification method.
Fraud messages steal decision time with words such as urgent, important, restricted, unpaid, and delivery failed.
Teams need the opposite rule: the more urgent a request feels, the less procedure should be skipped.
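One way to put these team rules into a central reporting queue (L44) is a small triage helper that applies two of them mechanically: a link is trusted only if it resolves to one of the team's saved official domains, and urgency wording lowers trust instead of raising it. This is an added example, not code from the Council of Anti-Phishing Japan, KDDI or the NPA; `OFFICIAL_DOMAINS` and the sample messages are constructed.

```python
"""Triage helper for a team's central phishing-report queue (added example).

Rule 1: a link is official only if its real host is a saved official domain
        or a subdomain of one (the "fixed access route" from the text).
Rule 2: the urgency words the article lists raise the score, never lower it.
OFFICIAL_DOMAINS and all sample input are constructed for this example.
"""
import re
from urllib.parse import urlparse

# Constructed allowlist standing in for the team's saved bookmarks.
OFFICIAL_DOMAINS = {"bank.example", "shop.example"}

# Pressure words named in the article.
URGENCY_WORDS = ("urgent", "important", "restricted", "unpaid", "delivery failed")

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def is_official(url: str) -> bool:
    """True only if the URL's real host is an official domain or a subdomain.

    urlparse().hostname drops userinfo, so https://bank.example@evil.test/
    yields evil.test; the dotted-suffix check rejects bank.example.evil.test.
    """
    host = (urlparse(url).hostname or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)


def triage(subject: str, body: str) -> dict:
    """Return a verdict and the reasons behind it for the person handling the report."""
    text = f"{subject}\n{body}".lower()
    links = URL_RE.findall(body)
    off_route = [u for u in links if not is_official(u)]
    urgency = [w for w in URGENCY_WORDS if w in text]
    asks_secret = bool(re.search(r"password|authentication code|card number", text))
    # Any off-route link is enough: the "log in from the link" path must be closed.
    if off_route or (urgency and asks_secret):
        verdict = "do-not-click: verify via official app or bookmark"
    elif urgency:
        verdict = "review: confirm through an official support channel"
    else:
        verdict = "low"
    return {"verdict": verdict, "off_route_links": off_route,
            "urgency_words": urgency, "asks_for_secret": asks_secret}
```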
Prepare consultation routes before trouble starts
If you start looking for help only after damage occurs, response slows down.
The National Police Agency advises victims of phishing to consult the nearest police station or the online reporting window for cyber-related incidents.
IPA’s information security consultation desk also provides advice for general security issues such as malware and unauthorized access.
It is worth bookmarking legitimate contact points for your card issuer, bank, telecom provider, e-commerce services, and workplace IT team before you need them.
FAQ
If the sender looks genuine, is the message safe?
No.
The National Police Agency explains that sender names and email addresses can be spoofed, so display information alone is not a reliable way to judge authenticity.
If I only opened the link, do I need to do anything?
If you did not enter personal information, the risk is lower.
Still, check login history through the official route and change the password if anything looks suspicious.
Should I abandon an email address that may have been leaked?
Not everyone can change addresses immediately.
However, you should change the password, enable multi-factor authentication, review forwarding settings, and reconsider whether the address should remain the recovery contact for important accounts.
What should I tell family members or colleagues?
Share four rules: do not enter information through links, check through official apps or bookmarks, never share authentication codes, and contact official support when unsure.
Sources consulted
- Council of Anti-Phishing Japan: phishing email sent through misused domestic ISP credentials
- KDDI: unauthorized access to ISP operator mail system
- National Police Agency: phishing countermeasures
- Council of Anti-Phishing Japan: immediate phishing countermeasures for users
- National Police Agency SOS47 fraud prevention page
- IPA: information security consultation desk