The SBA Application enables an end-user to reset or change a password using “Forgot Password” https://certify.sba.gov/users/password/new URL. End-user can change the password for security reasons or reset it if forgotten. The password reset URL contains a token with special characters. Some email clients will decode/encode it differently. As a result, the token is retrieved by the end-user can be different from the one in the SBA Application.
Verify Token issue
Ask the end-user for the password reset URL
Check the URL contain any non-ASCII characters like %3d, %2a in the URL like the one below