diff --git a/app/controllers/users_controller.rb b/app/controllers/users_controller.rb
index e60f9439f..eb1df74de 100644
--- a/app/controllers/users_controller.rb
+++ b/app/controllers/users_controller.rb
@@ -70,7 +70,7 @@ private
   end
 
   def find_resource
-    @user = User.find(params[:id])
+    @user = User.find_by(id: params[:id])
   end
 
   def authenticate_scope!
diff --git a/spec/requests/users_controller_spec.rb b/spec/requests/users_controller_spec.rb
index abd1adb67..59997f3ce 100644
--- a/spec/requests/users_controller_spec.rb
+++ b/spec/requests/users_controller_spec.rb
@@ -86,7 +86,8 @@ RSpec.describe UsersController, type: :request do
           end
 
           before do
-            allow_any_instance_of(User).to receive(:reset_password_sent_at).and_return(4.hours.ago)
+            allow(User).to receive(:find_or_initialize_with_error_by).and_return(user)
+            allow(user).to receive(:reset_password_sent_at).and_return(4.hours.ago)
             put "/users/password", headers: headers, params: params
           end
 
@@ -199,8 +200,9 @@ RSpec.describe UsersController, type: :request do
 
     context "when the update fails to persist" do
       before do
-        allow_any_instance_of(User).to receive(:update).and_return(false)
         sign_in user
+        allow(User).to receive(:find_by).and_return(user)
+        allow(user).to receive(:update).and_return(false)
         patch "/users/#{user.id}", headers: headers, params: params
       end