Phishing (pronounced: fishing) is an attack that attempts to steal your money, or your identity, by getting you to reveal personal information — such as credit card numbers, bank information, or passwords — on websites that pretend to be legitimate. Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake message, which contains a link to a phishing website.
Learn to spot a phishing message
Phishing is a popular form of cybercrime because of how effective it is. Cybercriminals have been successful using emails, text messages, and direct messages on social media or in video games, to get people to respond with their personal information. The best defense is awareness and knowing what to look for.
Here are some ways to recognize a phishing email:
- Urgent call to action or threats - Be suspicious of emails that claim you must click, call, or open an attachment immediately. Often, they'll claim you have to act now to claim a reward or avoid a penalty. Creating a false sense of urgency is a common trick of phishing attacks and scams. They do that so that you won't think about it too much or consult with a trusted advisor who may warn you.
Tip: Whenever you see a message calling for immediate action take a moment, pause, and look carefully at the message. Are you sure it's real? Slow down and be safer.
- First time or infrequent senders - While it's not unusual to receive an email from someone for the first time, especially if they are outside your organization, this can be a sign of phishing. When you get an email from somebody you don't recognize, or that Outlook identifies as a new sender, take a moment to examine it extra carefully.
- Spelling and bad grammar - Professional companies and organizations usually have an editorial staff to make sure customers get high-quality, professional content. If an email message has obvious spelling or grammatical errors, it might be a scam. These errors are sometimes the result of awkward translation from a foreign language, and sometimes they're deliberate in an attempt to evade filters that try to block these attacks.
- Generic greetings - An organization that works with you should know your name and these days it's easy to personalize an email. If the email starts with a generic "Dear sir or madam" that's a warning sign that it might not really be your bank or shopping site.
- Mismatched email domains - If the email claims to be from a reputable company, like Microsoft or your bank, but it is sent from another email domain such as gmail.com or microsoftsupport.ru, it's probably a scam. Also watch for very subtle misspellings of the legitimate domain name, such as micros0ft.com, where the second "o" has been replaced by a zero, or rnicrosoft.com, where the "m" has been replaced by an "r" and an "n". These are common tricks of scammers, and at a glance they are easy to miss.
- Suspicious links or unexpected attachments - If you suspect that an email message is a scam, don't open any links or attachments in it. Instead, hover your mouse over the link, without clicking, to see whether the real address matches the one shown in the message text. In the original article's screenshot, resting the mouse over the link reveals the real web address in a box with a yellow background, and that address is a bare string of numbers that looks nothing like the company's web address. The visible text of a link can say anything; only the destination revealed on hover tells you where it actually goes.
Tip: On Android long-press the link to get a properties page that will reveal the true destination of the link. On iOS do what Apple calls a "Light, long-press".
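Two of the checks above, the sender-domain check and the hover-to-see-the-real-address check, can be automated for a mailbox or a mail gateway. The Python example below is added here; it is not code from the original article or from any Microsoft product. The trusted-domain list, the confusable-character table and the sample message are constructed for illustration (the link destination uses an RFC 5737 test address), and the example only handles a single-part HTML body.

```python
"""Added example: flag sender-domain lookalikes and mismatched links in an email.
Illustration code for this page, not from the original article or Microsoft;
the brand list, confusable table and sample message are constructed."""
import email.utils
import ipaddress
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains we expect genuine mail from (constructed allowlist).
BRAND_DOMAINS = {"microsoft.com", "contoso-bank.com"}

# Character swaps seen in lookalike domains: the page's micros0ft.com and
# rnicrosoft.com examples, plus a few other common ones.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s")]


def normalize_domain(domain: str) -> str:
    """Undo common confusable substitutions so lookalikes compare equal."""
    d = domain.lower().strip()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def classify_sender(domain: str) -> str:
    """'trusted' if on the allowlist, 'lookalike' if it imitates one, else 'other'."""
    domain = domain.lower()
    if domain in BRAND_DOMAINS:
        return "trusted"
    norm = normalize_domain(domain)
    if norm in BRAND_DOMAINS:
        return "lookalike"          # micros0ft.com, rnicrosoft.com
    for brand in BRAND_DOMAINS:
        if brand.split(".")[0] in norm:
            return "lookalike"      # microsoftsupport.ru: brand name inside another domain
    return "other"                  # gmail.com: simply not the brand


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href: str, text: str) -> list:
    """Return reasons a link is suspicious (empty list means nothing found)."""
    host = (urlparse(href).hostname or "").lower()
    findings = []
    if _is_ip(host):
        findings.append("destination is a bare numeric address")
    # If the visible text itself looks like a domain, it must agree with the real host.
    m = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)", text.lower())
    if m and m.group(1) != host and not host.endswith("." + m.group(1)):
        findings.append(f"text shows {m.group(1)} but link goes to {host or '?'}")
    return findings


def analyze(raw: str) -> dict:
    """Run both checks over a raw single-part message with an HTML body."""
    msg = message_from_string(raw)
    _, addr = email.utils.parseaddr(msg.get("From", ""))
    dom = addr.rpartition("@")[2].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    collector = LinkCollector()
    collector.feed(body)
    suspicious = [(h, check_link(h, t)) for h, t in collector.links]
    return {"sender_domain": dom, "sender_verdict": classify_sender(dom),
            "suspicious_links": [(h, f) for h, f in suspicious if f]}


# Constructed sample message; 203.0.113.7 is a documentation address, not a real site.
SAMPLE = """\
From: "Microsoft Account Team" <security@rnicrosoft.com>
To: user@example.com
Subject: Unusual sign-in activity
Content-Type: text/html

<html><body><p>Verify now at
<a href="http://203.0.113.7/login">https://account.microsoft.com/verify</a>
or your account will be closed within 24 hours.</p>
<p><a href="https://www.microsoft.com/">www.microsoft.com</a></p></body></html>
"""
```

Running `analyze(SAMPLE)` reports the sender as a lookalike of microsoft.com and flags the first link (numeric destination, visible text that claims a different host) while leaving the genuine www.microsoft.com link alone. The confusable folding is deliberately aggressive (it turns "rn" into "m" everywhere), so compare only against a known allowlist, never use it to rewrite addresses.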
Cybercriminals can also tempt you to visit fake websites with other methods, such as text messages or phone calls. Sophisticated cybercriminals set up call centers to automatically dial or text numbers for potential targets. These messages will often include prompts to get you to enter a PIN or some other type of personal information.
For more information see How to spot a "fake order" scam.
Are you an administrator or IT pro?
If you have a Microsoft 365 subscription with Advanced Threat Protection (since renamed Microsoft Defender for Office 365) you can enable ATP Anti-phishing to help protect your users.
If you receive a phishing email
Never click any links or attachments in suspicious emails. If you receive a suspicious message from an organization and worry the message could be legitimate, go to your web browser and open a new tab. Then go to the organization's website from your own saved favorite, or via a web search. Or call the organization using a phone number listed on the back of a membership card, printed on a bill or statement, or that you find on the organization's official website.
If the suspicious message appears to come from a person you know, contact that person via some other means such as text message or phone call to confirm it.
Report the message (see below).
Delete it.
How to report a phishing scam
Microsoft 365 Outlook - With the suspicious message selected, choose Report message from the ribbon, and then select Phishing. This is the fastest way to report it and remove the message from your Inbox, and it will help us improve our filters so that you see fewer of these messages in the future. For more information see Use the Report Message add-in.
Outlook.com - Select the check box next to the suspicious message in your Outlook.com inbox. Select the arrow next to Junk, and then select Phishing.
Note: If you're using an email client other than Outlook, start a new email to [email protected] and include the phishing email as an attachment. Please don't forward the suspicious email; we need to receive it as an attachment so we can examine the headers on the message.
If you’re on a suspicious website:
While you're on a suspicious site in Microsoft Edge, select the Settings and More (…) icon towards the top right corner of the window, then Help and feedback > Report unsafe site.
Tip: ALT+F will open the Settings and More menu.
For more information see Securely browse the web in Microsoft Edge.
What to do if you think you've been successfully phished
If you're suspicious that you may have inadvertently fallen for a phishing attack there are a few things you should do.
While it's fresh in your mind, write down as many details of the attack as you can recall. In particular, note any information such as usernames, account numbers, or passwords you may have shared.
Immediately change the passwords on those affected accounts, and anywhere else that you might use the same password. While you're changing passwords you should create unique passwords for each account, and you might want to see Create and use strong passwords.
Confirm that you have multifactor authentication (also known as two-step verification) turned on for every account you can. See What is: Multifactor authentication
If this attack affects your work or school accounts you should notify the IT support folks at your work or school of the possible attack. If you shared information about your credit cards or bank accounts you may want to contact those companies as well to alert them to possible fraud.
If you've lost money, or been the victim of identity theft, report it to local law enforcement. The details you wrote down in the first step will be very helpful to them.
How can you spot these scams?
1. The sender address
The sender's email address is often the first clue that the message is a fake. In this example they haven't even tried to make it look real. If Norton were sending you a real confirmation message it wouldn't come from a dodgy-looking Gmail address. It would come from one of their real domains, perhaps @nortonlifelock.com.

Tip: Some scammers will try to get tricky by using a domain that LOOKS like it could be legitimate, such as @n0rtonlifel0ck.com. The letter "o" has been changed to the number 0, but at a glance you might not notice.
2. To whom it may concern
A scammer who doesn't even know your name plainly has no access to your bank account, so the threatened withdrawal can't happen. A legitimate company would insert your name into a confirmation message; it's easy for them to do with modern billing systems.

3. The logo

Scammers often insert the logo of the organization they're trying to impersonate into the message to make it seem more legitimate. In this case they've used a pretty poor imitation of Norton's logo. They spelled "Norton" correctly and seem to have a yellow color that is pretty close to Norton's, but otherwise it's clearly not Norton's real logo.

Tip: Notice the weird spacing in the "N O R T O N" logo? That's intentional, to try to hide from filters that might be looking for the word "Norton", and it's another clue that this message is bogus.
4. The date format...and other quirks
This message uses an odd date format: "Jan/05/2022". That's another clue that this probably isn't a real confirmation message from a professional company. Aside from the date, the entire message is awkwardly worded and formatted. Why is "Subscription" used as a proper noun, and why is it a different color? Phrases like "...in your bank account statement" or "auto-paid" don't seem like how a professional company would write a customer message. That doesn't mean real messages never have errors, but this much poor writing is suspicious.

5. The phone number

Notice the odd spacing in the phone number? Just like with the logo, that's a trick to try to get around any filters that might be looking for their phone number. Weird spacing like that is one of the big clues that this message is likely to be fake.

Bonus: The fake urgency

Scammers usually try to create some false urgency in order to get you to react quickly and emotionally before you've had time to think about it, or to ask a trusted advisor for their opinion. Notice in this example that it claims that "$499.99" will be withdrawn from your bank account TODAY. Then, curiously, it says you need to contact them "within 48 hours", or "right away." They know you probably won't be fooled if you stop to think about it, so they want you to react before you've had the chance.

What should you do?

Stop. Think. Breathe. Look closely for clues like the ones we just talked about. If you're still not sure if the message is real or fake, ask a friend or family member whose advice you trust. If you still want to confirm if the message is real, open your web browser to a new tab and do an internet search for the organization the message claims to be from. Go to their official website and contact them at their published phone number. If you have an account with them, open your web browser to a new tab and use your own saved favorite or internet search to sign into your account. Then you should be able to see if this mysterious order actually appears in their system.

Important: Never call the phone number, or click any links, in the email message.
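Points 3 and 5 above describe one evasion trick: odd spacing (and, in other samples, invisible characters) inserted into a brand name or phone number so that a filter matching the plain string misses it. The Python example below is added here and is not code from the original article, Norton or Microsoft; it shows how a filter can normalize the text before matching. The brand list, the phone-number pattern and the sample text are constructed assumptions.

```python
"""Added example: undo spacing and zero-width tricks before matching a brand name
or phone number. Illustration code for this page; watch-lists and sample are constructed."""
import re
import unicodedata

# Constructed brand watch-list; a real filter would use its own.
BRANDS = ("norton", "microsoft", "paypal")

# Invisible characters that can be sprinkled inside a word to defeat a naive keyword match.
INVISIBLE = dict.fromkeys(map(ord, "\u200b\u200c\u200d\u2060\ufeff\u00ad"))

# North-American-style phone number, separators allowed between digit groups.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]*)?\(?\d{3}\)?[\s.-]*\d{3}[\s.-]*\d{4}\b")


def normalize(text: str) -> str:
    """Return text with evasion formatting removed, for matching only (not for display)."""
    text = unicodedata.normalize("NFKC", text)   # fold full-width letters, non-breaking spaces
    text = text.translate(INVISIBLE)             # drop zero-width characters and soft hyphens
    # Join runs of single characters separated by spaces: "N O R T O N" -> "NORTON",
    # "5 5 5" -> "555". Heuristic: it also glues "a 2" into "a2", harmless for matching.
    return re.sub(r"\b(\w) (?=\w\b)", r"\1", text)


def extract_indicators(text: str) -> dict:
    """Brand names and phone numbers found after normalization."""
    norm = normalize(text)
    low = norm.lower()
    brands = [b for b in BRANDS if b in low]
    phones = [re.sub(r"\D", "", m.group(0)) for m in PHONE_RE.finditer(norm)]
    return {"normalized": norm, "brands": brands, "phones": phones}


# Constructed sample in the style of the message analysed above (555-01xx is a fictional range).
SAMPLE = ("Thank you for your N O R T O N \u200bSubscription renewal. "
          "$499.99 will be auto-paid from your bank account TODAY. "
          "To cancel, call 1 - 8 0 0 - 5 5 5 - 0 1 9 9 within 48 hours.")
```

On the sample, `extract_indicators` recovers "NORTON" and the digits 18005550199 even though neither string appears contiguously in the raw text. The single-character join is a heuristic that can merge legitimate short tokens, so keep the normalized form for matching and show the user the original.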