All articles
CybersecurityPhishingSecurity Awareness

Phishing 101: What It Is, How to Spot It, and What to Do

Regroove IT Consulting5 min read600 words

Phishing is one of the most common and consistently effective attack methods used against organizations of all sizes. Understanding what it is, how to recognize it, and what to do when you encounter it is one of the most practical security skills anyone who uses email can have.

What Is Phishing

Phishing is an attempt to trick someone into revealing sensitive information, clicking a malicious link, or taking an action that gives an attacker access to accounts or systems. It most commonly arrives via email but also appears in text messages (smishing), phone calls (vishing), and social media messages.

The name comes from the idea of fishing for victims using bait. The bait is usually a convincing message that creates urgency, impersonates a trusted sender, or offers something compelling. The goal is to get the recipient to act before they think carefully about what they are doing.

How to Identify a Phishing Attempt

Phishing messages have patterns, even when they look convincing:

  • Urgency or pressure: "Your account will be suspended in 24 hours," "Immediate action required," or "Your payment has failed." Real organizations rarely threaten immediate consequences for inaction delivered without prior notice.
  • Mismatched sender addresses: The display name may say "Microsoft Support" but the actual email address will be something unrelated. Always check the full address, not just the display name.
  • Suspicious links: Hover over links before clicking. The URL displayed in the email and the URL the link actually goes to may be different. Legitimate organizations link to their own domains.
  • Requests for credentials or personal information: Microsoft, your bank, and your IT department will not ask for your password via email. Ever.
  • Generic greetings: "Dear Customer" or "Dear User" instead of your actual name suggests a mass-sent phishing campaign rather than a genuine communication.

What to Do When You Receive a Suspicious Email

If an email seems suspicious, do not click any links, open any attachments, or reply to the sender. Report it using your organization's reporting process. In Microsoft 365, the Report Message add-in allows you to flag suspicious emails directly from Outlook.

If you are unsure whether an email from a known organization is legitimate, go directly to that organization's website by typing the address in your browser rather than clicking any link in the email. Contact the organization directly through a verified phone number if you need to verify whether the message is real.

What Not to Do

  • Do not click links in emails that create urgency, even if the sender looks familiar
  • Do not open attachments you were not expecting, especially those with unusual file extensions
  • Do not enter credentials on a page you arrived at by clicking an email link
  • Do not forward suspicious emails to colleagues to ask if they think it looks legitimate, as this spreads the risk
  • Do not assume you cannot be targeted because your organization is small or because you have antivirus software

If You Think You Clicked Something

Report it to IT immediately. The faster an incident is reported, the faster it can be contained. Do not wait to see if anything happens. Attackers often move quickly after initial access is gained, and early notification gives your IT team the best chance of limiting the damage.

Regroove IT Consulting

Microsoft Solutions Partner specializing in Managed IT Services and Modern Work, covering Microsoft 365, Teams, SharePoint, Power Platform, and Azure. Helping organizations everywhere get lasting value from their Microsoft investment since 1993.

About Regroove →

Need help with your Microsoft environment?

We work with organizations everywhere. Tell us where you are and what you're trying to solve.

Talk to Regroove