
Cybersecurity threats come in many forms, but phishing remains one of the most common—and dangerous—tactics used by attackers. Phishing doesn’t require high-level hacking skills; it simply preys on human behavior. Phishing attacks are not reserved for large-scale enterprises. Small businesses are often seen by attackers as easy targets due to limited cybersecurity resources or lack of employee training. That’s why understanding what phishing is, how to recognize it, and how to respond is essential for every employee and every business.
So – What Is Phishing?
Phishing is a form of social engineering where cybercriminals impersonate trusted entities—such as banks, service providers, coworkers, or executives—to trick users into revealing sensitive data. This data could include login credentials, financial information, or personal identifiers. Often, the attacker’s goal is to steal money, gain access to internal systems, or launch broader attacks.
Phishing typically starts with an email, but it can also occur through SMS (smishing), phone calls (vishing), or even messaging apps and social media.
How to Identify a Phishing Attack
Phishing attempts have become increasingly sophisticated. While some are riddled with spelling errors and suspicious links, others can closely mimic legitimate business emails. Here are some signs to watch for:
- Urgency or scare tactics: Messages claiming your account will be suspended or that immediate action is required.
- Generic greetings: “Dear customer”, “Dear Sir or Madam”, or “Dear user” instead of your name.
- Unusual email addresses: The display name might look legitimate, but hovering over the address reveals a different, suspicious domain.
- Unexpected links or attachments: Especially from unknown or unexpected sources.
- Unusual branding: Does a company logo look discoloured or low-resolution? Is the font different from the one the company usually uses?
- Requests for sensitive information: No legitimate organization will ask for login credentials or payment info over email.
- Poor spelling and grammar: While not always present, these can be red flags.
Biggest takeaway: Trust your instincts. If something feels “off” – it probably is.

What To Do
- Pause before clicking: Take a moment to evaluate the message, especially if it creates a sense of urgency.
- Hover over links: See where a link leads before you click it. Phishing links often redirect to malicious sites with unknown URLs.
- Check the sender’s address: Look carefully at the full email address, not just the display name. Sometimes even a single letter might be off – an extra “s”, “rn” instead of “m”, etc.
- Report suspicious emails: Use tools like the “Report Phishing” button in Microsoft Outlook or send a screenshot to your IT or security team. In any case, AVOID forwarding the email: forwarding spreads the malicious message and increases the chance that someone else clicks on it.
- Delete phishing messages: After reporting, remove the email from your inbox, if not done automatically. Once your IT team confirms it is malicious, permanently delete – even from the Deleted Items/Recycle Bin.
- Use multifactor authentication (MFA): Even if your password is compromised, MFA provides a critical extra layer of protection (read here about how MFA could have helped this organization).
- Stay informed: Participate in security awareness training, such as Microsoft’s Attack Simulation Training, to improve your ability to recognize and respond to phishing attempts.
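The sender-address and hover-over-link checks above can be automated for a mail-filtering rule or a triage script. The following is an added example, not code from the original post; the trusted domains and the sample header are constructed, and the similarity cut-off is a heuristic chosen for illustration.

```python
from difflib import SequenceMatcher
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed: domains this (hypothetical) organization treats as trusted senders.
TRUSTED_DOMAINS = {"contoso.com", "microsoft.com"}
# Letter swaps that read the same at a glance, as described in the checklist above.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]

def lookalike_of(domain):
    """Return the trusted domain this one imitates, or None if it is trusted or unrelated."""
    domain = domain.lower()
    if domain in TRUSTED_DOMAINS:
        return None
    undone = domain
    for bad, good in CONFUSABLES:  # 'rnicrosoft.com' -> 'microsoft.com'
        undone = undone.replace(bad, good)
    for trusted in TRUSTED_DOMAINS:
        # Exact match once confusables are undone, or a near miss such as one extra
        # letter ('microsofts.com'). The 0.9 similarity cut-off is a heuristic, not a standard.
        if undone == trusted or SequenceMatcher(None, domain, trusted).ratio() >= 0.9:
            return trusted
    return None

def check_sender(header):
    """Warnings for a From: header: lookalike domain, or a brand named only in the display name."""
    name, addr = parseaddr(header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1]
    warnings = []
    imitated = lookalike_of(domain)
    if imitated:
        warnings.append(f"sender domain '{domain}' looks like '{imitated}'")
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in name.lower() and domain != trusted:
            warnings.append(f"display name says '{brand}' but address is '{addr}'")
    return warnings

def check_link(href):
    """What hovering reveals: warn when the link's registrable domain imitates a trusted one."""
    host = (urlparse(href).hostname or "").lower()
    base = ".".join(host.split(".")[-2:])  # crude registrable-domain guess, no public-suffix list
    imitated = lookalike_of(base)
    return [f"link host '{host}' looks like '{imitated}'"] if imitated else []

if __name__ == "__main__":  # constructed sample inputs
    print(check_sender('"Microsoft Account Team" <no-reply@rnicrosoft.com>'))
    print(check_link("https://login.rnicrosoft.com/reset"))
```

A real deployment would replace the two-label domain guess with a public-suffix list and tune the cut-off against your own mail, since short domains need a looser threshold to catch a single swapped letter.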
What Not To Do
- Don’t click on links or download attachments from unknown or suspicious sources.
- Don’t share sensitive information via email or text, even if the request appears to come from a colleague or vendor.
- Don’t reuse passwords across accounts—if one gets compromised, others could be at risk.
- Don’t ignore suspicious emails: Even if you recognize the phishing attempt, someone else in your organization might not. Notify IT or your manager if you receive a suspicious email.
- Don’t forward the suspicious email: this will increase the chance of someone else clicking on it. If you want to warn others, use a screenshot instead.
- Don’t assume small businesses are safe from attacks: Attackers often see smaller companies as low-hanging fruit.
Protect Yourself
Phishing relies on deception—not technical weakness. That means the best defense is awareness and vigilance. Technology like Microsoft Defender for Office 365 provides strong protection, but users remain the first line of defense.
As your Microsoft Services Partner, we’re here to help you implement the right security tools, provide tailored employee training, and run phishing simulations that prepare your team for the real thing.
Want to learn more about protecting your organization from phishing threats? Not sure if your team members could recognize a phishing attack? Fill out the form below and our team will be in touch.