Is This Microsoft 365 Email Real or a Phishing Attempt?

You’ve just logged into your account and suddenly your heart drops.

It’s the dreaded moment you realise you’ve opened a phishing link or attachment. Hopefully, you haven’t entered your credentials! But don’t be ashamed if you have, it’s not uncommon for recipients to do so and even IT professionals sometimes get caught.

Phishing attacks are a common tactic used by cybercriminals to trick you into giving them your credentials. Office 365 users are often targeted in convincing-looking phishing attacks designed to specifically steal their Office 365 login credentials.

In our latest blog we’ve summarised some tips on what to look out for and what to do if you open a link.

Can you tell the difference?

Most people are now aware that an email asking for your bank details so you can claim your lottery winnings is a phishing attempt. But phishing attacks have become increasingly sophisticated and it can be difficult to tell the difference between a legitimate email or landing page and a fake.

An Office 365 phishing attack is a perfect example as with more than 75 million daily users, it’s a good pond for them to go phishing in.

Take a look at the two following screenshots of emails sent to Microsoft Teams users. What do you think, are they real or fake?

How to spot a phishing attempt

Here are some obvious ways to tell if an email or landing page is a phishing scam.

1. The Sender’s Details. Keep an eye out for misspelt words, stray hyphens or unfamiliar domain names. For example, a common differentiation between legitimate senders and phishers might be something like info@paypal.com versus acounts.user@pay-pal.com.
2. Urgency. Phishing scams often attempt to use fear to create a sense of urgency prompting users to click.
3. The URL Link. Take a look at the URL of the link that you’re being asked to click. You can do this by hovering your cursor over the link and determining whether the address is secure with ‘https://’ at the beginning and actually goes where it says it’s going. Phishing scams typically direct you to dodgy links and websites that have sinister URLs.
4. The URL spelling. Watch out for subtle misspellings such as micr0soft.com vs. microsoft.com. An “o” has been replaced with an “0” is a common scammer trick.
5. Spelling and bad grammar. Cybercriminals didn’t get A’s in English. Professional companies pay editorial staff to ensure high-quality content, so an email littered with bad spelling and grammar means it could be a scam.

What to do if you open a phishing link

Depending on whether you opened an email attachment or clicked on a link and submitted your credentials here are a few steps you can take to limit the damage.

• Run a virus scan – especially if you’ve opened an attachment.
• Change your password.
• Lookout and correct any changes to your personal details.
• Remove any unrecognised devices.
• Check for any cancelled orders not made by you.
• Remove any stored credit cards.
• Call your credit card providers.

Tips to avoid phishing scams

Here are some easy ways to arm yourself against phishing scams.

• If you’re not sure if an email you’ve received is a phishing attempt or not then instead of following the emails instructions, go directly to the website in your browser and login to your account as you normally would. Legitimate notifications will be listed in your account.
• Enable two factor authentication. If hackers were to get your login information this might prevent them from being able to access your account.
• Use a password manager. Password managers urge you to change passwords regularly and automatically audit your passwords to ensure you don’t use the same one anywhere else.

The best defence for your business

Staff members are a primary target when it comes to phishing attacks with criminals employing social engineering tactics to trick employees into clicking on a malicious link/attachment, and commencing an attack.

Anti-virus tools do not protect against all attacks which means the most effective way to combat cybercriminals is through education. In businesses, employees are your frontline defence, but do they know what to look out for? To help you educate your staff, we have put together a free cybersecurity training guide. Use our guide to increase your employees cybersecurity knowledge, identify where there may be gaps, and prevent your organisation from falling victim to an attack.

Chat to the experienced Evologic team today if you have any questions about phishing attacks or about how we can help you stay protected from phishing scams.