Outlook - What is Phishing

About:

This document explains what phishing is, how phishing attacks work, how they usually appear in a company environment, and how users should respond if they encounter one. The focus is on understanding phishing first, so it is easier to recognise and handle correctly.

What is Phishing?

Phishing is an attack in which someone impersonates a trustworthy person or organisation to trick you into revealing sensitive information, such as passwords, payment card details or personal data, or into taking an action (opening an attachment, approving a sign-in) that hands them access.

!! BE AWARE !!

A phishing message is designed to manipulate you into acting without thinking. This is usually done by creating urgency, fear, or curiosity, and then guiding you to click a link, open an attachment, or provide information.

The person or organisation being impersonated is usually one with authority or trust, such as:
• The CEO or senior management
• Your direct manager
• IT support or internal departments
• Well-known companies like Microsoft or Adobe

Phishing is typically carried out through deceptive emails, but it also happens via text messages (SMS, often called smishing) and phone calls (vishing). The attacker usually tries to guide the victim to a fake website designed to steal credentials or to install malware on the device.

!! BE AWARE !!

In everyday work, you will mostly encounter phishing as fake emails.

How phishing attacks work:

Phishing attacks rely on social engineering rather than on exploiting software vulnerabilities: the attacker manipulates emotions such as urgency, fear, curiosity or deference to authority so that the recipient acts quickly without thinking.

Common goals of phishing emails include:
• Stealing usernames and passwords
• Capturing MFA approvals or session tokens, so that a stolen password is usable even where MFA is enabled
• Installing malicious software
• Gaining access to internal systems

Once access is gained, attackers may move laterally inside company systems or impersonate the victim to target others.

How to recognise phishing attempts:

While phishing takes many forms, common characteristics include:

Suspicious sender:
Always check the actual email address, not just the display name: the display name is free text chosen by the sender, so "Microsoft Account Team" can sit in front of any address. Outlook may show only the display name; hover over or click it to reveal the address. If the address looks strange, is misspelled, or does not match who the sender claims to be, treat the message as a phishing attempt.

Urgent or alarming messages:
Phishing emails often create pressure, such as:
• “Your account will be locked”
• “Immediate action required”
• “Unusual sign-in detected”

The goal is to stop you from verifying the request.

Requests for sensitive information:
Legitimate organisations do not ask for passwords or MFA codes by email, and your own IT department never will. Any such request should be treated as suspicious, as should unexpected requests for personal or payment details.

Unusual links or attachments:
Hover over links to see the actual URL before clicking; the visible link text can say one thing while the link goes somewhere else. If the domain looks odd or does not match the sender's identity, do not click it. On a phone you cannot hover, so do not act on the link there; wait until you are at a computer or report the message instead.
Be especially cautious with unexpected attachments, particularly .exe files, .zip archives, or macro-enabled Office files (.docm, .xlsm, .pptm).

Generic greetings:
Messages using “Dear user” or “Hello customer” instead of your name can indicate phishing.

Poor spelling and grammar:
Many phishing emails contain spelling mistakes, grammatical errors, or awkward language, while legitimate companies usually maintain professional communication standards. The reverse does not hold: well-written phishing is common, so good language is not proof that a message is genuine.

Impersonation of trusted brands or internal roles:
Some phishing emails closely mimic Microsoft, Adobe, or internal IT communications but contain small inconsistencies in wording, branding, or links.
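
To make the checks above concrete, here is an added example (not part of the original guidance) that applies them mechanically to a raw email: a small Python triage script that flags a display name claiming a brand or internal role that the sender's domain does not belong to, pressure phrases in the subject or body, a generic greeting, links whose visible text names a different host than the one they actually go to (exactly what hovering reveals), and attachment types that commonly carry malware (executables, scripts, archives, macro-enabled Office files). The company domain example.com, the brand-to-domain mapping, the phrase lists and the sample message are all constructed assumptions; the domains in the sample use the reserved .example TLD and are not real senders.

```python
"""Rule-based triage of a raw email against the red flags listed above. Added example,
not code from the original page; the mapping, phrase lists and message are constructed."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Sender domains a display name may legitimately claim (assumed; company domain example.com).
CLAIMED_DOMAINS = {"microsoft": ("microsoft.com", "microsoftonline.com"), "adobe": ("adobe.com",),
                   "it support": ("example.com",), "helpdesk": ("example.com",), "ceo": ("example.com",)}
URGENCY_PHRASES = ("immediate action required", "account will be locked",
                   "unusual sign-in", "verify now", "within 24 hours")
# Executables, scripts, archives and macro-enabled Office formats.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".lnk", ".iso", ".zip", ".docm", ".xlsm", ".pptm")
GENERIC_GREETING = re.compile(r"\b(dear|hello|hi)\s+(user|customer|client|member)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#].*)?$", re.I)

def _domain(addr):
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""

def _host(url):
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

class _HtmlLinks(HTMLParser):  # collects (href, anchor text) pairs and the visible text
    def __init__(self):
        super().__init__()
        self.links, self.text, self._cur = [], [], None
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._cur = [dict(attrs).get("href", ""), ""]
    def handle_data(self, data):
        self.text.append(data)
        if self._cur is not None:
            self._cur[1] += data
    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            self.links.append(tuple(self._cur))
            self._cur = None

def triage(raw_message):
    """Return findings as 'RULE: detail' strings; an empty list means no rule fired."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_domain = _domain(addr)
    # 1. Display name claims a brand or internal role that the address domain does not back up.
    for claim, allowed in CLAIMED_DOMAINS.items():
        if claim in name.lower() and not any(
                sender_domain == a or sender_domain.endswith("." + a) for a in allowed):
            findings.append(f"SENDER: display name '{name}' but address is {addr}")
    body = msg.get_body(preferencelist=("html", "plain"))  # attachments are skipped here
    links, text = [], ""
    if body is not None and body.get_content_type() == "text/html":
        parser = _HtmlLinks()
        parser.feed(body.get_content())
        links, text = parser.links, "".join(parser.text)
    elif body is not None:
        text = body.get_content()
    haystack = (str(msg.get("Subject", "")) + "\n" + text).lower()
    # 2. Pressure language in the subject or body.
    if hits := [p for p in URGENCY_PHRASES if p in haystack]:
        findings.append("URGENCY: " + ", ".join(hits))
    # 3. Generic greeting instead of the recipient's name.
    if GENERIC_GREETING.search(text):
        findings.append("GREETING: generic salutation instead of a name")
    # 4. Anchor text shows one host while the href goes to another (what hovering reveals).
    for href, shown in links:
        shown = shown.strip()
        if LOOKS_LIKE_URL.match(shown) and _host(href) and _host(shown) != _host(href):
            findings.append(f"LINK: text shows {_host(shown)} but goes to {_host(href)}")
    # 5. Attachment types that commonly carry malware.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            findings.append(f"ATTACHMENT: {filename}")
    return findings

# Constructed sample message; the domains use the reserved .example TLD and are not real.
PHISH_EML = """\
From: "Microsoft Account Team" <alerts@account-verify.example>
Subject: Immediate action required: unusual sign-in detected
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear user,</p><p>Your account will be locked within 24 hours. Verify now:
<a href="https://login.account-verify.example/verify">https://login.microsoftonline.com/</a></p></body></html>
--b1
Content-Disposition: attachment; filename="invoice.docm"

AAAA
--b1--
"""

if __name__ == "__main__":
    for finding in triage(PHISH_EML):
        print(finding)
```

Run as a script, the sample message produces one finding per rule. The point is not to replace mail filtering but to show that each red flag in the list above is a concrete, checkable property of the message, and that a message can pass some checks (plausible brand, clean spelling) while failing others; a single failed check is enough to report it.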

Real-world phishing examples:

Recent incidents have included:
• A user clicked a fake Microsoft login link, which required a password reset and revocation of the user's active sessions
• A phishing email impersonating Adobe tried to get the user to download a malicious .exe file
• Social engineering attempts targeted the IT service desk to get MFA reset for privileged accounts

User security guidelines:

  1. Do not visit potentially malicious websites
  2. Do not download unknown or unexpected files
  3. Use only company-approved browsers (Microsoft Edge)
  4. Be cautious when entering company information on external webpages
  5. Do not act on strange or unexpected emails: do not click links, open attachments, or reply until you have verified the sender
  6. Never sign in to private accounts on company devices

!! BE AWARE !!

Private email accounts accessed through the company network can be exposed and compromised, and anything you open or download from them lands on a company device. Best practice is never to sign in to private accounts on your work computer.

What to do if you suspect phishing:

  1. Do not click any links or download attachments
  2. Use the built-in “Report Phishing” or “Report Message” button in Microsoft Outlook
  3. Raise an incident with your company's IT team

If you already clicked a link:
• Disconnect from the network if possible
• Notify IT Security immediately; do not wait to see whether anything happens
• Reset your password and revoke active sessions (your IT team can do this for you), and tell them whether you entered credentials or approved an MFA prompt

Why reporting phishing matters:

Reporting suspicious emails helps protect everyone. It alerts the cybersecurity team and improves automated detection systems, reducing the risk of future attacks.

Sources:

https://www.microsoft.com/en-us/security/business/security-101/what-is-phishing
https://www.uio.no/english/services/it/security/help/fraud-phishing.html
https://www.cloudflare.com/learning/access-management/phishing-attack/

And you are done 😄