Phishing Awareness Guide
Phishing is the most common way attackers get into business systems; a large share of reported security incidents begin with a phishing email. It is also one of the most preventable attacks, because it usually depends on persuading a person to act rather than on a flaw in software, so careful habits stop most attempts. This guide shows how to spot phishing attempts, describes the common types, and explains what to do if you make a mistake.
How to Spot a Phishing Email
Phishing emails are designed to look legitimate. Attackers impersonate trusted brands, coworkers, and vendors. Look for these warning signs:
Check the Sender Address
- Look at the actual email address, not just the display name. An email might show "Microsoft Support" as the name, but the address could be support@micr0soft-alerts.com.
- Watch for misspellings: amazom.com, paypa1.com, gooogle.com
- Be suspicious of free email accounts (gmail.com, yahoo.com) claiming to be from a business; companies send from their own domain
- Check for extra words, characters or numbers attached to a legitimate-looking name (micr0soft-alerts.com). Only the registered domain, the part just before the final .com or similar ending, tells you who owns the address; anything added to the left of it is chosen by whoever owns that domain
Look for Urgency and Pressure
- "Your account will be suspended in 24 hours"
- "Immediate action required"
- "You have been selected for an audit"
- "Your payment has failed, update immediately"
Legitimate organizations rarely create this level of pressure. If something feels urgent and scary, that is by design. Stop and verify through a separate channel you already trust (a phone number from your own records or the company's website typed in by hand, not the number or link in the message) before taking action.
Inspect Links Before Clicking
- Hover over any link (without clicking) to see the actual URL. On a phone, press and hold the link.
- Verify that the URL matches the organization the email claims to be from. Read the domain from the right: in microsoftlogin.suspicious-domain.com the owner is suspicious-domain.com, and the "microsoftlogin" in front of it proves nothing. A link that says "Login to Microsoft" but points there is phishing.
- Be wary of shortened URLs (bit.ly, tinyurl.com) in business emails; they hide the real destination, and legitimate companies normally link to their own domains.
- Look for HTTPS, but know that attackers use HTTPS too. The padlock means the connection to the site is encrypted, not that the site is trustworthy.
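The sender and link checks above can be automated. The following Python script is an added example, not code from this guide or from any product it mentions: it parses a message with the standard library, compares the sender's real domain and every link's destination against an assumed list of brand domains, and reports the same warning signs this section describes. The brand list, the URL-shortener list, the simplified "registered domain" rule (last two labels) and the sample message are all constructed for the example.

```python
# Added example (not the guide's own code): the sender and link checks above, automated. Stdlib only.
import difflib
import re
from email.message import EmailMessage
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Brands attackers impersonate, mapped to domains they really send from (assumed list for this example).
TRUSTED_DOMAINS = {
    "microsoft": {"microsoft.com", "microsoftonline.com", "office.com"},
    "paypal": {"paypal.com"},
    "amazon": {"amazon.com"},
    "google": {"google.com"},
}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
LOOKALIKE_CHARS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def registrable_domain(host: str) -> str:
    """Last two labels: the part somebody actually registered. Simplification: assumes a
    one-label suffix such as .com; .co.uk-style suffixes need the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def normalize(name: str) -> str:
    """Undo look-alike tricks: micr0soft -> microsoft, paypa1 -> paypal, gooogle -> gogle."""
    name = name.lower().translate(LOOKALIKE_CHARS).replace("rn", "m").replace("vv", "w")
    return re.sub(r"(.)\1+", r"\1", name)  # collapse repeats, so google -> gogle as well

def domain_findings(host: str, where: str) -> list[str]:
    """Why a hostname is suspicious, or [] when it is a trusted brand domain."""
    rd = registrable_domain(host)
    if any(rd in good for good in TRUSTED_DOMAINS.values()):
        return []
    findings = []
    for brand, good in TRUSTED_DOMAINS.items():
        if any(difflib.SequenceMatcher(None, normalize(rd), normalize(g)).ratio() > 0.8 for g in good):
            findings.append(f"{where} domain {rd} is a look-alike of {brand}")
        elif normalize(brand) in normalize(host):  # micr0soft-alerts.com, microsoftlogin.suspicious-domain.com
            findings.append(f"{where} domain {rd} contains '{brand}' but is not a {brand} domain")
    return findings

def check_sender(from_header: str) -> list[str]:
    """Compare the display name with the real address behind it."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2]
    findings = domain_findings(domain, "sender")
    for brand, good in TRUSTED_DOMAINS.items():
        if brand in display.lower() and registrable_domain(domain) not in good:
            findings.append(f"display name '{display}' but the address is at {registrable_domain(domain)}")
    return findings

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs: the 'hover over the link' check, automated."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def check_link(href: str, text: str) -> list[str]:
    """Does the link go where its visible text claims?"""
    host = urlparse(href).hostname or ""
    findings = domain_findings(host, "link")
    if registrable_domain(host) in SHORTENERS:
        findings.append(f"{href} is a shortened URL that hides its real destination")
    for brand, good in TRUSTED_DOMAINS.items():
        if brand in text.lower() and registrable_domain(host) not in good:
            findings.append(f"link text '{text}' mentions {brand} but points to {host}")
    return findings

def triage(msg: EmailMessage) -> list[str]:
    """Run every check on a parsed message and return the warning signs found."""
    findings = check_sender(str(msg.get("From", "")))
    body = msg.get_body(preferencelist=("html",))
    extractor = LinkExtractor()
    extractor.feed(body.get_content() if body is not None else "")
    for href, text in extractor.links:
        findings += check_link(href, text)
    return findings

def sample_message() -> EmailMessage:
    """Constructed phishing message combining patterns from this guide (not a real email)."""
    msg = EmailMessage()
    msg["From"] = '"Microsoft Support" <support@micr0soft-alerts.com>'
    msg.set_content(
        '<p>Your password expires today. <a href="https://microsoftlogin.suspicious-domain.com/reset">'
        'Login to Microsoft</a> or reschedule your package <a href="https://bit.ly/3xAmPle">here</a>.</p>',
        subtype="html")
    return msg

if __name__ == "__main__":
    print("\n".join(triage(sample_message())))
```

Run it directly to see the warnings for the constructed sample. The look-alike test is a similarity threshold on the normalized domain, so it catches paypa1.com, gooogle.com and amazom.com as near-identical spellings, while micr0soft-alerts.com and microsoftlogin.suspicious-domain.com are reported as containing a brand name inside a domain that brand does not own. A production filter would replace the two-label shortcut with the Public Suffix List and feed it a real brand inventory.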
Be Cautious with Attachments
- Unexpected attachments from unknown senders should never be opened
- Be especially careful with .zip, .exe, .scr, and macro-enabled Office files (.docm, .xlsm)
- Even PDF files can contain malicious links or embedded scripts
- If a coworker sends an unexpected attachment, verify with them directly (by phone or in person, not by replying to the email)
Types of Phishing
Email Phishing
The most common form: mass emails sent to thousands of recipients, impersonating banks, shipping companies, software providers, or government agencies. These emails are generic and rely on casting a wide net. Example: "Your package could not be delivered. Click here to reschedule." works because some recipients really are expecting a package.
Spear Phishing
Targeted emails directed at a specific person or organization. The attacker researches the target and personalizes the email to be more convincing. Example: an email to a clinic's billing department that references the practice's actual name, the name of a real insurance company they work with, and a plausible claim about a rejected batch of claims. Much harder to detect because the details are accurate.
Whaling
Spear phishing specifically targeting executives, owners, or decision-makers. These often impersonate other executives or board members and involve urgent financial requests. Example: an email appearing to come from the CEO to the office manager saying "I need you to wire $15,000 to this vendor today. I am in a meeting and cannot call. Handle it quietly." The urgency, authority, and secrecy are all deliberate manipulation tactics.
Smishing (SMS Phishing)
Phishing via text message. These are increasingly common and harder to verify than email, because a phone shows little about the sender and links cannot be inspected as easily. Example: "Your bank account has been locked. Call 1-800-XXX-XXXX immediately to verify your identity." The phone number connects to the attacker, not the bank; call the number printed on your card or statement instead.
Vishing (Voice Phishing)
Phishing via phone call. An attacker calls pretending to be from IT support, a bank, the IRS, or a vendor. They may use caller ID spoofing to make the call appear to come from a legitimate number. Example: "This is Microsoft support. We have detected a virus on your computer. Please let me connect remotely to fix it."
What to Do If You Clicked
If you clicked a phishing link or opened a suspicious attachment, do not panic. Quick action limits the damage.
- Disconnect from the network. If you are on a work computer, unplug the ethernet cable or turn off Wi-Fi. This can prevent malware from spreading to other systems. Leave the machine powered on unless IT tells you otherwise, so they can examine it.
- Do not enter any credentials. If you clicked a link and it is asking for a login, close the browser immediately. If you already entered credentials, change that password immediately from a different device, change it anywhere else you reused it, and tell IT so they can sign out any sessions the attacker may already have opened; a password change alone does not end an active session.
- Report it immediately. Contact your IT department or MSP. Do not feel embarrassed. Reporting quickly is far more valuable than hiding a mistake. The sooner IT knows, the faster they can contain the threat.
- Do not delete the email. IT needs to analyze it to determine what type of attack it was and whether others in the organization received the same message.
- Run a scan. If your IT team instructs you to, run a full antivirus/endpoint detection scan on your device.
- Monitor your accounts. Watch for unusual activity on any account where you may have entered credentials. Enable MFA on all accounts if you have not already.
How to Report Phishing
- In Outlook: Use the "Report Message" button in the ribbon (if your organization has enabled it) or forward the email as an attachment to your IT team; forwarding as an attachment preserves the original headers, which IT needs to trace the message
- In Gmail: Click the three dots next to the reply button and select "Report phishing"
- To your IT team: Forward the suspicious email to your designated reporting address (ask IT if you do not know what it is)
- To the impersonated organization: Most major companies have a dedicated phishing report address (e.g., phishing@paypal.com, abuse@microsoft.com)
Real-World Patterns to Watch For
- The fake invoice: An email with a PDF attachment labeled "Invoice #38291" from a company you do not recognize. Opening it runs malware or leads to a fake login page.
- The password reset: "Your password expires today. Click here to reset it." The link goes to a fake login page that captures your credentials.
- The shared document: "John shared a document with you on OneDrive." The link goes to a convincing but fake Microsoft login page.
- The HR notice: "Updated PTO policy - review required." Sent to all employees with a link to a malicious document.
- The IT support request: "We are upgrading our email system. Please verify your account by entering your current password." Legitimate IT teams will never ask for your password via email.
Train your team to recognize phishing
We offer hands-on cybersecurity awareness training with simulated phishing exercises so your team learns in a safe environment.
Book a Session