If you suspect a phishing email landed in your inbox, the most important thing to know is this: you haven’t done anything wrong yet. What you do next is what matters.
Signs It Is Likely a Phishing Email
These are some general but accurate signs that may give away that the email you received might be a phishing attempt:
The email asks you to verify something, or to provide your password or other sensitive information, and uses urgency or threats to pressure you into clicking the link before you think.
The email contains suspicious attachments.
The email is unsolicited: you didn’t expect it and had no contact with the organization beforehand.
It is also a good idea to look for spelling or grammar mistakes and low-resolution images. Those are often good indicators that the email is not legitimate.
Lastly, hover over the link: this reveals the site you would be taken to. Then look at the email’s sender address. Is it from the same domain?
In our comprehensive guide on How To Avoid Phishing Scams: a Step-by-Step Guide, you can find all the red flags to look for in an email, and how to properly check whether the destination URL and the sender domain match up.
The guide above is a very good aid in recognizing and avoiding phishing.
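As an added example (not from the original article or the guide it links to), here is a small Python script that automates the hover-and-compare check above on a saved .eml file: it extracts the sender’s domain and every link in the HTML body, then flags links whose real destination differs from the sender’s domain, or from the URL shown in the link text. The sample message is constructed for the demo, and the "last two labels" domain rule is a deliberate simplification, so treat the output as a screening aid rather than a verdict.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample, not a real message: link 1's text shows the bank's domain but its href does not; link 2 is genuine.
SAMPLE_EML = b"""\
From: Security Team <noreply@example-bank.com>
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account is locked. Log in at
<a href="https://example-bank.com.login-verify.example">https://example-bank.com/login</a>
or see <a href="https://example-bank.com/help">Help</a>.</p></body></html>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    """Crude 'last two labels' approximation of the registrable domain."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def check_links(raw_eml):
    """Flag links whose real destination differs from the sender's domain or from the URL shown in the link text."""
    msg = email.message_from_bytes(raw_eml, policy=policy.default)
    sender = registered_domain(msg["from"].addresses[0].domain)
    body = msg.get_body(preferencelist=("html", "plain")).get_content()
    parser = LinkExtractor()
    parser.feed(body)
    findings = []
    for href, text in parser.links:
        dest = registered_domain(urlparse(href).hostname or "")
        shown = urlparse(text).hostname if "://" in text else None  # only if the text is itself a URL
        findings.append({"href": href, "destination": dest, "sender_mismatch": dest != sender,
                         "text_mismatch": bool(shown) and registered_domain(shown) != dest})
    return findings
```

Run `check_links(open("suspect.eml", "rb").read())` on a message you saved from your mail client; any entry with `sender_mismatch` or `text_mismatch` set is a link to verify externally before clicking.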
Note: the “silver bullet” for verifying whether an email is phishing is that you can always verify externally. Outside of your mail, on your own initiative, contact the organization it supposedly comes from directly and ask whether the email or request was legitimate.
What to Do Next
What you should do depends on how far the interaction went. If you went through the steps above and suspect you’re really onto a scam, you should look at the steps below.
You Haven’t Clicked Anything
You’re in the best possible position. Do not click any links or open any attachments. Report the email using your email client’s “Report phishing” or “Report spam” option. Most clients will then move or delete it automatically, but if not, delete it yourself.
If the email is impersonating a real organisation: your bank, a delivery company, or Microsoft, you could also forward it to that organisation’s abuse or security team. Most large companies have a dedicated address for this.
Not sure where to find the “Report message as phishing” button? We’ve got you covered: Where Is the Report Phishing Button in Outlook 365? (Quick Guide)

You Clicked But Didn’t Enter Anything or Download Anything
If you immediately landed on a page that looked like a real login portal but didn’t enter any information, you are fine. This was a “credential-harvesting” attempt, the most common kind of phishing. Recognizing that after clicking a suspicious link is all the work required: just make sure you don’t enter any information.
This type of fraud would only succeed if you were convinced it was the real login portal of the actual organization at hand.
Another thing to be aware of is that clicking a link may trigger a “drive-by” download. Although far less common than credential harvesting, it is good to know what it is and the risk it carries.
According to Bitdefender, drive-by downloads can be used to harvest personal information, install banking trojans, or infect your entire network. To reduce the risk, keep your browser and OS up to date, avoid suspicious sites, and run decent endpoint protection.
You can read Bitdefender’s article on drive-by downloads here: What are drive-by download attacks and how do you prevent them?
You can always run an endpoint protection security scan to verify that nothing malicious was downloaded, even if you didn’t see a download prompt.
You Clicked and Entered Credentials or Downloaded Something
This is where it gets more serious.
Take steps promptly to limit damage, the sooner the better. Run through this quick checklist:
- Change your password immediately for the affected account. Ask yourself whether you use that password for other accounts as well; if so, change those passwords too.
- Enable two-factor authentication if it wasn’t on already, and link it to your authenticator app.
- Keep an eye on your account(s) for changes you didn’t make: forwarding rules, a changed recovery email, or logins from an unusual location or IP address.

The following articles go into more detail regarding what happens when you click a phishing link and enter credentials, or specifically what happens when you click a phishing link on your phone:
Read our articles here: What to Do If You Clicked a Phishing Link on Your Phone
and Can You Get Hacked by Clicking a Link? (What Actually Happens)
Should You Just Delete a Phishing Email?
Deleting it is fine, but reporting it first takes 10 seconds and actually helps.
Reporting through Microsoft sends a signal that helps improve their filters for all Microsoft 365 users.
If you are part of an organisation that uses a dedicated security platform like Microsoft Defender, reporting it also alerts your IT team. It allows them to block the threat for everyone in the company before it reaches your colleagues.