Protect yourself from phishing

Applies to: Windows 10Windows 8.1Windows 7

Phishing is a fraudulent scheme that is designed to steal your money by getting you to divulge personal information on websites that pretend to be legitimate portals. These websites are designed to lure you into revealing personal information, such as credit card numbers, bank information, or passwords. Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake email message, which contains a link to a phishing website.

Some examples of messaging in these emails are:

  • Emails that promise a reward. “Click on this link to get your tax refund!”
  • A document that appears to come from a friend, bank, or other reputable organizations. The message is something like “Your document is hosted by an online storage provider and you need to enter your email address and password to open it.”
  • An invoice from an online retailer or supplier for purchase or order that you did not make. The attachment appears to be a protected or locked document, and you need to enter your email address and password to open it.

Learn to spot a phishing email

Phishing is a popular form of cybercrime because of how effective it is. Cybercriminals have been successful using emails to get people to respond with their personal information. The best defense is awareness and knowing what to look for.

Here are some ways to recognize a phishing email:

  • Spelling and bad grammar. Cybercriminals are not known for their grammar and spelling. Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email messages is fraught with errors, it might be a scam.
  • Suspicious links. If you suspect that an email message is a scam, do not open any links that you see. Instead, rest your mouse but don't click- on the link to see if the address matches the link that was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company's web address.

Fake IP address

  • Threats. These types of emails cause a sense of panic to get you to respond quickly. For example, it may include a statement like “You must respond by end of day.” Or saying that you might face financial penalties if you don’t respond.
  • Spoofing. Spoofing emails appear to be connected to legitimate websites or companies, but actually take you to phony scam sites or display legitimate-looking pop-up windows.
  • Altered web addresses. A form of spoofing where web addresses that closely resemble the names of well-known companies, but are slightly altered; for example, or
  • Incorrect salutation of your name.
  • Mismatches. The link text and the URL are different from one another; or the sender’s name, signature, and URL are different.
  • BCC. The mail is sent to multiple recipients or to you in BCC.

Cybercriminals can also get you to visit fake websites with other methods, such as text messages or phone calls. Sophisticated cybercriminals set up call centers to automatically dial or text numbers for potential targets. These messages will often include prompts to get you to enter a PIN number or some other type of personal information.

Report phishing scams

There are a few ways to report a phishing scam.

If you’re on a suspicious website:

  • Microsoft Edge. While you’re on a suspicious site, select the More (…) icon > Send feedback > Report Unsafe site. Follow the instructions on the web page that displays to report the website.
  • Internet Explorer. While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the web page that displays to report the website.
  • If you receive a suspicious email message that asks for personal information, select the check box next to the message in your Outlook inbox. Select the arrow next to Junk, and then point to Phishing scam.
  • Microsoft Office Outlook 2016 and Microsoft Office 365. While in the suspicious message, select Report message in the Protection tab on the ribbon, and then select Phishing.

If you receive an unsolicited phone call, take down the caller's information and report it to your local authorities.