Protect yourself from phishing

Phishing (pronounced: fishing) is an attack that attempts to steal your money, or your identity, by getting you to reveal personal information -- such as credit card numbers, bank information, or passwords -- on websites that pretend to be legitimate. Cybercriminals typically pretend to be reputable companies, friends, or acquaintances in a fake message, which contains a link to a phishing website.


Learn to spot a phishing message

Phishing is a popular form of cybercrime because of how effective it is. Cybercriminals have been successful using emails, text messages, direct messages on social media or in video games, to get people to respond with their personal information. The best defense is awareness and knowing what to look for.

Here are some ways to recognize a phishing email:

  • Urgent call to action or threats - Be suspicious of emails that claim you must click, call, or open an attachment immediately. Often they'll claim you have to act now to claim a reward or avoid a penalty. Creating a false sense of urgency is a common trick of phishing attacks and scams. They do that so that you won't think about it too much, or consult with a trusted advisor who may warn you away.

    Tip: Whenever you see a message calling for immediate action take a moment, pause, and look carefully at the message. Are you sure it's real? Slow down and be safe.

  • Spelling and bad grammar - Professional companies or organizations usually have an editorial staff to ensure customers get high-quality, professional content. If an email message has obvious spelling or grammatical errors, it might be a scam. These errors are sometimes the result of awkward translation from a foreign language, and sometimes they're deliberate in an attempt to evade filters that try to block these attacks.

  • Generic greetings - An organization that works with you should know your name and these days it's easy to personalize an email. If the email starts with a generic "Dear sir or madam" that's a warning sign that it might not really be your bank or shopping site.

  • Suspicious links - If you suspect that an email message is a scam, do not open any links that you see. Instead, hover your mouse over, but don't click, the link to see if the address matches the link that was typed in the message. In the following example, resting the mouse on the link reveals the real web address in the box with the yellow background. Note that the string of IP address numbers looks nothing like the company's web address.

[Image: an email link whose real address, revealed on hover, is a numeric IP address rather than the company's domain]

  • Mismatched email domains - If the email claims to be from a reputable company, like Microsoft or your bank, but the email is being sent from another email domain like Yahoo.com, or microsoftsupport.ru, it's probably a scam. Also be watchful for very subtle misspellings of the legitimate domain name, like micros0ft.com, where the second "o" has been replaced by a 0, or rnicrosoft.com, where the "m" has been replaced by an "r" and an "n". These are common tricks of scammers.
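The two domain checks described above (a hovered link whose real address is a bare IP address, and a sender domain that is either a lookalike of a trusted company's domain or merely contains its name while being registered elsewhere) can be turned into simple heuristics. The Python below is an added example, not code from this article or from Microsoft; the trusted-domain list, the confusable-character table and the sample addresses are all constructed for illustration, and `registrable_domain` is a deliberate simplification (it keeps the last two labels instead of consulting the Public Suffix List).

```python
"""Heuristics for the sender-domain and hovered-link checks described above.

Added example; everything here (trusted list, confusable table, samples) is
constructed for illustration and is not from the article.
"""
import ipaddress
from urllib.parse import urlparse

# Domains the reader actually has accounts with (constructed for this example).
TRUSTED_DOMAINS = {"microsoft.com", "contoso.com"}

# Characters that look alike in many fonts. The first and third pairs are the
# article's own examples ("rn" for "m", "0" for "o"). Multi-character pairs go
# first so they are folded before single characters are touched.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s")]


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: a real implementation
    would use the Public Suffix List (e.g. for co.uk-style suffixes)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def fold_confusables(domain: str) -> str:
    """Map lookalike characters to the letters they imitate, so that
    micros0ft.com and rnicrosoft.com both fold to microsoft.com."""
    folded = domain.lower()
    for lookalike, real in CONFUSABLES:
        folded = folded.replace(lookalike, real)
    return folded


def is_ip_literal(host: str) -> bool:
    """True for a bare IPv4/IPv6 address (brackets around IPv6 are tolerated)."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def classify_domain(domain: str) -> str:
    """Return 'trusted', 'lookalike', 'contains-trusted-name' or 'unrelated'."""
    reg = registrable_domain(domain)
    if reg in TRUSTED_DOMAINS:          # exact match always wins over folding
        return "trusted"
    folded = fold_confusables(reg)
    if folded in TRUSTED_DOMAINS:       # micros0ft.com, rnicrosoft.com
        return "lookalike"
    for trusted in TRUSTED_DOMAINS:     # microsoftsupport.ru: brand name inside
        brand = trusted.split(".")[0]   # a domain someone else registered
        if brand in folded:
            return "contains-trusted-name"
    return "unrelated"                  # yahoo.com: no claim to the brand at all


def _hostname(url_like: str) -> str:
    """Hostname of a URL; a scheme is prepended when the text lacks one."""
    parsed = urlparse(url_like if "://" in url_like else "http://" + url_like)
    return parsed.hostname or ""


def check_link(href: str) -> str:
    """Classify the real destination of a link (what hovering reveals)."""
    host = _hostname(href)
    if is_ip_literal(host):
        return "ip-literal"
    return classify_domain(host)


def check_sender(from_address: str) -> str:
    """Classify the domain part of a From: header such as 'Name <user@host>'."""
    domain = from_address.rsplit("@", 1)[-1].strip().strip(">")
    return classify_domain(domain)


def link_text_mismatch(visible_text: str, href: str) -> bool:
    """True when the visible link text names one site but the href goes to
    another. Only URL-like visible text (no spaces, contains a dot) is
    compared; wording such as 'Click here' cannot mismatch by itself."""
    text = visible_text.strip()
    if " " in text or "." not in text:
        return False
    return registrable_domain(_hostname(text)) != registrable_domain(_hostname(href))


if __name__ == "__main__":
    # Constructed sample message: the kind of mismatch the article describes.
    sample_from = "Microsoft Account Team <security@rnicrosoft.com>"
    sample_text = "www.microsoft.com/account"
    sample_href = "http://192.0.2.10/login"          # documentation-range IP
    print("sender:", check_sender(sample_from))       # lookalike
    print("link:", check_link(sample_href))           # ip-literal
    print("text/href mismatch:", link_text_mismatch(sample_text, sample_href))
```

The folding step is intentionally one-directional and is only ever compared against the trusted list, so a legitimate domain that happens to contain "rn" is not misreported as long as it is matched exactly first. The "contains-trusted-name" class is the weakest signal of the three and is worth surfacing as "verify before trusting" rather than as a definite verdict.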

Cybercriminals can also tempt you to visit fake websites with other methods, such as text messages or phone calls. Sophisticated cybercriminals set up call centers to automatically dial or text numbers for potential targets. These messages will often include prompts to get you to enter a PIN or some other type of personal information.

Are you an administrator or IT pro?

If you have a Microsoft 365 subscription with Advanced Threat Protection you can enable ATP Anti-phishing to help protect your users. Learn more

If you receive a phishing email

  • Never click any links or attachments in suspicious emails. If you receive a suspicious message from an organization and worry the message could be legitimate, go to your web browser and open a new tab. Then go to the organization's website from your own saved favorite, or via a web search. Or call the organization using a phone number listed on the back of a membership card, printed on a bill or statement, or that you find on the organization's official website.

  • If the suspicious message appears to come from a person you know, contact that person via some other means such as SMS or phone call to confirm it.

  • Report the message (see below).

  • Delete it.

How to report a phishing scam

You can forward the phishing email to the Anti-Phishing Working Group at reportphishing@apwg.org. Forwarding as an attachment works best, if your email client supports it, but any forwarding is a good start.

Also:

  • Outlook.com. If you receive a suspicious email message, select the check box next to the message in your Outlook inbox. Select the arrow next to Junk, and then select Phishing.

  • Microsoft Office Outlook. While in the suspicious message, select Report message from the ribbon, and then select Phishing.

If you’re on a suspicious website:

  • Microsoft Edge. While you’re on a suspicious site, select the More(…) icon > Help and feedback > Report Unsafe site. Follow the instructions on the webpage that displays to report the website.

  • Internet Explorer. While you’re on a suspicious site, select the gear icon, point to Safety, and then select Report Unsafe Website. Follow the instructions on the webpage that displays to report the website.

For more information see Report suspicious messages.

What to do if you think you've been successfully phished

If you suspect that you may have inadvertently fallen for a phishing attack, there are a few things you should do.

  1. While it's fresh in your mind write down as many details of the attack as you can recall. In particular try to note any information such as usernames, account numbers, or passwords you may have shared.

  2. Immediately change the passwords on those affected accounts, and anywhere else that you might use the same password. While you're changing passwords you should create unique passwords for each account, and you might want to see Create and use strong passwords.

  3. Turn on multi-factor authentication (also known as two-step verification) for every account you can. See What is: Multifactor authentication

  4. If this attack affects your work or school accounts you should notify the IT support folks at your work or school of the possible attack. If you shared information about your credit cards or bank accounts you may want to contact those companies as well to alert them to possible fraud.

  5. If you've lost money, or been the victim of identity theft, report it to local law enforcement. The details in step 1 will be very helpful to them.

See also

The keys to the kingdom - securing your devices and accounts

How malware can infect your computer
