
Spot a phishing email: what to check

Reviewed June 2026

Phishing emails try to trick you into handing over a password, approving a payment, or opening something harmful. They are getting more convincing, but they almost always trip on one of a few tells.

The 20-second check

  • Who really sent it? Hover over the sender name and read the actual address. "Microsoft" from [email protected] is not Microsoft.
  • Is it pushing you to hurry? "Your account will be closed in 24 hours" is pressure designed to stop you thinking.
  • Where does the link actually go? Hover over a link (do not click) and read the address that pops up. If it does not match the company, leave it.
  • Were you expecting it? An invoice, a shared file, a password reset you did not request — treat the unexpected with suspicion.
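
The sender, urgency and link checks above can also be run automatically in a mail triage script. This is an added example, not part of the original article; the brand-to-domain table, the flag names and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: brands your users see, mapped to domains they really use.
BRAND_DOMAINS = {"microsoft": ("microsoft.com",)}
URGENCY = re.compile(r"\bin \d+ hours\b|\burgent|\bimmediately\b|will be closed", re.I)

class LinkCollector(HTMLParser):
    """Collects the href of every <a> tag: what hovering would reveal."""
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.append(dict(attrs).get("href") or "")

def in_domain(host, domains):
    # Exact or dot-bounded match, so microsoft.com.verify.example fails.
    return any(host == d or host.endswith("." + d) for d in domains)

def check_email(raw):
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    sender_host = addr.rpartition("@")[2].lower()
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    flags = []
    if URGENCY.search(f"{msg.get('Subject', '')} {body}"):
        flags.append("urgency")
    collector = LinkCollector()
    collector.feed(body)
    hosts = [(urlparse(h).hostname or "").lower() for h in collector.hrefs]
    for brand, domains in BRAND_DOMAINS.items():
        if brand in name.lower():  # the display name claims this brand
            if not in_domain(sender_host, domains):
                flags.append("sender-mismatch")
            if any(not in_domain(h, domains) for h in hosts):
                flags.append("link-mismatch")
    return flags

# Constructed sample message (not a real email).
SAMPLE = (
    'From: "Microsoft" <security@account-alerts.example>\n'
    "Subject: Your account will be closed in 24 hours\n"
    "Content-Type: text/html\n\n"
    '<a href="http://microsoft.com.verify.example/login">Sign in to Microsoft</a>\n'
)
```

Calling `check_email(SAMPLE)` returns all three flags. The fourth check, whether the message was expected, needs context that only the recipient has.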

Things we will never ask

  • We will never email you asking for your password.
  • We will never ask you to approve an MFA prompt you did not start.
  • We will never ask you to buy gift cards or move money urgently.

If you are not sure

Do not click, do not reply, and do not forward it around the office. Forward it to us and we will take a look. If you have already clicked or entered a password, tell us straight away — fast action makes all the difference, and you will never be in trouble for reporting it.

Frequently asked

I clicked a link but did not type anything in. Am I in trouble?
Probably fine, but tell us anyway so we can check. You will never be told off for reporting something.

How do I report a suspicious email?
Forward it to us and call if it looks urgent. In Outlook you can also use the Report button if we have set it up for your organisation.

They knew my name and my manager's name. Doesn't that mean it's real?
No. Attackers harvest names from websites and LinkedIn. Personal detail is a common trick to make a message feel legitimate.
