
What is a phishing email?

Learn what a phishing email is and how to protect yourself from this kind of online fraud.

Definition of phishing emails

Phishing is a type of online scam where criminals try to trick people into giving away sensitive information, like passwords, credit card numbers, and personal details. To accomplish this, a criminal pretends to be a trusted person or company, like a bank, government agency, or popular website.

A phishing email is a fraudulent message designed to look authentic. It usually asks you to click a link, download an attachment, or provide personal details in an effort to steal valuable information. These emails often create a sense of urgency—for example, warning that your account is at risk or offering a time-sensitive reward—to pressure you into acting quickly.

Key takeaways

  • Phishing emails are designed to steal personal information by pretending to be from legitimate sources.
  • Common signs of phishing emails include suspicious senders, urgent requests, generic greetings, unexpected attachments, and requests for sensitive information.
  • If you engage with a phishing email, act fast by changing passwords, notifying relevant parties, and reporting the email.
  • Prevent phishing attacks by staying alert, using strong security practices, and keeping software updated with antivirus protection and email filters.
  • Help detect and prevent phishing through AI-powered filtering, real-time threat detection, and multifactor authentication tools from Microsoft Security.

Why understanding phishing emails is important

The world is more digital than ever before, and phishing emails are one of the biggest online threats. Cybercriminals send millions of phishing emails every day that target individuals, businesses, and even government agencies. Falling for a cyberattack, such as a phishing email, can lead to stolen identities, financial loss, and hacked accounts. In workplaces, one wrong click can compromise entire networks, leading to data breaches and costly damage.

Recognizing phishing emails is a key skill for protecting yourself and your information. Attackers are getting better at making their scams look real, but knowing the warning signs can help you avoid them.

Understanding phishing doesn’t just help you—it also helps keep your workplace, family, and friends safe. The more people who can spot these scams, the harder it becomes for cybercriminals to succeed.

The evolution of phishing emails

Phishing started in the 1990s, when scammers tricked people into revealing their AOL passwords. As the internet grew, phishing attacks became more sophisticated. Criminals began copying the look and feel of real websites to steal login credentials. Over time, phishing expanded beyond email to text messages (smishing) and phone calls (vishing). Today, attackers use AI-generated messages and social engineering tactics to make their scams even more convincing.

Despite advancements in cybersecurity, phishing remains one of the most common online threats. Recognizing phishing emails is an important skill for staying safe online.

How phishing emails work

Phishing emails are designed to look like messages from companies and people you trust. The goal is to trick you into taking a certain action using deception and psychological tricks.

Cybercriminals carefully design phishing emails to appear real by:

  • Imitating legitimate brands. You might see official logos, similar email addresses, and professional-looking designs.
  • Using personal details. Some scams include your name, email, or other information to make the message seem more authentic.
  • Embedding fake links. The email may contain links that look real but actually lead to fake websites built to steal your information.
  • Adding malicious attachments. Some phishing emails include files that install ransomware or other types of malware if opened.

Psychological tricks used in phishing emails

Phishing emails take advantage of people’s emotions to increase the chances of a successful con. Common tactics include:
 
  • Urgency. For example, threatening to lock you out of your account unless you take a certain action.
  • Fear. For example, telling you that your account has been compromised.
  • Curiosity. For example, sending you a receipt or invoice for something you didn’t purchase.
  • Financial incentive. For example, saying you won a giveaway or gift card.
  • Authority. For example, pretending to be someone from your job’s IT department.

How to identify a phishing email

Phishing emails can be convincing, but they frequently have telltale signs. Here’s what to watch for:

  • Suspicious links. Hover over links (without clicking) to see where they really lead. Phishing links sometimes contain misspellings, extra characters, or unfamiliar domains—for example, "micros0ft-support.com" instead of "microsoft.com." If a link looks odd, don’t click it.
  • Unexpected attachments. Always be cautious of email attachments, especially if they ask you to enable macros or install software. Legitimate companies rarely send attachments that you didn’t request.
  • Urgent or threatening language. Wording that says you need to act immediately or face account suspension pressures you into acting out of fear. Scammers rely on panic to get quick responses.
  • Requests for personal or financial information. No legitimate company will ask you to provide passwords, credit card numbers, or Social Security numbers over email. If in doubt, contact the company directly through official channels—not by clicking anything in the email.
  • Generic greetings and lack of personalization. Phishing emails sometimes use generic openings, like “Dear customer” or “Dear user” instead of calling you by name. Real businesses typically personalize their emails.
  • Poor grammar and spelling mistakes. Many phishing emails contain awkward phrasing, typos, or unusual wording. Professional organizations proofread their emails, so these types of errors can be a red flag.
  • Mismatched sender addresses. Check the sender’s email address closely. Scammers will use addresses that look similar to real ones but have small differences, like “support@micr0soft.com” instead of “support@microsoft.com.”

Five phishing email examples

Browse these examples of common phishing email scams to better understand what they look like.

1. Fake security alert

Subject line:
Unusual Sign-in Attempt Detected—Action Required!

A phishing email pretending to be from a well-known service, like your bank or email provider, warns that someone tried to access your account. It includes a link to "secure" your account, but the link leads to a fake login page designed to steal your credentials.

Red flags:
  • The email doesn’t mention where the sign-in attempt happened (no location or device details).
  • The "secure your account" link leads to a domain that’s slightly off from the company’s real website.
  • The sender’s address is something like “security-alerts@accounts-support.com” instead of the company’s official domain.

2. Faux invoice or payment request

Subject:
Invoice #38491 Attached—Payment Due Immediately

This type of phishing email claims that you owe money for a service you never used. It pressures you to open an attached invoice or click a link to review the charge. The attachment may contain malware, or the link could lead to a fake payment page.

Red flags:
  • The email is unexpected. Legitimate businesses don’t send surprise invoices.
  • The invoice is in a suspicious format, like a .ZIP file or a document asking you to enable macros.
  • There’s no clear information about who sent the invoice—no company name or contact details.

3. "You’ve won a prize!" scam

Subject:
Congratulations! You’ve Been Selected for a $500 Gift Card

This phishing email says you won a giveaway and simply need to "verify your details" to get the prize. It asks for personal information or directs you to a form that steals your data.

Red flags:
  • You never entered a contest, making the win suspicious.
  • The email asks for personal details, like your address, phone number, or credit card information.
  • The sender's email address is a generic Gmail or Yahoo account instead of a company domain.
     
4. CEO fraud (business email compromise)

Subject:
Quick Request—Need Your Help ASAP

This workplace phishing attempt targets employees at a business by pretending to be from their boss, a senior executive, or human resources. The email asks the recipient to buy gift cards, wire money, or provide sensitive company data. Attackers commonly spoof a manager’s email address or use a similar one with a small difference.

Red flags:
  • The email is urgent and vague, with no prior context.
  • The sender’s address is slightly different from the real executive’s (for example, “ceo@companyname.co” instead of “ceo@companyname.com”).
  • The request is unusual—most companies have formal processes for financial transactions.

5. Fake IT department password reset

Subject:
IT Notice: Your Email Password Will Expire Today

This email is supposedly from your company’s IT team, telling you to reset your password immediately. The link provided leads to a fake login page that steals your credentials.

Red flags:
  • The email doesn’t follow your company’s usual IT communication style. 
  • The sender’s email isn’t from the official company domain. 
  • IT support usually doesn’t ask employees to reset passwords through email links. Companies tend to use internal portals instead.
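The red flags listed under "How to identify a phishing email" and the five sample scams above can be turned into a simple automated check. The following Python script is an added example, not code from the Microsoft page: it flags a lookalike sender domain (digit-for-letter swaps such as micr0soft, or a wrong TLD such as .co), urgency wording, a generic greeting, and a link whose visible text names a different domain than its real target; the trusted-domain allowlist and the sample messages are constructed for the demo.

```python
# Added example, not code from the Microsoft article: a heuristic checker for the
# red flags it lists. TRUSTED_DOMAINS and the sample messages are constructed.
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"microsoft.com", "companyname.com"}   # assumed allowlist
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
URGENT = re.compile(r"\b(immediately|asap|action required|expires? today|suspend)", re.I)
GENERIC = re.compile(r"^\s*dear\s+(customer|user)\b", re.I)
LINK = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]*)</a>', re.I)

def domain_of(s: str) -> str:
    """Host part of an email address, URL or bare domain, lower-cased."""
    s = s.strip().lower()
    if "@" in s:
        return s.rsplit("@", 1)[1]
    return urlparse(s if "://" in s else "http://" + s).hostname or ""

def lookalike(domain: str):
    """Trusted domain that `domain` imitates (digit swaps, wrong TLD), else None."""
    if domain in TRUSTED_DOMAINS or any(domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return None
    base = domain.split(".")[0].translate(HOMOGLYPHS).split("-")[0]   # micr0soft-support -> microsoft
    return next((t for t in TRUSTED_DOMAINS if t.split(".")[0] == base), None)

def check_email(sender, subject, body_html) -> list:
    """Return the red flags found in one message (empty list: none fired)."""
    flags, text = [], re.sub(r"<[^>]+>", " ", body_html)   # plain text for wording checks
    mimic = lookalike(domain_of(sender))
    if mimic:
        flags.append(f"sender domain {domain_of(sender)} imitates {mimic}")
    if URGENT.search(subject) or URGENT.search(text):
        flags.append("urgent or threatening language")
    if GENERIC.search(text):
        flags.append("generic greeting")
    for href, shown in LINK.findall(body_html):   # visible link text vs real target
        real, visible = domain_of(href), (domain_of(shown) if "." in shown else "")
        if visible and visible != real:
            flags.append(f"link text shows {visible} but points to {real}")
        elif lookalike(real):
            flags.append(f"link domain {real} imitates {lookalike(real)}")
    return flags

SAMPLES = {   # constructed messages modelled on the article's example scams
    "security_alert": ("security-alerts@micr0soft.com", "Unusual Sign-in Attempt - Action Required!",
        '<p>Dear customer,</p><p>Secure your account: '
        '<a href="https://micros0ft-support.com/login">https://microsoft.com/account</a></p>'),
    "ceo_fraud": ("ceo@companyname.co", "Quick Request - Need Your Help ASAP",
        "<p>Hi, can you buy some gift cards for a client today?</p>"),
    "legit": ("billing@microsoft.com", "Your monthly statement is available",
        '<p>Hi Alex,</p><p>View it at <a href="https://account.microsoft.com/billing">your account</a>.</p>'),
}

def scan_samples() -> dict:   # name -> flags for every constructed sample
    return {name: check_email(*msg) for name, msg in SAMPLES.items()}
```

The checks are deliberately crude; a real mail filter combines such heuristics with sender authentication (SPF, DKIM, DMARC) and URL reputation rather than relying on wording alone.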

What to do if you get a phishing email

If you receive a phishing email, don’t panic, but don’t interact with it either. Follow these steps to protect yourself and others.

1. Don’t click links or open attachments
 
  • Avoid clicking any links, downloading attachments, or replying to the email.
  • Even if the email looks convincing, interacting with it could lead to malware or stolen information.

2. Verify the sender
 
  • Check the sender’s email address closely. If something looks off, like a slight misspelling or an unfamiliar domain, it’s probably a scam.
  • If the email claims to be from a company, go directly to the company’s official website instead of using any provided links.

3. Report the phishing email
 

4. Mark the email as spam and delete it
 
  • Many email services have a “Report phishing” option that helps improve spam filters. If you don’t see that option, report it as spam.
  • If your email provider doesn’t automatically move the email to your trash can after you flag it, delete it so you don’t accidentally open it later.

Steps to take if you’ve engaged with a phishing email

Once you've interacted with a phishing email, whether by clicking a link, downloading an attachment, or providing personal information, you should act quickly to limit the damage. Here’s what to do.

1. Take note of what you shared
 
  • If you entered your password, banking details, or personal information, write down what you shared.
  • This will help you determine what needs to be secured and whom to notify.
     
2. Change passwords immediately
 
  • Update any passwords you may have shared, especially for banking, email, or work accounts.
  • If you use the same password for other sites, change it there too.
  • Use strong, unique passwords and enable multifactor authentication for added security.
     
3. Tell the people who need to know
 
  • If the phishing email targeted your work account, alert your IT or security team.
  • If you provided financial details, contact your bank or credit card company to monitor transactions and freeze your account if needed.
  • Let friends, family, and colleagues know what happened if the scam could affect them (for example, if the attackers might use your compromised account to send phishing emails to them).
     
4. Report the phishing attack
 
  • If you lost money or had sensitive data stolen, report the attack to the FTC.
  • If financial fraud occurred, get in contact with local law enforcement.
  • Mark the message as a phishing attempt or spam through your email provider to help block similar attacks.
     
5. Expect follow-up phishing attempts
 
  • Scammers often target victims again using the stolen data to send new phishing emails, texts, or calls.
  • Be extra cautious of messages that claim to help you recover your account or that request more personal information.

What happens if you’ve been phished?

Being victimized by a phishing attack can have serious consequences that affect both individuals and organizations. Here are some potential effects.

Identity theft

Phishers steal personal information, such as Social Security numbers, addresses, and birthdates, to impersonate victims. This can lead to opening credit accounts or committing crimes under the victim's name.

Financial loss

Access to private financial data, like bank account details or credit card numbers, can result in unauthorized transactions and significant monetary losses. For example, a sophisticated invoice phishing scam that targeted Google and Facebook between 2013 and 2015 led to $100 million in losses.

Compromised sensitive information

Phishing attacks can expose confidential data, including business secrets and personal communications. In 2021, a phishing email led to the Colonial Pipeline attack, which caused a major fuel supply disruption in the United States.

Reputational damage

Organizations hit by phishing attacks could suffer long-term harm to their reputation. Customers and partners may lose trust, especially if their data was compromised. This loss of trust can have lasting effects on business relationships, financials, and public perception.

Preventing a phishing email attack

Even though phishing emails can be convincing, there are still ways to protect yourself by staying alert and following email security best practices.

Be cautious of all emails that ask for engagement
 
  • Always analyze emails carefully before clicking links or downloading attachments.
  • Ask yourself these questions before interacting:
    • Does this email make sense? Am I expecting it?
    • Is the sender’s email address correct?
    • Are there urgent requests or threats that pressure me to act fast?
    • Do the grammar and tone sound professional?
  • If something feels off, verify the email with the sender using a trusted contact method.
     
Amp up email security
 
  • Use email filters to block known phishing messages.
  • Mark suspicious emails as spam to improve filtering.
  • Never click links or download attachments from unknown or unexpected sources.
     
Keep your software and security tools updated
 
  • Install antivirus software and make sure it’s updated to help detect phishing threats.
  • Enable automatic updates for your operating system, web browsers, and email apps to patch security weaknesses.
     
Use multifactor authentication
 
  • Turning on multifactor authentication for your online accounts adds an extra layer of security by requiring a second step (like a code sent to your phone) before logging in.
  • Even if attackers steal your password, they won’t be able to access your account without the second factor.

Stay a step ahead of phishing with Microsoft Security 

As phishing emails grow more sophisticated through AI-generated text, social engineering, and even deepfake technology, the Microsoft Security solutions that detect and prevent them keep evolving too.

By combining awareness with robust security tools, you’ll help dodge phishing emails and protect your personal and business data.

Frequently asked questions

  • A phishing email is a fraudulent message designed to trick you into sharing personal information, such as passwords or financial details. Phishing emails often appear to come from a trusted source, like a bank or company, and may use urgent language, fake links, or malicious attachments to deceive you.
  • If your email is phished, scammers may gain access to your personal information, steal your identity, or use your account to send more phishing emails. They could also access financial accounts, compromise sensitive data, or spread malware. Acting quickly by changing your password, enabling multifactor authentication, and reporting the attack can help limit the damage.
  • Here are five ways to spot a phishing email:
     
    1. Suspicious sender—the email address may be slightly misspelled or unfamiliar.
    2. Urgent or threatening language—scammers create panic to pressure you into acting quickly.
    3. Generic greetings—phrases like “Dear Customer” instead of your name can be a red flag.
    4. Suspicious links or attachments—hover over links to check the URL before clicking. Unexpected attachments may contain malware.
    5. Requests for personal or financial details—real companies that you do business with won’t ask for this kind of private information through email.
  • To report a phishing email, follow these steps:
     
    1. With the email open, select the “Report phishing” or “Mark as spam” option to help filter future attacks.
    2. If you’re using an account for work or school, forward the phishing email to your IT department.
    3. In the United States, forward phishing emails to phishing-report@us-cert.gov or report them to the FTC.
       
    After reporting, delete the email to avoid accidental clicks.
