
Recognizing phishing

Phishing today is rarely the badly-spelled "Nigerian prince" email of fifteen years ago. It looks like an ordinary DocuSign, an HR document, an MFA prompt, or a quick text from your boss. The patterns below catch most of them.

The Patterns

What scammers consistently do

Urgency or pressure

"Action required in 24 hours," "your account will be suspended," "the CEO needs this gift card before her flight." Real businesses almost never use that tone for routine requests. Pause and verify.

The sender address does not match the brand

The display name might say "Microsoft Security" but the actual address is something@gmail.com or something@microsoft-security-alert.com. Hover over the sender (do not click) to see the real address.

The link goes somewhere unexpected

Hover over (do not click) any link to see its real destination, shown at the bottom of the window. A "DocuSign" link should land on docusign.com or docusign.net. A "Microsoft sign in" link should land on login.microsoftonline.com.

Unexpected attachment, especially zip, htm, or html

Real businesses rarely send raw HTML files. A zip attachment paired with an instruction to "open the attached document" is a classic credential-stealer pattern.

Unexpected MFA push you did not request

If you get a Microsoft, Duo, or Okta push and you are not actively signing in, deny it. Then change your password — your password is probably already known.

The New Patterns

What 2025-era phishing looks like

Boss-impersonation text messages

"Hi, this is [CEO name], I'm in a meeting, can you do me a quick favor?" The number is unfamiliar. The follow-up always asks you to buy gift cards or move money. Verify by walking to the person's office or calling their known number — never reply to the text.

Fake DocuSign and Adobe Sign emails

Real DocuSign emails come from docusign.net; real Adobe Sign emails come from echosign.com or adobesign.com. The link in a real email goes to docusign.com or adobesign.com. Anything else is suspect.
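The sender-domain and link-domain checks above (the display name claims a brand, but the address or the link lands on another domain) can be automated for a mail filter or triage script. The following is an added example, not part of this article: it uses the brand domains the article lists (plus microsoft.com for Microsoft) and a simplified two-label registrable-domain rule; the sample message and the review-docs.example domain are constructed for the demo.

```python
"""Flag brand/sender/link mismatches in an email (added example, constructed input)."""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Domains that real mail and links for each brand come from (from the article;
# microsoft.com is an added assumption).
EXPECTED = {
    "docusign": {"docusign.com", "docusign.net"},
    "adobe sign": {"adobesign.com", "echosign.com"},
    "microsoft": {"microsoft.com", "microsoftonline.com"},
}

def registrable(host: str) -> str:
    """Last two labels of a hostname. Simplification: ignores suffixes like co.uk."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def brand_in(text: str):
    """First brand keyword the display name or subject claims, or None."""
    low = text.lower()
    return next((b for b in EXPECTED if b in low), None)

def check_message(raw: str) -> list[str]:
    """Return mismatch findings; an empty list means no brand mismatch was found."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    brand = brand_in(name + " " + msg.get("Subject", ""))
    if brand is None:
        return []
    findings = []
    if registrable(addr.rsplit("@", 1)[-1]) not in EXPECTED[brand]:
        findings.append(f"sender {addr} is not a {brand} domain")
    parts = msg.walk() if msg.is_multipart() else [msg]
    body = "".join((p.get_payload(decode=True) or b"").decode(errors="replace")
                   for p in parts if p.get_content_type() in ("text/plain", "text/html"))
    for url in re.findall(r"https?://[^\s\"'<>]+", body):
        # .hostname drops any "docusign.com@" userinfo prefix and port, so the
        # "brand name before the @" trick does not fool the check.
        host = urlparse(url).hostname or ""
        if registrable(host) not in EXPECTED[brand]:
            findings.append(f"link {url} resolves to {host}, not a {brand} domain")
    return findings

# Constructed phishing sample: lookalike sender subdomain and a userinfo-trick link.
SAMPLE = """From: "DocuSign" <notify@docusign.com.review-docs.example>
Subject: Completed: Please DocuSign your agreement
Content-Type: text/plain

Review here: https://docusign.com@review-docs.example/sign
Or here: https://app.docusign.com/documents/123
"""

if __name__ == "__main__":
    for finding in check_message(SAMPLE):
        print(finding)
```

Only the first link and the sender are flagged; the app.docusign.com link passes because its registrable domain is one the brand really uses.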

Fake voicemail and "missed call" emails

A voicemail attached as an HTML or zip file is almost always phishing. Real voicemail comes from your phone system, not a random sender.

QR codes in email or printed materials

"Quishing" — a QR code that takes you to a fake sign-in page. Be especially suspicious of QR codes in unexpected emails or posted in random places.

If You Clicked

What to do in the first ten minutes

If you only clicked the link

Close the tab. Do not enter credentials. Tell IT what you clicked so they can review.

If you entered your password

Change your password right now from a different device or in a fresh browser session at https://aka.ms/mysecurityinfo (Microsoft) or your firm's identity provider. Then call IT — do not wait.

If you approved an MFA prompt

Call IT immediately. The attacker is signed in right now. IT can revoke active sessions and reset MFA.

If you sent money or gift cards

Call IT and your bank or card issuer immediately. Report it as fraud. Speed matters more than embarrassment.

Reporting

How to report phishing without making it worse

Use Outlook's Report button

In Outlook desktop and web, the Report button (or Junk > Phishing) sends the message to Microsoft and your IT team in a structured way. This is better than forwarding — forwarding can lose the original sender info.

Do not click anything to "see what happens"

Hovering to preview a link is fine; clicking is not. Report and delete.

Tell coworkers if it looks like a targeted campaign

If the email pretends to be from your CEO or HR, others probably got it too. Give your team a heads-up while IT investigates.