
23 March 2026 · Better Networks

Spotting Phishing Emails in Microsoft 365

Phishing emails are the single biggest cyber threat facing small businesses. And if your team uses Microsoft 365 - which most Geelong businesses do - your inbox is the front door that attackers are trying to walk through every single day.

The good news is that most phishing emails share common patterns. Once you know what to look for, you and your team can catch them before they cause damage.

What Is a Phishing Email?

A phishing email is a fake message designed to trick you into doing something harmful - clicking a malicious link, downloading an infected attachment, or entering your login credentials on a fake website. The goal is usually to steal your Microsoft 365 credentials, which gives the attacker access to your email, files, contacts, and potentially your entire organisation.

Modern phishing emails are sophisticated. They often look identical to legitimate messages from Microsoft, banks, Australia Post, or even your own colleagues.

Red Flags to Watch For

Here are the most common signs that an email is a phishing attempt:

1. Urgency and Pressure

"Your account will be suspended in 24 hours." "Immediate action required." "Your payment has failed." Phishing emails almost always create a sense of urgency to stop you from thinking critically. Legitimate organisations rarely threaten you with immediate consequences over email.

2. Suspicious Sender Address

The display name might say "Microsoft Support" but the actual email address could be something like support@micros0ft-secure.com. Always check the full sender address, not just the display name. In Outlook, you can hover over or click the sender name to reveal the actual address.

3. Generic Greetings

"Dear Customer" or "Dear User" instead of your actual name. Your bank, your software provider, and your colleagues all know your name. If an email doesn't use it, that's a warning sign.

4. Mismatched or Suspicious Links

Hover over any link before clicking it. The URL that appears should match the organisation the email claims to be from. If Microsoft is asking you to sign in, the link should go to login.microsoftonline.com, not microsoft-login-verify.com.
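The two checks above (judge the real sender address, not the display name, and compare a link's visible text with where it actually points) can be automated for triage. The script below is an added example written for this article, not Better Networks' own tooling; the trusted-domain set, the phrase lists and both sample messages are assumptions constructed for the demonstration, using only the Python standard library.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption for this example: a genuine Microsoft sign-in link resolves to one of these.
TRUSTED_LOGIN_DOMAINS = {"login.microsoftonline.com", "microsoft.com"}
URGENCY_PHRASES = ("24 hours", "immediate action", "suspended", "payment has failed")
GENERIC_GREETINGS = ("dear customer", "dear user")

# Constructed sample: lookalike sender domain, link text that differs from its target,
# a generic greeting and pressure wording.
PHISHING_SAMPLE = b"""From: "Microsoft Support" <support@micros0ft-secure.com>
Subject: Your account will be suspended in 24 hours
Content-Type: text/html; charset=utf-8

<html><body>
<p>Dear Customer, immediate action required to keep your mailbox.</p>
<p><a href="https://microsoft-login-verify.com/signin">https://login.microsoftonline.com</a></p>
</body></html>
"""

# Constructed sample of an ordinary internal message that should raise nothing.
CLEAN_SAMPLE = b"""From: "Jane Doe" <jane@example.com.au>
Subject: Agenda for Thursday
Content-Type: text/html; charset=utf-8

<html><body><p>Hi Tom, the <a href="https://intranet.example.com.au/agenda">agenda</a> is up.</p></body></html>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._label = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._label = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_trusted(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_LOGIN_DOMAINS)


def analyse(raw_message):
    """Return (category, detail) findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []

    # Red flag 2: the address after the display name is what matters.
    display, address = parseaddr(str(msg.get("From", "")))
    sender_domain = address.rsplit("@", 1)[-1].lower() if "@" in address else ""
    if "microsoft" in display.lower() and not is_trusted(sender_domain):
        findings.append(("sender", f"display name '{display}' but address domain is '{sender_domain}'"))

    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body is not None else "")
    text = (str(msg.get("Subject", "")) + " " + " ".join(collector.text)).lower()

    # Red flag 4: what the link shows must agree with where it goes.
    for href, label in collector.links:
        target = host_of(href)
        shown = host_of(label) if label.lower().startswith(("http://", "https://")) else ""
        if shown and shown != target:
            findings.append(("link", f"text shows '{shown}' but link goes to '{target}'"))
        elif "microsoft" in (label + display).lower() and not is_trusted(target):
            findings.append(("link", f"claims Microsoft but link goes to '{target}'"))

    # Red flags 1 and 3: generic greetings and pressure wording (subject included).
    findings += [("greeting", f"generic greeting '{g}'") for g in GENERIC_GREETINGS if g in text]
    findings += [("urgency", f"pressure wording '{p}'") for p in URGENCY_PHRASES if p in text]
    return findings


if __name__ == "__main__":
    for name, sample in (("phishing", PHISHING_SAMPLE), ("clean", CLEAN_SAMPLE)):
        print(name, analyse(sample) or "no findings")
```

Run against a saved `.eml` file by passing its bytes to `analyse()`. Keyword matching is deliberately crude; the useful part for a practitioner is the two structural checks, which do not depend on wording.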

5. Unexpected Attachments

Be especially cautious with attachments you weren't expecting - particularly ZIP files, Office documents with macros, or executable files. Even PDF files can be weaponised. If a colleague sends you an unexpected attachment, confirm with them directly before opening it.

6. Spelling and Grammar Errors

While AI has made phishing emails more polished, many still contain subtle errors - odd phrasing, inconsistent formatting, or Australian spelling mixed with American spelling. These are clues that the email wasn't written by the person or organisation it claims to come from.

Common Phishing Scenarios in Microsoft 365

The Fake Login Page

You receive an email saying your Microsoft 365 password is expiring or your account needs verification. You click the link and land on a page that looks exactly like the Microsoft login screen. You enter your credentials - and now the attacker has them.

This is the most common phishing attack against Microsoft 365 users. The fake login pages are often pixel-perfect copies.

The Shared Document Trap

An email that looks like a SharePoint or OneDrive sharing notification: "John Smith shared a document with you." The link takes you to a fake login page instead of the actual document. These are effective because sharing documents via Microsoft 365 is something people do every day.

Business Email Compromise (BEC)

This is the most damaging type. An attacker compromises a real email account (often through one of the methods above) and then uses it to send legitimate-looking emails to colleagues, clients, or suppliers - requesting payments, changing bank details, or sharing sensitive information.

How to Protect Your Business

Enable MFA on Every Account

Multi-factor authentication is the single most important protection against phishing. Even if an attacker steals a password, MFA stops them from logging in with the password alone. Every Microsoft 365 account in your organisation should have MFA enabled - no exceptions.

Harden Your Microsoft 365 Security Settings

The default security settings in Microsoft 365 are not aggressive enough for most businesses. You should enable Safe Links (which scans URLs in real time), Safe Attachments (which detonates attachments in a sandbox), and anti-phishing policies that detect impersonation attempts. Our Microsoft 365 hardening service covers all of this.

Train Your Team

Technology catches most phishing emails, but some will always get through. Your team needs to know what to look for and what to do when they spot something suspicious. Regular training and phishing simulations are the most effective way to build this muscle.

Set Up Email Authentication

DMARC, DKIM, and SPF records prevent attackers from spoofing your domain - sending emails that look like they come from your business. These are DNS settings that your IT provider can configure.
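Whether those DNS records actually protect the domain depends on how they are written: an SPF record ending in `?all`, a DMARC policy of `p=none`, or a DKIM key in test mode leave spoofing largely unchecked. The checker below is an added example, not part of this article or of any Better Networks service; the fictional domain's records are constructed (`spf.protection.outlook.com` is Microsoft 365's published SPF include, everything else is invented), and it assesses record text you have already fetched, so it runs offline.

```python
import re

# Constructed records for a fictional domain: the weak set beside the hardened set.
WEAK_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com ?all",
    "dmarc": "v=DMARC1; p=none",
    "dkim": "v=DKIM1; k=rsa; t=y; p=",
}
HARDENED_RECORDS = {
    "spf": "v=spf1 include:spf.protection.outlook.com -all",
    "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@example.com.au; adkim=s; aspf=s",
    "dkim": "v=DKIM1; k=rsa; p=BASE64KEYPLACEHOLDER",  # placeholder stands in for a real public key
}

# SPF mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(record):
    """Split a 'k=v; k=v' style DMARC or DKIM record into a dict with lower-cased keys."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record: must start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        match = re.match(r"([+\-~?]?)([a-z0-9]+)", term, re.I)
        if not match:
            continue
        qualifier, name = match.group(1) or "+", match.group(2).lower()
        if name == "all":
            all_qualifier = qualifier  # the last 'all' term wins
        elif name in LOOKUP_MECHANISMS:
            lookups += 1
    messages = {
        None: "no 'all' term: mail from unlisted servers is neither passed nor failed",
        "+": "'+all' authorises every server on the internet to send as this domain",
        "?": "'?all' (neutral) gives receivers no reason to reject spoofed mail",
        "~": "'~all' (softfail) is acceptable, but '-all' is stronger once DKIM and DMARC are in place",
    }
    if all_qualifier in messages:
        findings.append(messages[all_qualifier])
    if lookups > 10:
        findings.append(f"{lookups} lookup mechanisms exceed the RFC 7208 limit of 10; SPF returns permerror")
    return findings


def assess_dmarc(record):
    tags = parse_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record: must start with v=DMARC1"]
    findings = []
    p = tags.get("p", "").lower()
    if not p:
        findings.append("required 'p' tag is missing")
    elif p == "none":
        findings.append("p=none only monitors: spoofed mail is still delivered")
    elif p == "quarantine":
        findings.append("p=quarantine sends spoofed mail to junk; p=reject stops it being delivered")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: the policy is applied to only part of the mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports showing who is spoofing you")
    return findings


def assess_dkim(record):
    tags = parse_tags(record)
    findings = []
    if tags.get("v", "DKIM1") != "DKIM1":
        findings.append("unexpected version tag; DKIM records use v=DKIM1")
    if not tags.get("p"):
        findings.append("empty p= tag: the key is revoked, so signatures from this selector fail")
    if "y" in tags.get("t", "").split(":"):
        findings.append("t=y test mode asks receivers to ignore signature failures")
    return findings


def assess_all(records):
    return {"spf": assess_spf(records["spf"]), "dmarc": assess_dmarc(records["dmarc"]),
            "dkim": assess_dkim(records["dkim"])}


if __name__ == "__main__":
    for label, records in (("weak", WEAK_RECORDS), ("hardened", HARDENED_RECORDS)):
        print(label, assess_all(records))
```

To use it on a real domain, fetch the TXT records for the domain apex, `_dmarc.<domain>` and `<selector>._domainkey.<domain>` (for Microsoft 365 the selectors are `selector1` and `selector2`) and pass the strings in. Moving from `p=none` to `p=reject` should be done after reviewing the aggregate reports that `rua=` delivers, so that legitimate third-party senders are added to SPF or DKIM first.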

What to Do If Someone Clicks a Phishing Link

  1. Change the password immediately - and the password on any other accounts that reuse it.
  2. Enable MFA - if it's not already active.
  3. Report it - use the "Report Phishing" button in Outlook, and notify your IT provider.
  4. Check for unauthorised activity - your IT provider can review sign-in logs, mail forwarding rules, and any changes to the account.
  5. Alert your team - if one person received the phishing email, others probably did too.
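Step 4 is where a compromise is usually confirmed: attackers who have taken over a Microsoft 365 mailbox typically add an inbox rule that forwards or hides mail, and their sign-ins come from places the staff member never is. The script below is an added example of that review, not part of this article or of any Better Networks service. It works on exported data rather than live API calls, so it runs offline; the rule records are constructed but use the property names of Exchange Online's `Get-InboxRule` output, the sign-in events are constructed with RFC 5737 documentation IP addresses, and the internal-domain and expected-country sets are assumptions to adjust for your own tenant.

```python
from datetime import datetime, timedelta

# Assumptions for this example: the business owns one mail domain and staff sign in from Australia.
INTERNAL_DOMAINS = {"example.com.au"}
EXPECTED_COUNTRIES = {"AU"}
# Folders attackers commonly use to bury mail the mailbox owner should not notice.
HIDING_FOLDERS = {"RSS Subscriptions", "RSS Feeds", "Conversation History", "Archive", "Deleted Items"}
SENSITIVE_WORDS = {"password", "invoice", "bank", "payment"}

# Constructed inbox rules: one ordinary filing rule and one typical attacker rule.
SAMPLE_RULES = [
    {"Name": "File invoices", "Enabled": True, "ForwardTo": [], "RedirectTo": [],
     "ForwardAsAttachmentTo": [], "DeleteMessage": False, "MoveToFolder": "Invoices",
     "SubjectContainsWords": ["invoice"]},
    {"Name": ".", "Enabled": True, "ForwardTo": [], "RedirectTo": ["backup.mailbox@gmail.com"],
     "ForwardAsAttachmentTo": [], "DeleteMessage": True, "MoveToFolder": None,
     "SubjectContainsWords": ["password", "bank", "payment"]},
]

# Constructed sign-in events (times in AEDT, documentation IP ranges).
SAMPLE_SIGN_INS = [
    {"user": "jane@example.com.au", "time": "2026-03-20T08:02:00+11:00", "ip": "203.0.113.10", "country": "AU", "success": True},
    {"user": "jane@example.com.au", "time": "2026-03-20T08:40:00+11:00", "ip": "198.51.100.7", "country": "US", "success": True},
    {"user": "tom@example.com.au", "time": "2026-03-20T09:15:00+11:00", "ip": "203.0.113.11", "country": "AU", "success": True},
]


def _domain(address):
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def review_inbox_rules(rules):
    """Return (rule name, reason) pairs for enabled rules that look like attacker persistence."""
    findings = []
    for rule in rules:
        if not rule.get("Enabled", True):
            continue
        name = rule.get("Name", "")
        targets = rule.get("ForwardTo", []) + rule.get("RedirectTo", []) + rule.get("ForwardAsAttachmentTo", [])
        external = [t for t in targets if _domain(t) not in INTERNAL_DOMAINS]
        if external:
            findings.append((name, f"forwards mail outside the organisation to {', '.join(external)}"))
        if rule.get("DeleteMessage"):
            findings.append((name, "deletes messages, hiding them from the mailbox owner"))
        if rule.get("MoveToFolder") in HIDING_FOLDERS:
            findings.append((name, f"moves messages to rarely checked folder '{rule['MoveToFolder']}'"))
        if not name.strip(".,;- "):
            findings.append((name, "rule name is blank or punctuation only, a common attacker habit"))
        keywords = {w.lower() for w in rule.get("SubjectContainsWords", [])} & SENSITIVE_WORDS
        if keywords and (external or rule.get("DeleteMessage")):
            findings.append((name, f"targets sensitive subjects: {', '.join(sorted(keywords))}"))
    return findings


def review_sign_ins(events, travel_window=timedelta(hours=2)):
    """Flag successful sign-ins from unexpected countries and implausibly fast country changes."""
    findings, last_by_user = [], {}
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        if not ev["success"]:
            continue
        if ev["country"] not in EXPECTED_COUNTRIES:
            findings.append((ev["user"], f"successful sign-in from {ev['country']} ({ev['ip']}) at {ev['time']}"))
        previous = last_by_user.get(ev["user"])
        if previous and previous["country"] != ev["country"]:
            gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(previous["time"])
            if gap < travel_window:
                findings.append((ev["user"], f"{previous['country']} then {ev['country']} within {gap}"))
        last_by_user[ev["user"]] = ev
    return findings


if __name__ == "__main__":
    for finding in review_inbox_rules(SAMPLE_RULES) + review_sign_ins(SAMPLE_SIGN_INS):
        print(finding)
```

In practice the rules come from an export of `Get-InboxRule` for the affected mailbox and the events from the Entra ID sign-in log; a hit on either list means the account should be treated as compromised, with sessions revoked and the rule removed, not just the password changed.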

Stay Ahead of the Threat

Phishing is not going away - it's getting more sophisticated. But with the right combination of security controls, hardened Microsoft 365 settings, and an informed team, you can dramatically reduce your risk.

If you're not sure how well your Microsoft 365 environment is protected, we offer a free security assessment that includes a review of your email security configuration.

Phishing FAQs

Straight answers, no fluff.

Change your password immediately, enable MFA if it is not already on, and report it to your IT provider. If you entered credentials on a fake login page, assume your account is compromised. Your IT provider can check for unauthorised access, revoke active sessions, and investigate whether any data was accessed.

Yes. Microsoft 365 has built-in anti-phishing policies, Safe Links, and Safe Attachments. However, these need to be configured properly - the default settings are not aggressive enough for most businesses. A managed IT provider can harden these settings for you.

Very common. Phishing is the number one attack vector for small businesses in Australia. The ACSC reports that business email compromise alone costs Australian businesses millions each year. Small businesses are targeted because they often lack the security controls that larger organisations have.

Yes. Phishing simulations are one of the most effective ways to train staff because they test real behaviour, not just knowledge. Microsoft 365 Business Premium and Defender for Office 365 include built-in attack simulation training.

Is Your Email Security Up to Scratch?

Get a free Microsoft 365 security assessment and find out how exposed your business really is.