Recognizing Phishing and Social Engineering
Identify phishing emails, suspicious links, and social engineering attempts before they succeed — the single most important skill for preventing security incidents in a medical office.
Lesson Notes
Read through the key concepts before you try the challenge.
Anatomy of a Phishing Email
Phishing emails have consistent characteristics that become easy to spot once you know what to look for. Learning to analyze each element quickly is a skill that protects you every day:
- The sender address — look at the actual email address, not just the display name. A phishing email may show 'Microsoft Security Team' as the sender name while the actual address is 'security@microsoft-alerts.biz.' In Outlook, hover over the sender name to see the actual address, or click the sender name to expand it. The domain (@microsoft.com for Microsoft, @hhs.gov for HHS) must match the legitimate organization — not a look-alike.
- The link destination — hover over any link without clicking to see its actual destination URL in the bottom of the browser or in a tooltip. 'Click here to verify' pointing to 'microsoftonline-security.com' is not a Microsoft URL. A real Microsoft link goes to microsoft.com or microsoftonline.com (the real Office 365 domain). Check the root domain carefully — attackers use subdomains like 'login.microsoft-account-verify.net' where 'login.microsoft' looks right but the root domain is 'microsoft-account-verify.net.'
- Urgency and threats — phishing emails almost always create artificial urgency: 'within 24 hours,' 'account will be suspended,' 'immediate action required,' 'final notice.' Legitimate services do not suspend accounts without significant advance warning through multiple channels. Any email that demands immediate action with threats of account closure, legal action, or financial penalty should be treated as suspicious until verified through an independent channel.
- Generic greetings — phishing emails sent to large numbers of people cannot personalize each one. 'Dear Customer,' 'Dear User,' 'Dear Account Holder' in an email supposedly from a service that knows your name is a warning sign. Your actual bank, Microsoft, or health insurance company knows your name and uses it.
- Attachments claiming to be invoices, contracts, or important documents — fake invoice PDFs and Word documents (.doc files with macros enabled) are the most common malware delivery method in phishing campaigns. Never open an attachment from an unexpected email without verifying the sender is legitimate through a separate channel (call the sender, do not reply to the email).
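The sender, link, urgency and greeting checks from this list, written up as a small Python checker (an added example, not part of the lesson) and run over a constructed message assembled from the lesson's own example strings; the legitimate-domain allowlist, the phrase lists and the two-label root-domain rule are assumptions for illustration.

```python
import re
from urllib.parse import urlparse

# Assumed allowlist built from the domains the lesson calls legitimate.
LEGIT_DOMAINS = {"microsoft.com", "microsoftonline.com", "hhs.gov"}
# Urgency phrases and generic greetings quoted in the lesson's checklist.
URGENCY_PHRASES = ("within 24 hours", "account will be suspended",
                   "immediate action required", "final notice")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")

def root_domain(host):
    """Last two labels of a hostname: 'login.microsoft-account-verify.net' gives
    'microsoft-account-verify.net'. Simplification: 'co.uk'-style suffixes are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(from_header):
    """Root domain of the real address in a From header, ignoring the display name."""
    match = re.search(r"<([^>]+)>", from_header)
    address = match.group(1) if match else from_header
    return root_domain(address.rsplit("@", 1)[-1].strip())

def phishing_indicators(from_header, body, links):
    """Return the checklist indicators that fire on one message."""
    found = []
    domain = sender_domain(from_header)
    if domain not in LEGIT_DOMAINS:
        found.append("sender domain %s is not a legitimate domain" % domain)
    for url in links:  # judge each link by its root domain, not its subdomain
        link_root = root_domain(urlparse(url).hostname or "")
        if link_root not in LEGIT_DOMAINS:
            found.append("link root domain %s is a look-alike" % link_root)
    lowered = body.lower()
    for phrase in URGENCY_PHRASES:
        if phrase in lowered:
            found.append("urgency phrase: %r" % phrase)
    for greeting in GENERIC_GREETINGS:
        if lowered.lstrip().startswith(greeting):
            found.append("generic greeting: %r" % greeting)
    return found

# Constructed sample message built from the lesson's own example strings.
SAMPLE_FROM = "Microsoft Security Team <security@microsoft-alerts.biz>"
SAMPLE_BODY = ("Dear Customer, we detected unusual sign-in activity. Immediate action "
               "required: verify within 24 hours or your account will be suspended.")
SAMPLE_LINKS = ["https://login.microsoft-account-verify.net/verify",
                "https://login.microsoftonline.com/"]  # second link is a real domain

print(phishing_indicators(SAMPLE_FROM, SAMPLE_BODY, SAMPLE_LINKS))
```

The second sample link is not flagged because its root domain is microsoftonline.com, which is the point of checking the root domain rather than the left-hand labels.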
Social Engineering Techniques
Social engineering is manipulation that exploits human psychology rather than technical vulnerabilities. Understanding the psychological levers attackers pull helps you recognize attempts in real time:
- Authority — attackers impersonate authority figures (your CEO, your IT manager, a government official, a physician) to create compliance. 'This is Dr. Walsh — I need you to transfer $500 in gift cards to cover an emergency expense and I'll reimburse you' is a common executive impersonation scam. Real authority figures follow established procedures for financial transactions — they do not ask you to break protocol in an urgent, unverifiable situation.
- Scarcity and urgency — creating time pressure prevents you from thinking clearly or verifying the request. 'If you do not provide this information in the next 10 minutes, the account will be deleted permanently' is designed to make you act before you can think. Slow down. Legitimate urgency is almost always verifiable — a real emergency at the clinic does not require you to bypass security procedures.
- Reciprocity — attackers provide something (a 'free' software tool, a helpful piece of information, a favor) to create a feeling of obligation. This is less common in email phishing but frequent in phone-based social engineering: 'I noticed a problem with your account and fixed it — I just need your verification code to confirm the fix.' Nothing they 'fixed' requires your password or verification code in return.
- Liking and familiarity — attackers research their targets and reference familiar details (your name, your organization, a recent news event about your clinic) to seem trustworthy. A spear phishing email that references a specific provider's name, a recent procedure, or a current patient situation feels legitimate because the details are real. The attacker found this information through public sources, social media, or a prior breach. Familiarity is not verification.
What to Do with a Suspicious Email
The correct response to a suspicious email depends on what made you suspicious and how confident you are that it is malicious:
- Do not click, reply, or forward a suspicious email — any of these actions can trigger malware, confirm your email address is active (making you a better phishing target in the future), or spread the phishing email to your colleagues.
- Report it to IT using your organization's reporting mechanism — in Outlook, there may be a 'Report Phishing' or 'Report Junk' button added by your IT department. Alternatively, forward the email as an attachment (not inline, because forwarding as an attachment preserves the original message headers IT needs to trace the sender) to your IT security contact. Reporting suspicious emails helps IT block the sender, warn others, and track attack campaigns targeting your organization.
- Verify through an independent channel if you are uncertain — if an email claiming to be from Microsoft says your account is compromised, do not click the link in the email. Open a browser tab and go to account.microsoft.com directly to check your account status. If an email claiming to be from a vendor asks you to pay an invoice, call the vendor using a number from their official website (not from the email) to verify.
- Delete confirmed phishing emails after reporting — once you have reported a phishing email to IT, delete it from your inbox. Do not leave suspicious emails in your inbox where they might be accidentally opened later.
Knowledge Check
You receive an email that appears to be from your IT department saying your password expires today and to click a link immediately. What is your first step?
Challenge
Apply what you've learned in this lesson.
Develop your phishing analysis skills with these exercises.
- Analyze the following email excerpt and identify at least 5 phishing indicators: 'From: security@microsoft-365-account.net | Subject: URGENT: Your Account Will Be Suspended | Dear Microsoft User, We detected suspicious activity on your account. You must verify your identity by clicking the button below within 24 hours. Failure to do so will result in permanent account closure. [VERIFY NOW] This message was sent to ensure account security.' Write each indicator as a one-sentence explanation.
- Visit the Google Phishing Quiz (phishingquiz.withgoogle.com) and complete the 8-question exercise. Screenshot your final score.
- Write a one-page Phishing Recognition Guide for Lakeside Medical Associates new staff covering: 5 warning signs of a phishing email, 3 social engineering techniques to watch for, and a 3-step response procedure. Save as 'LMA_PhishingGuide_2025-05.docx'.
- Role-play with a classmate or supervisor: one person calls the other pretending to be IT and asks for a password, verification code, or remote access. The receiver should practice recognizing the social engineering attempt and responding correctly (refuse and verify through official channels). Write a 2-sentence reflection on what felt difficult about resisting the request.