Microsoft phishing scam – Don’t click that email

Over the past few weeks, our readers have been writing in to tell us that they have been receiving suspicious-looking emails, presumably from Microsoft, warning that their Microsoft password has expired. There is a big blue button in this email that says “Keep Password”. The subject header reads “High-severity Alert – Service request”.

The high severity alert here actually is that YOU SHOULD NOT CLICK THIS EMAIL!

This is another example of a phishing attack you should be aware of.

What is a phishing attack?

A phishing scam is one where criminals pretend to be real organizations in their email and text message communications in order to steal your personal information.

How to detect an email phishing scam

In the screengrab above from our Microsoft email, there are a few tell-tale signs that this is not real.

  • In the email screengrab above, it says the email is from Support. That seems like it could be legitimate; however, my Microsoft Outlook inserted a red ! next to the word, telling me that it is an invalid email address.
  • In the email above, the scammer wants to induce panic and urgency when you see “High-severity alert” and “Action required!”
  • Note the Microsoft logo in the email isn’t quite right. I will typically go to the actual website to look at the logo to compare.
  • THE BIGGEST FLAG I always look for: when I am on my desktop or laptop (not phone or tablet), I hover my mouse over the button. I NEVER click the button; I just hover over it. When I do this, the link address of the button is revealed. As you’ll see in the screengrab above, the address is not from microsoft.com, but from another random address.
      • As noted above, you cannot hover over a link on your phone or tablet, and because you could end up clicking the link by accident, don’t even try it.

Remember not to react quickly to these emails. Always take a second to question whether what you’re receiving is real or not. If you do question the authenticity of the email, go directly to the merchant source by typing it in your browser (i.e. “microsoft.com”), log into your account and look to see if there is a message there indicating that you need to change your password.

Another phishing variation of the same email

We recently received this variation of the email above, now asking us to “retain the same password”. Again, note the return address, and you’ll see that when I carefully hover my mouse over the button, the web address goes to some random site.

5 precautions to protect against phishing attacks

  1. Always keep your iOS or Android software up to date.
  2. Keep your browsers up to date.
  3. Question every email that comes in that indicates there is some sort of alert.
  4. Go to the company source to see if there is truly an issue.
  5. Install good security protection on all of your devices for the best protection. My top pick is TotalAV (limited time deal: $19 your first year, 80% off). More: Best Antivirus Protection in 2022 found here.

 
