
How to recognize phishing email messages or links

Phishing email messages are designed to steal your identity. They ask for personal data directly, or direct you to websites or phone numbers where you are asked to provide personal data. A few clues can help you spot fraudulent email messages or the links within them.

What does a phishing email message look like?

Phishing email messages take a number of forms:

  • They might appear to come from your bank or financial institution, a company you regularly do business with, such as Microsoft, or from your social networking site.

  • They might appear to be from someone you know in your email address book.

  • They might ask you to make a phone call. Phone phishing scams direct you to call a phone number where a person or an audio response unit waits to take your account number, personal identification number, password, or other valuable personal data.

  • They might include official-looking logos and other identifying information taken directly from legitimate websites, and they might include convincing details about your personal history that scammers found on your social networking pages.

  • They might include links to spoofed websites where you are asked to enter personal information.

Here is an example of what a phishing scam in an email message might look like.

Figure: Example of a phishing email message that includes a threat of account closure and malicious links designed to trick you into entering your account information.

To make these phishing email messages look even more legitimate, the scam artists use graphics that appear to go to the legitimate websites (Windows Live Hotmail and Woodgrove Bank, respectively), but actually take you to a phony scam site or possibly a pop-up window that looks exactly like the official site.

Here are a few phrases that are commonly used in phishing email scams:

"Verify your account."

Businesses should not ask you to send passwords, logon information or user names, Social Security numbers, or other personal information through email.

If you receive an email message from Microsoft or any other business asking you to update your credit card information, do not respond: This is a phishing scam.

"You have won the lottery."

The lottery scam is a common phishing scam known as advance fee fraud. One of the most common forms of advance fee fraud is a message that claims that you have won a large sum of money, or that a person will pay you a large sum of money for little or no work on your part. The lottery scam often includes references to big companies, such as Microsoft. There is no Microsoft Lottery. For more information, see What is the Microsoft Lottery scam?

"If you don't respond within 48 hours, your account will be closed."

These messages convey a sense of urgency so that you'll respond immediately without thinking. A phishing email message might even claim that your response is required because your account might have been compromised.

What does a phishing link look like?

Sometimes phishing email messages direct you to spoofed websites.

HTML-formatted messages can contain links or forms that you can fill out just as you would fill out a form on a legitimate website.

Phishing links that you are urged to click in email messages, on websites, or even in instant messages may contain all or part of a real company's name. They are usually masked: the address you see is not the address the link actually takes you to, which is usually an illegitimate website.

Notice in the following example that resting (but not clicking) your mouse pointer on the link reveals the real web address, as shown in the box with the yellow background. The string of cryptic numbers looks nothing like the company's web address. This is a suspicious sign.

Figure: Example of a masked web address.

Cybercriminals also use web addresses that resemble the names of well-known companies but are slightly altered by adding, omitting, or transposing letters. For example, the address "www.microsoft.com" could appear instead as:

  • www.micosoft.com

  • www.mircosoft.com

  • www.verify-microsoft.com

This is called "typo-squatting" or "cybersquatting."
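The two clues described above (a link whose real target differs from the address it displays, and a target domain that is a near-miss of a well-known name) can both be checked mechanically. The following Python script is an added example, not part of this article or of any Microsoft tool: it pulls the links out of an HTML message, reports when the visible text names a different domain than the real target or when the target is a bare IP address, and compares the target against a small list of known domains using an edit distance that counts added, omitted, substituted and transposed letters as one change each. The known-domain list, the sample message and the fictional bank name are constructed for the example; the "registrable domain" helper is a deliberate simplification (last two labels only) rather than a public-suffix lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list for the example (assumption: a real deployment would
# load the organisation's own list of brands it expects mail to link to).
KNOWN_DOMAINS = ("microsoft.com", "woodgrovebank.com", "hotmail.com")

# Constructed sample message modelled on the scam described in the article.
SAMPLE_EMAIL_HTML = """
<p>Your account will be closed in 48 hours unless you verify it.</p>
<a href="http://192.0.2.10/login">www.woodgrovebank.com</a>
<a href="http://www.mircosoft.com/verify">Verify your Microsoft account</a>
<a href="https://www.microsoft.com/">www.microsoft.com</a>
"""

IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")
VISIBLE_DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _AnchorCollector()
    parser.feed(html)
    return parser.links


def registrable_domain(host):
    """Simplified 'last two labels' view of a host (assumption: no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or
    transpose two adjacent letters each cost 1, matching the article's
    'adding, omitting, or transposing letters'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def assess_link(href, visible_text):
    """Return the list of reasons a link looks suspicious (empty means none found)."""
    reasons = []
    host = (urlparse(href).hostname or "").lower()
    if not host:
        return ["no host in href"]
    is_ip = IPV4_RE.fullmatch(host) is not None
    target = host if is_ip else registrable_domain(host)

    # Clue 1: masked link, the text shows one domain but the href goes elsewhere.
    shown = VISIBLE_DOMAIN_RE.search(visible_text.lower())
    if shown and registrable_domain(shown.group(0)) != target:
        reasons.append(f"visible text says {shown.group(0)} but link goes to {host}")

    # Clue 2: the 'string of cryptic numbers' instead of a company name.
    if is_ip:
        reasons.append(f"link target is a raw IP address ({host})")

    # Clue 3: look-alike or brand-embedding domain that is not the real one.
    if target not in KNOWN_DOMAINS:
        for known in KNOWN_DOMAINS:
            brand = known.split(".")[0]
            if osa_distance(target, known) <= 2:
                reasons.append(f"{target} is a near-miss of {known}")
            elif brand in host:
                reasons.append(f"{host} embeds brand name '{brand}' but is not {known}")
    return reasons


def scan_email(html):
    """Map each href in the message to its list of warnings."""
    return {href: assess_link(href, text) for href, text in extract_links(html)}


if __name__ == "__main__":
    for link, warnings in scan_email(SAMPLE_EMAIL_HTML).items():
        print(link, "->", warnings or "looks consistent")
```

In the sample message the genuine microsoft.com link produces no warnings, the IP-address link is flagged twice (masked text and raw IP), and the transposed-letter domain is reported as a near-miss of microsoft.com. A threshold of 2 edits is a reasonable starting point for short brand names, but on a real allow-list it should be tuned against the legitimate subdomains and partner domains the organisation actually mails from, since those are exactly the strings a look-alike is trying to resemble.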

For more information about phishing, see Email and web scams: How to help protect yourself.