The old advice is still true: don’t trust anything you see on the internet.
Within reason, of course: we work hard to make sure this blog is fact-based and trustworthy. But the big-picture advice is still good advice: how can you know for sure our team wrote this and that the whole post isn’t just the figment of a genAI’s imagination?
There are signs, like the way this introduction is going. (Not your standard opening, that’s for sure!)
So what’s our point? While you can learn a lot online, and you rely on it for a massive slice of your business, you still can’t take everything you see at face value.
A recent report looked at a huge number of phishing attempts — those fraudulent emails that pretend to be from someone else and try to get you to give up sensitive information — and found that one company was the undisputed “leader”: more than ⅓ of phishing emails impersonating a brand chose Microsoft.
If your business does business with Microsoft (and if you’re reading this on a Windows PC, you definitely do), then this statistic should be sobering.
Most-Spoofed: What It Doesn’t Mean
Before we get into what this means and what you can do, we want to be very clear for any lawyers in the room: Microsoft hasn’t done anything wrong here. The only thing it did “wrong” was become one of the biggest business tech companies, an entity that millions of office workers consider trustworthy and safe. The company’s size, reach, and overall trustworthiness are the reason scammers try to impersonate the brand.
It also doesn’t mean you can safely start ignoring any and all emails from Microsoft, because some of them are real, and some of those may well be pretty important.
Most-Spoofed: What It Does Mean
In a nutshell, more scammers are pretending to be Microsoft than any other business when they contact potential victims, across email, text messages, and even phone calls.
They’re taking advantage of the way that most people associate Microsoft with business, stability, and even authority, trying to get people to give up their credentials or sensitive business information.
And then, just like any other phishing expedition, the bad guys craft some kind of urgent message or crisis, something you must take action on right away. Something like “click to confirm your account now or it will be permanently deleted” or “Your invoice for some exorbitant amount is attached. If this isn’t right, click now”.
Of course, if you click, you land on a fake website that looks an awful lot like an actual Microsoft website. And whatever information you give them — username, password, banking or payment info — goes straight into the hands of the bad guys.
The Big Takeaway
So the big takeaway for you and your team: never assume an urgent message is legitimate without slowing down and looking closely. If it sounds fishy, it probably is. Microsoft is never going to randomly close your account or do anything that sounds drastic and ominous based on just a single email.
One Giveaway: URLs and Email Addresses
One quick way to spot a scammy message is to look closely at the URL (the link) or the email address itself (not just the name that shows in your email client). Scammers love to use a trick like this: where a legit Microsoft email address would end in @microsoft.com, a scammer might use @microsoft.ascam.com (put anything you like in the middle section there). The same goes for URLs: microsoft.com/example is not the same thing as microsoft.ascam/example. What matters is what the domain ends with, not whether the word “Microsoft” shows up somewhere in it.
You’d never click a link to ascam.com/stealyouridentity, right? But by sticking the term “Microsoft” into the link, scammers know that more people will be fooled.
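For teams that want to automate that check in a mail filter or triage script, here is a sketch in Python. It is an added example, not code from the report or from Microsoft. The trusted-domain list, the function names, and the sample sender and links are assumptions built from the examples above, and a real allow-list would need every domain your vendor actually sends from.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumptions for this example: one trusted domain and one brand keyword.
TRUSTED_DOMAINS = {"microsoft.com"}
BRAND = "microsoft"

def classify_host(host):
    """Return 'trusted', 'lookalike' or 'other' for a hostname."""
    host = (host or "").strip().rstrip(".").lower()
    # Trusted only if the host IS the domain or ends with ".<domain>".
    # The leading dot keeps "notmicrosoft.com" from matching.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # The brand name appears, but not at the end where it counts.
    if BRAND in host:
        return "lookalike"
    return "other"

def classify_sender(from_header):
    """Judge a From: header by its real address, ignoring the display name."""
    _display_name, address = parseaddr(from_header)
    return classify_host(address.rpartition("@")[2])

def classify_link(url):
    """Judge a link by its hostname only; the path is irrelevant."""
    if "//" not in url:
        url = "//" + url  # lets urlsplit parse links written without a scheme
    return classify_host(urlsplit(url).hostname)

if __name__ == "__main__":
    # Constructed samples, based on the examples in the text above.
    samples = [
        ("sender", '"Microsoft Account Team" <security@microsoft.ascam.com>'),
        ("sender", "Microsoft <no-reply@microsoft.com>"),
        ("link", "https://microsoft.com/example"),
        ("link", "microsoft.ascam/example"),
        ("link", "https://ascam.com/stealyouridentity"),
    ]
    for kind, value in samples:
        verdict = classify_sender(value) if kind == "sender" else classify_link(value)
        print(f"{verdict:9}  {value}")
```

A "lookalike" verdict is the case described above: the brand name is in the address, but the domain does not end in the real one.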
One last thought: better cyber security tools and better credentialing (like multi-factor authentication or MFA) can help reduce both the number of attacks that get through and the damage those attacks can do. We can help with both. Reach out today!