Email Security

What Is Phishing?

Phishing tricks employees into clicking links, opening files, sharing credentials, or approving fraudulent requests.

Quick Answer

Phishing is a social engineering attack that uses trust, urgency, and normal business routines to get users to make a mistake.

  • Fake Microsoft 365 logins are common
  • Vendor compromise is especially dangerous
  • MFA and reporting reduce damage

Phishing Is a Trick, Not Just a Bad Email

Phishing is a social engineering attack where someone tries to trick a user into giving up information, clicking a malicious link, opening a dangerous attachment, approving a login, or sending money. Most people think phishing means a poorly written email from a stranger. Modern phishing is often much more convincing than that.

A phishing message may look like it came from Microsoft, a bank, a customer, a vendor, a delivery company, a hotel booking system, a government agency, or even the business owner. The goal is not to break through a firewall. The goal is to get an employee to open the door.

Why Phishing Works

Phishing works because it targets normal business behavior. Employees expect invoices. Managers approve payments. Staff reset passwords. Vendors send documents. Customers ask questions. Microsoft 365 prompts people to sign in all the time.

Attackers build messages around urgency, fear, routine tasks, and trust. A message may say an account will be closed, a payment failed, a voicemail is waiting, a document needs review, or a password is about to expire.

Common Phishing Examples

  • Fake Microsoft 365 login pages
  • Fake invoice attachments
  • Voicemail notification scams
  • Shared document links
  • Shipping and delivery notices
  • Password expiration warnings
  • Gift card requests
  • Banking or payment changes
  • Vendor account compromise emails

Business Email Compromise

One of the most damaging forms of phishing is business email compromise. Instead of sending obvious spam, attackers compromise a real email account and use it to send believable messages.

If a vendor’s mailbox is compromised, a fake payment change request may come from a real email thread. If an employee mailbox is compromised, attackers may create forwarding rules, search for invoices, impersonate leadership, or send phishing messages to customers.

Warning Signs of Phishing

Employees should slow down when a message includes unusual urgency, unexpected attachments, requests for passwords, payment changes, gift card requests, strange links, grammar that does not match the sender, or login prompts from links in email.

The absence of obvious errors does not make a message safe. Many phishing messages are clean, well written, and based on real business context.

Why MFA Matters

Multi-factor authentication reduces the damage from stolen passwords. If an employee enters a password into a fake login page, MFA may prevent the attacker from accessing the account. MFA is not perfect, but it is one of the most important protections a business can enable.

What To Do If Someone Clicks a Phishing Link

Do not shame the employee. Fast reporting matters more than blame. Change the password, revoke sessions, review mailbox rules, check sign-in logs, scan the endpoint, and review whether any data, money, or accounts were affected.
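The "review mailbox rules" step above, and the forwarding rules mentioned under Business Email Compromise, can be checked with a short script. This is an added example, not code from the original page or from Northern Computer Services. The field names are loosely modelled on Exchange Online inbox rule properties, and the simplified record layout, keyword list, folder list, and sample rules are assumptions constructed for illustration. The check for rules that hide finance-related mail goes beyond the forwarding rules the page mentions.

```python
# Added example: flag inbox rules that forward mail outside the company or hide
# finance-related messages. Record layout and sample data are constructed.
FINANCE_WORDS = {"invoice", "payment", "wire", "bank", "remittance"}
HIDING_FOLDERS = {"rss feeds", "conversation history", "deleted items", "junk email"}
FORWARD_FIELDS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")

def domain_of(address):
    """Return the lower-cased domain of an SMTP address, or '' if malformed."""
    local, sep, domain = address.strip().rpartition("@")
    return domain.lower() if sep and local and domain else ""

def review_rule(rule, internal_domains):
    """Return a list of human-readable findings for one inbox rule."""
    findings = []
    for field in FORWARD_FIELDS:
        for addr in rule.get(field) or []:
            # A malformed address has no domain and is treated as external.
            if domain_of(addr) not in internal_domains:
                findings.append(f"{field} sends mail to external address {addr}")
    words = {w.lower() for w in rule.get("SubjectOrBodyContainsWords") or []}
    folder = (rule.get("MoveToFolder") or "").lower()
    hides = rule.get("DeleteMessage") or folder in HIDING_FOLDERS
    if hides and words & FINANCE_WORDS:
        matched = ", ".join(sorted(words & FINANCE_WORDS))
        findings.append(f"hides messages mentioning: {matched}")
    return findings

def review_mailbox(rules, internal_domains):
    """Map rule name -> findings for every rule with at least one finding."""
    internal = {d.lower() for d in internal_domains}
    report = {}
    for rule in rules:
        findings = review_rule(rule, internal)
        if findings:
            report[rule.get("Name", "(unnamed)")] = findings
    return report

# Constructed sample rules for one mailbox at the hypothetical domain example.com.
SAMPLE_RULES = [
    {"Name": "Newsletters", "MoveToFolder": "Newsletters",
     "SubjectOrBodyContainsWords": ["unsubscribe"]},
    {"Name": ".", "ForwardTo": ["collector@mail.example.net"]},
    {"Name": "cleanup", "MoveToFolder": "RSS Feeds",
     "SubjectOrBodyContainsWords": ["Invoice", "Payment"]},
    {"Name": "To assistant", "RedirectTo": ["pat@example.com"]},
]

if __name__ == "__main__":
    for name, findings in review_mailbox(SAMPLE_RULES, {"example.com"}).items():
        print(f"{name}: {'; '.join(findings)}")
```

Any rule it reports should be confirmed with the mailbox owner before removal, and kept as evidence of when the account was accessed.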

Frequently Asked Questions

Is phishing always email?

No. Phishing can happen through text messages, phone calls, chat platforms, social media, and fake websites.

Can MFA stop phishing?

MFA reduces risk, but some advanced phishing attacks can still trick users. It should be combined with monitoring and user training.

What is business email compromise?

Business email compromise happens when attackers use a real or impersonated business email account to commit fraud or steal information.

Should employees report suspicious emails?

Yes. Fast reporting helps IT review threats before they spread or cause damage.

Can phishing lead to ransomware?

Yes. Phishing can steal credentials or deliver malware that later leads to ransomware.

Need Help Securing Your Business?

Northern Computer Services helps Northern Michigan businesses improve security with managed IT, Microsoft 365 security, endpoint protection, DNS filtering, backups, and practical cybersecurity planning.