Staff guide
A phishing email is designed to trick you into clicking a link, opening an attachment, or approving a sign-in. For Australian SMBs, one busy moment can lead to account takeover, invoice fraud, or malware. This guide covers the five most common characteristics of phishing emails using current examples.
Attackers go after everyday workflows. They copy Microsoft 365 alerts, Teams notifications, supplier invoices, and MFA prompts because they look normal. Phishing succeeds when people are rushed and verification steps are skipped.
If something feels slightly off, treat that feeling as a signal to slow down.
The five signs
Many phishing emails look polished. Do not rely on spelling mistakes. Focus on behavioural red flags such as urgency, unexpected sign-ins, and requests that break normal process.
Phishing relies on emotion. The message tries to rush you so you skip normal checks, often using threats, short deadlines, or final warning language.
A Microsoft 365 style alert claims your password has expired or that unusual sign-in activity was detected. It includes a button such as Review activity or Keep my account.
Figure: a fake Microsoft 365 security alert, annotated to highlight the urgency phrases, the generic greeting and the main call-to-action button. Real alerts should be verified by opening Microsoft 365 directly, not via the email link.
Attackers commonly use display name tricks. The name might look legitimate, but the underlying email address is different or slightly altered.
A Microsoft Teams notification claims you were mentioned in a chat with a link to View message. The sender name looks real, but the email address is external or off-domain.
Figure: a convincing display name shown beside the expanded sender details, highlighting the actual email address and any suspicious domain variations, with a callout showing how staff can expand the sender details in their email client.
Prevention note: email security controls can reduce these messages reaching staff and flag impersonation patterns.
A common characteristic of phishing emails is that they try to make you authenticate or approve access when you did not start the process. This includes credential harvesting pages and MFA fatigue attacks.
You receive repeated Microsoft sign-in prompts on your phone and a matching email asking you to verify the request. The goal is to wear you down until you approve a prompt.
Figure (two parts): the email pushing you to verify a sign-in, and the run of MFA prompts that accompanies it, with Approve highlighted. Unexpected MFA prompts should be denied and reported.
Uplift note: consistent MFA configuration and support reduce approval mistakes. See Duo MFA rollout and support.
Most phishing emails include a link or attachment. The label might look familiar, but the destination is different, or the attachment leads to a fake login screen.
An email with an invoice attached includes a PDF or HTML file. When opened, it shows a "secure document" page and asks you to sign in to view it. Another version uses a fake file-sharing link that redirects to a lookalike login page.
Figure: a phishing email with a View document link and an attachment, with callouts explaining how to hover or long-press to preview link destinations. An unexpected sign-in prompt after opening a document is a red flag.
Protection note: DMARC, SPF and DKIM help reduce spoofing and improve detection signals.
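The sender-mismatch check (display name versus the real address and Reply-To) and the link-mismatch check (link text versus destination) described above can be automated at the mail gateway or in a triage script. The Python below is an added example, not part of the original guide or any Milnsbridge tool: it runs those two checks, plus a simple urgency-phrase check, over a constructed Teams-style lure. The organisation's domain `example.com.au`, every address and every URL in the sample are made up for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample (not a real message): a Teams-style lure whose display
# name looks legitimate while the address, Reply-To and link target are off-domain.
SAMPLE_EML = """\
From: "Microsoft Teams" <noreply@teams-notifications.example>
Reply-To: support@secure-login.example
To: staff@example.com.au
Subject: Action required: you were mentioned in a chat
Content-Type: text/html

<p>Your account will be locked in 24 hours.</p>
<a href="http://secure-login.example/auth">https://teams.microsoft.com/l/message</a>
"""

# Phrases the guide calls out: threats, short deadlines and final-warning language.
URGENCY = re.compile(r"\b(action required|urgent|final warning|locked|expire[sd]?|within \d+ hours?)\b", re.I)
# Good enough for simple HTML bodies; a production scanner should use a real HTML parser.
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def host(url):
    """Host part of a URL or bare domain, lower-cased ('' if none)."""
    m = re.match(r"^(?:https?://)?([^/\s<>]+)", url or "")
    return m.group(1).lower() if m else ""

def domain_of(addr):
    return addr.rpartition("@")[2].lower()

def phishing_indicators(raw, own_domain):
    """Return the red flags found in a raw RFC 5322 message (signals, not proof)."""
    msg = email.message_from_string(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(str(msg.get("From", "")))
    if domain_of(addr) != own_domain.lower():
        flags.append(f"sender '{name}' is off-domain: {addr}")
    _, reply = parseaddr(str(msg.get("Reply-To", "")))
    if reply and domain_of(reply) != domain_of(addr):
        flags.append(f"Reply-To goes elsewhere: {reply}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if URGENCY.search(str(msg.get("Subject", ""))) or URGENCY.search(text):
        flags.append("urgency or threat language present")
    for href, label in ANCHOR.findall(text):
        if host(label) and host(label) != host(href):
            flags.append(f"link text shows {host(label)} but points to {host(href)}")
    return flags
```

Calling `phishing_indicators(SAMPLE_EML, "example.com.au")` returns four flags for the sample; an off-domain sender on its own is only a prompt to expand the sender details, which is the check the guide asks staff to make.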
Phishing often targets finance and approvals. The request is framed as urgent or confidential to stop you verifying. This includes invoice scams and supplier bank detail changes.
An email impersonates a supplier, states that its banking details have changed, and asks you to pay an invoice into a new account. Another version impersonates a director requesting an urgent payment "while I am in a meeting".
Figure: an invoice email requesting a bank detail change, highlighting the changed bank details, the urgency language and the reply instruction. Verify changes using a known phone number, not the one in the email.
Layering note: combine process controls with managed email security to reduce exposure.
Printable reference
Print this and keep it near the desk, or share it internally in Teams. One yes is enough to pause and verify.
Print tip: use your browser print function and select background graphics if you want the styling to appear on paper.
Immediate actions
Speed matters. Reporting early can prevent account takeover and limit impact. These steps are written for general office staff.
FAQ
These question and answer pairs are suitable for FAQ schema markup.
A common characteristic of a phishing email is pressure to act quickly, usually paired with a link or attachment. The message might claim your Microsoft 365 password is expiring, that a file was shared in Teams, or that an invoice needs urgent action. The safest habit is to slow down and verify the request using a trusted pathway, such as opening the official app directly or calling the person on a known number.
Look for phishing indicators such as urgency, sender mismatch, unexpected sign-in prompts, suspicious link destinations, and requests that bypass normal approval processes. Modern phishing can be well-written and look legitimate, so do not rely on spelling mistakes. When unsure, do not click. Report it and verify before taking action.
Do not click links or open attachments. Report it to your IT support and follow your internal reporting process. If you need to show someone what you saw, share the sender details and context rather than forwarding the email to others. Organisational controls like email security also help reduce these messages reaching staff.
Yes. Attackers often impersonate staff using display name tricks, or they may send messages from a compromised mailbox. Treat unexpected requests for payments, password resets, or file access with caution even if the email appears internal. Verify the request using a known contact method, and do not rely on the contact details provided in the email.
No. Many current phishing templates are polished and copy legitimate branding. Focus on underlying red flags such as unexpected sign-ins, link destinations, and process-bypass requests. Combining staff awareness with technical measures such as DMARC, SPF and DKIM improves overall protection.
Next step
Training works best when it is reinforced by technical controls. Milnsbridge can reduce phishing delivery, harden your email domain, and improve response when someone clicks.
Relevant cyber services: Email security, Managed DMARC, Duo MFA, Incident response.
Related IT services
If you want broader IT support and governance alongside cyber uplift, these pages may help.
Use the enquiry option if you want this adapted into internal training material for your staff.