Maria has worked in the office for six years. She knows her job well. She uses email, logs into Microsoft 365 and manages files in the cloud every day without thinking twice. One Monday morning, she got an email that looked exactly like a Microsoft security alert. It told her that someone had tried to access her account. It asked her to verify her identity by clicking a link. The link took her to a page that looked like the real Microsoft login. She typed in her username and password.
It was not Microsoft. It was a fake page. By the time Maria reported it to IT, someone had already used her credentials to log into her work account.
Maria did nothing wrong on purpose. She just did not know what to look for.
Maria received a phishing email designed to steal her login credentials. The fake login page looked legitimate. When she entered her username and password, attackers captured them instantly. Her account was compromised before she realized anything was wrong.
Your work login is not just a password. It is the key to your email, your files, your organization's data, and sometimes your payroll and HR information. A stolen credential can give an attacker access to everything connected to that account, including your coworkers' information. What happens at work can also follow you home if you reuse the same password on personal accounts.
Never click a link in an unexpected security alert email. Go directly to the website by typing the address in your browser (Edge, Firefox, Chrome, etc.).
If a login page appears after clicking a link, stop. Close the tab and report the email to IT.
Turn on multi-factor authentication (MFA) on your work account and personal accounts. MFA adds a second layer of protection even if someone steals your password.
Use a different password for work than you use for personal accounts. If one gets stolen, the other stays safe.
When in doubt, call or message IT directly to confirm whether an alert is real.
Open your Microsoft 365 account settings and confirm that multi-factor authentication is turned on. If you are not sure how, ask IT. It takes less than five minutes and it is one of the most effective protections available.
I do not click links in unexpected security alert emails.
I go directly to websites by typing the address in my browser.
MFA is turned on for my work account.
I use a unique password for work, separate from my personal accounts.
I know how to report a suspicious email to IT.
Before you click any link in an email, ask yourself: Did I expect this? If the answer is no, do not click. Go directly to the website instead.