Would Your Staff Spot This Fake Email?

May 20, 2025
4 min read

We tested 500 employees with a fake phishing email. 34% clicked the link. 12% entered their password. Would your team do better?

Last month, we ran a simulated phishing test for a client. Here's what the email looked like:

---

From: IT Support <it.support@microsft-365.com>

Subject: Action Required: Password Expires in 24 Hours

Dear [Employee Name],

Your Microsoft 365 password will expire in 24 hours. To avoid being locked out of your account, please update your password immediately.

[Update Password Now]

If you do not update your password, you will lose access to:

  • Email
  • Teams
  • SharePoint files

Regards, IT Support Team

---

The Results

  • 34% clicked the link
  • 12% entered their password
  • 6% entered their password AND their MFA code when prompted

In a real attack, that 6% would have given hackers complete access to their email, files, and potentially the entire company network.

Why People Click

Before you judge, consider the psychology:

Urgency: '24 hours' creates panic. People stop thinking carefully.

Authority: 'IT Support' sounds legitimate. Who questions IT?

Fear: 'Lose access to email' - for most office workers, that's their entire job.

Familiarity: The email looks exactly like real Microsoft emails. Same fonts, same colours, same layout.

The attackers are good at this. They've refined these techniques over millions of emails. One small mistake by one tired employee at 5pm on a Friday, and you've got a breach.

The Clues That Give It Away

The sender address: microsft-365.com - note the missing 'o'. Real Microsoft emails come from microsoft.com.

The urgency: Microsoft doesn't actually expire passwords with 24-hour warnings. That's not how it works.

The generic greeting: 'Dear [Employee Name]' should be your actual name. Legitimate systems know who you are.

The link destination: Hovering over the button would show a URL that has nothing to do with Microsoft.

But in a busy inbox, with 50 other emails to deal with, how carefully are your staff really looking?
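The four clues above can be turned into a simple triage check that a mail gateway or a one-click "report" button could run. The following is an added example, not code from the original post; it builds a sample message from the email quoted above (the link destination is a made-up placeholder) and assumes microsoft.com is the only brand the organisation expects mail from.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.utils import parseaddr

# Constructed sample based on the simulated email in the post; the URL is a made-up placeholder.
SAMPLE = """From: IT Support <it.support@microsft-365.com>
Subject: Action Required: Password Expires in 24 Hours

Dear [Employee Name],
Your Microsoft 365 password will expire in 24 hours. To avoid being locked out,
please update your password immediately: https://portal-verify.example.net/m365
"""

TRUSTED = {"microsoft.com"}  # brands the organisation genuinely receives mail from (assumed)
URGENCY = ("24 hours", "immediately", "action required", "locked out")

def similar(a, b):
    # Near-match test that catches a dropped or swapped letter such as microsft/microsoft.
    return a != "" and SequenceMatcher(None, a, b).ratio() >= 0.85

def under_trusted(host):
    return any(host.lower() == t or host.lower().endswith("." + t) for t in TRUSTED)

def lookalike_brand(host):
    # Genuine if under a trusted domain; otherwise flag any label that nearly matches a brand.
    if under_trusted(host):
        return None
    tokens = re.split(r"[-\d.]+", host.lower())
    return next((t for t in TRUSTED if any(similar(tok, t.split(".")[0]) for tok in tokens)), None)

def phishing_indicators(raw):
    # Apply the four clues from the post to one message and return the list of hits.
    msg = message_from_string(raw)
    body = msg.get_payload()
    sender = parseaddr(msg["From"])[1].rpartition("@")[2]
    lowered = (msg["Subject"] + " " + body).lower()
    hits = []
    brand = lookalike_brand(sender)
    if brand:
        hits.append(f"sender domain {sender} imitates {brand}")
    if sum(p in lowered for p in URGENCY) >= 2:
        hits.append("multiple urgency cues in subject/body")
    if re.search(r"^Dear\s+(\[|customer|user|employee)", body, re.M | re.I):
        hits.append("generic or unmerged greeting")
    mentioned = [t for t in TRUSTED if t.split(".")[0] in lowered]
    for host in re.findall(r"https?://([^/\s]+)", body):
        if mentioned and not under_trusted(host):
            hits.append(f"link goes to {host}, not {mentioned[0]}")
    return hits
```

Run against SAMPLE it reports all four clues; a genuine message from a subdomain of microsoft.com produces no hits.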

The Attacks That Work Even Better

The password expiry email is actually quite crude. The really dangerous ones are:

Invoice attachments: 'Please see attached invoice for immediate payment' - with a malware-laden PDF.

Boss impersonation: An email appearing to come from the CEO asking for an urgent wire transfer. (We've seen £200,000 lost to this.)

Voicemail notifications: 'You have a new voicemail from [unknown number]' - with a link to credential harvesting.

Delivery notifications: 'Your package couldn't be delivered' - works especially well around Christmas.

Why Awareness Training Isn't Enough

Most security awareness training consists of:

  • A boring video once a year
  • A multiple-choice quiz everyone guesses through
  • A certificate that says 'Completed'

And then nothing changes.

Effective training requires:

  • Regular simulated phishing - not once a year, every month
  • Immediate feedback - if you click, you find out instantly what you missed
  • Progressive difficulty - start obvious, then get subtle
  • No blame culture - praise the people who report suspicious emails, rather than only those who never click

Technical Controls That Help

Training your humans is only half the battle. You should also:

Enable external email warnings: Mark emails from outside your organisation with a banner.

Implement email filtering: Block known malicious senders before they reach inboxes.

Use link protection: Microsoft Defender for Office 365 rewrites links and scans them when clicked.

Enable MFA everywhere: Even if a password is stolen, the attacker still needs the second factor. As the 6% above shows, one-time codes can be phished too, so MFA reduces the risk rather than removing it.

Deploy DMARC/SPF/DKIM: Prevent attackers from spoofing your own domain to trick your staff.
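Publishing SPF and DMARC records is not enough on its own; the settings inside them decide whether spoofed mail is actually rejected. The following added example (not code from the original post) checks constructed TXT records for a fictional domain for the weak settings that leave spoofing unpunished, with a permissive pair beside a hardened pair.

```python
import re

# Constructed TXT records for a fictional domain (not DNS lookups); the first pair shows the
# permissive settings common on a domain that has never been hardened, the second the tightened
# versions that the post's "Deploy DMARC/SPF/DKIM" control aims for.
WEAK = {
    "example-biz.test": "v=spf1 include:spf.protection.outlook.com ~all",
    "_dmarc.example-biz.test": "v=DMARC1; p=none; rua=mailto:dmarc@example-biz.test",
}
HARDENED = {
    "example-biz.test": "v=spf1 include:spf.protection.outlook.com -all",
    "_dmarc.example-biz.test": "v=DMARC1; p=reject; pct=100; adkim=s; aspf=s; "
                               "rua=mailto:dmarc@example-biz.test",
}

def assess_spf(record):
    # The qualifier on the 'all' mechanism decides what happens to hosts not listed in the record.
    if not record.startswith("v=spf1"):
        return ["no SPF record: any host can send mail as this domain"]
    match = re.search(r"(?:^|\s)([-~+?]?)all(?:\s|$)", record)
    qualifier = match.group(1) if match else None
    if qualifier is None:
        return ["SPF has no 'all' mechanism, so unlisted senders get a neutral result"]
    if qualifier in ("+", "?"):
        return [f"SPF '{qualifier}all' lets any host pass: no protection against spoofing"]
    if qualifier == "~":
        return ["SPF '~all' only softfails spoofed mail; many receivers still deliver it"]
    return []

def assess_dmarc(record):
    # Without p=quarantine/reject, a failing SPF/DKIM check changes nothing for the recipient.
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    if tags.get("v") != "DMARC1":
        return ["no DMARC record: spoofed mail is neither rejected nor reported"]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append("DMARC p=none only monitors; spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("DMARC p=quarantine junks spoofed mail rather than rejecting it")
    if int(tags.get("pct", "100")) < 100:
        findings.append(f"DMARC pct={tags['pct']} applies the policy to only a sample of mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no reports on who is spoofing you")
    return findings

def assess_domain(records, domain):
    # Combine the SPF record at the apex with the DMARC record at _dmarc.<domain>.
    return assess_spf(records.get(domain, "")) + assess_dmarc(records.get("_dmarc." + domain, ""))
```

For the WEAK pair this reports the soft-fail SPF and the monitor-only DMARC policy; the HARDENED pair comes back clean.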

The Questions That Matter

Before your next cyber insurance renewal, ask yourself:

  • Do all staff have MFA enabled? (Not just email - everything)
  • When did you last run a phishing simulation?
  • Can staff report suspicious emails with one click?
  • Do you have email filtering that actually works?
  • Has anyone received security awareness training in the last 12 months?

The Quick Check

We've built a quick email security assessment that takes about 2 minutes. It checks the controls that actually matter - not the ones that just tick boxes.

Take the Email Security Check

Knowing where you stand is the first step. The second step is fixing it before the real attack arrives.

What We Can Do

Our Cyber Security service includes:

  • Monthly phishing simulations with real-time reporting
  • Email security configuration (SPF, DKIM, DMARC)
  • Microsoft Defender for Office 365 deployment
  • Ongoing security awareness training
  • Incident response if something does get through

90% of cyber attacks start with email. Make sure yours is protected.

Is Your Email a Security Risk?

90% of cyber attacks start with email. Where do you stand?

True story: A local business lost £42,000 when a staff member replied to a fake "invoice" email that looked like it came from their regular supplier. The email had bypassed their basic spam filter.

Answer 8 questions to find out how protected you really are against email-based attacks.

Worried About Your Security?

Get a free security review. We'll check your vulnerabilities and show you exactly what needs fixing.