Cyber Attack Number 2/15: Phishing and Spear Phishing

Phishing is when you are sent an email that looks legitimate, usually appearing to come from a supplier, vendor, bank etc., with the intention of stealing personal information from you, such as usernames, passwords, and credit card details.

Example: You receive an email saying that someone has shared a OneDrive document with you. When you click on the link, it asks you to log in to your Office 365 account. Once you enter your credentials, the hackers have access to your email account. Then they just watch and wait, and hope you're sending out invoices. If you are, they put rules in place on your mailbox so that you can no longer see emails to and from that recipient. They change the invoice to carry a new account number and send emails, hoping to get paid. If they are successful, you don't get paid, your customer likely won't pay twice, and your insurance, should you have any, won't cover it.

Spear phishing emails are directly targeted attacks.

Risk Mitigation: Enable Multi-Factor Authentication (MFA) on your email accounts. Branding your O365 login page is another simple way of knowing when you get directed to a fake page.
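As an added example (not part of the original post), here is a check a defender could run for the kind of rules described in the example above, which hide emails to and from one correspondent. The rule dictionaries use field names from Microsoft Graph's messageRule resource; the mailboxes, addresses and rules are constructed for illustration.

```python
# Flag mailbox rules that hide mail to or from specific correspondents.
# Field names follow Microsoft Graph's messageRule resource; SAMPLE is constructed.
HIDE_ACTIONS = ("delete", "permanentDelete", "moveToFolder", "markAsRead")
ADDRESS_CONDITIONS = ("fromAddresses", "sentToAddresses")
TEXT_CONDITIONS = ("senderContains", "recipientContains")

def targeted_parties(conditions):
    """Collect the correspondents a rule is keyed on, lower-cased."""
    parties = []
    for key in ADDRESS_CONDITIONS:
        for recipient in conditions.get(key) or []:
            address = (recipient.get("emailAddress") or {}).get("address")
            if address:
                parties.append(address.lower())
    for key in TEXT_CONDITIONS:
        parties.extend(text.lower() for text in conditions.get(key) or [])
    return parties

def review_rule(rule):
    """Return a finding if the rule hides mail for specific parties, else None."""
    parties = targeted_parties(rule.get("conditions") or {})
    actions = rule.get("actions") or {}
    hides = [name for name in HIDE_ACTIONS if actions.get(name)]
    if not (parties and hides):
        return None
    return {"rule": rule.get("displayName", ""), "parties": parties,
            "hides_with": hides, "enabled": rule.get("isEnabled", True)}

def audit(mailboxes):
    """Map each mailbox to its findings; mailboxes with none are omitted."""
    report = {box: [f for f in map(review_rule, rules) if f] for box, rules in mailboxes.items()}
    return {box: found for box, found in report.items() if found}

SAMPLE = {  # constructed mailboxes and rules
    "accounts@yourcompany.example": [
        {"displayName": "Reports", "conditions": {"subjectContains": ["Weekly report"]},
         "actions": {"moveToFolder": "constructed-folder-id"}},
        {"displayName": ".", "conditions": {"fromAddresses": [
            {"emailAddress": {"address": "AP@customer.example"}}]},
         "actions": {"delete": True, "markAsRead": True}},
    ],
    "sales@yourcompany.example": [],
}

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A finding is a prompt for manual review, since users also create rules of this shape themselves.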

Image Credit: ProjectFive