Powers Computing, LLC · Free advice
Is this email really from Microsoft?
This is one of the most common questions I get, and it’s a smart one to ask. An email lands that looks like it’s from Microsoft — a security warning, a password notice, a bill — and it wants you to click a button and sign in. Is it real, or is it a trap?
Most of the time, these are fakes designed to steal your password. The good news: you can almost always tell, and there’s one move that works even when you can’t. Here’s the same straight advice I’d give a client, free and with nothing to sell you. (This is the email cousin of the fake “tech support” phone call — if you haven’t read Spam & scam phone calls: what to do, that one pairs with this.)
- 1.) The one move that beats every fake
- 2.) The tells: how to spot a fake
- 3.) Common fakes making the rounds
- 4.) If you clicked, or typed your password in
- 5.) How to report it
- 6.) The bottom line
- 7.) Not sure? Just ask us
Start here: the one move that beats every fake
Before any of the detective work below, learn this one habit and you’re most of the way safe:
Never sign in by clicking a link in the email. Open your browser and go to the website yourself.
If an email says there’s a problem with your Microsoft account, don’t click its button. Instead, open your browser and type the address in yourself — account.microsoft.com — and sign in there. If there’s really a problem, you’ll see it once you’re logged in. If everything looks normal, the email was a fake. Microsoft says exactly this: “Never click any links or attachments in suspicious emails” — instead, open a new browser tab and go to the company’s website yourself, from your own saved bookmark or a web search. (Microsoft Support)
That single habit defeats the whole scam, because the scam depends on you clicking their link and typing your password into their fake page. Take the link out of the equation and there’s nothing to steal.
The tells: how to spot a fake
If you want to know what you’re looking at, these are the giveaways. You rarely need all of them — one or two is usually enough.
- The real sender address, not the name. The display name is easy to fake — anyone can label an email “Microsoft Account Team.” What’s harder to fake is the actual address behind it. Click or tap the sender name to reveal the true email address. A message from “Microsoft” that actually comes from something like [email protected] is a fake. (For reference, Microsoft’s genuine account security alerts come from an address ending in @accountprotection.microsoft.com — but treat this as a clue, not proof, because even a from-address can sometimes be forged. The “go to the site yourself” move above is what you actually rely on.) (Microsoft Support)
- Where the link really goes. On a computer, rest your mouse pointer over a button or link without clicking — the real destination shows in the bottom corner of the screen. On a phone, press and hold the link to preview it. If the address isn’t an obvious Microsoft one, don’t click.
- Urgency and threats. “Your account will be permanently closed in 24 hours.” “Verify now or lose access.” Real companies don’t operate on a countdown clock. Manufactured panic is the scammer’s main tool — it’s meant to make you click before you think.
- They ask for something they’d never ask for. Microsoft will not email you asking for your password, and will never ask you to read back a security code (the one-time code texted to you). Anyone asking for either is a scammer, full stop.
- Generic greeting and odd wording. “Dear Customer” instead of your name, slightly-off grammar, or a logo that looks a little wrong are all common in fakes. They’re getting better at this, though, so a clean-looking email is not proof it’s real — which is why the from-address check and the “go direct” habit matter more than how polished it looks.
- An unexpected attachment. A real account notice doesn’t need you to open a file. An attachment you weren’t expecting — especially one asking you to “enable” something — is a red flag.
Common fakes making the rounds
You’ll most often see Microsoft-branded scams in these shapes. Recognizing the pattern takes the scare out of them:
- “Unusual sign-in activity.” Designed to frighten you into clicking to “secure” your account — which really means handing your password to the scammer. Check it the safe way: go to account.microsoft.com yourself and look at your recent activity there.
- “Your password expires today — click to keep it.” A classic. Any password change you actually need, you can do from inside your account after logging in directly.
- A fake invoice or renewal. “Your Microsoft 365 subscription renewed for $439 — click to cancel.” There’s no real charge; the “cancel” link leads to a fake login or a phone number that connects you to a scammer.
- “Your mailbox is full / verify your email.” Aimed at getting your email password, which is the master key to the rest of your accounts.
If you clicked, or typed your password in
It happens to careful people. If you entered your password on a page you reached from one of these emails:
- Change your Microsoft password right away — by going to account.microsoft.com directly (not through the email). If you use that same password anywhere else, change it there too.
- Turn on two-step verification for your Microsoft account if it isn’t already on. It’s the best lock against someone who now has your password.
- Check your recent sign-in activity once you’re logged in, so you can see whether anyone else got in.
- If it was your work email, tell whoever handles your company’s IT so they can watch for trouble.
How to report it
Reporting a phishing email helps shut these operations down, and it’s quick:
- In new Outlook for Windows or Outlook.com (on a computer), select the suspicious message, then above the reading pane choose Report → Report phishing. That reports it to Microsoft and moves it out of your inbox. (Microsoft Support)
- On the Outlook app on a phone or tablet, select the message, tap the ⋮ menu at the top right, choose Report Junk, then Phishing. (Microsoft Support)
- In other mail programs (Gmail, Apple Mail, etc.), use their “Report phishing” or “Report junk” option — most have one in the same menu as delete.
- Then delete it. You don’t need to reply, and you should never click anything inside it.
The bottom line
- Don’t sign in from an email link — ever. Go to account.microsoft.com yourself and check. That one habit beats every fake.
- Check the real sender address and where links actually go, not the display name or how polished it looks.
- Urgency is the tell. Real companies don’t threaten to delete your account by dinnertime.
- Microsoft will never email asking for your password or a security code.
Not sure about one sitting in your inbox right now?
If you’ve got an email in front of you and you can’t tell whether it’s real, don’t guess and don’t click — forward it to us and ask, or call and read it to us. We’ll tell you straight whether it’s legit. Powers Computing is a real, local IT company here in the Capital Region, a real person answers, and there’s no charge to ask.
Powers Computing, LLC
Albany, NY · Capital Region, New York
Phone / text: 518-322-0332
Email: chrispowers@
Related reading: Should I pay for antivirus? · Spam & scam phone calls: what to do