Email Security & Professional Communication
Spot the phishing trap, handle attachments safely, and write email that sounds like a professional.
What you'll learn
- Recognize phishing and external-sender warning signs
- Handle attachments and links safely
- Write with professional tone and clear structure
Email is where most security breaches begin and where most professional reputations are quietly made or dented. One careless click can hand an attacker the keys; one sloppy message can make a smart person look careless. The good news is that both risks shrink dramatically with a few habits. This module covers staying safe and sounding sharp — the two sides of being trusted over email.
Spotting phishing
Phishing is a fake email designed to trick you into clicking a bad link, opening a malicious attachment, or handing over a password. Attackers are good now — phishing emails can look almost perfect — so you watch for patterns rather than typos. The classic tells:
- Urgency and fear. “Your account will be closed in 24 hours.” Pressure is designed to stop you thinking.
- A mismatched sender. The display name says “IT Helpdesk” but the actual address is a stranger. Always check the real address, not just the name.
- Links that don’t match. Hover over a link (don’t click) and the address that appears is nothing like where it claims to go.
- Unexpected attachments, especially asking you to “enable content” or log in.
- An odd request from a “known” person — your CEO suddenly emailing you to buy gift cards. This is business email compromise, and it preys on authority.
When something feels off, slow down. Don’t click — verify through another channel. Call the person, or report the message using your organization’s Report Phishing button (built into Outlook). Reporting helps protect everyone, not just you.
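The sender and link tells above can also be checked mechanically. The sketch below is an added example, not part of the original module or of any Microsoft tool: it parses a constructed sample message and flags an outside address, an internal-sounding display name on an outside address, and a link whose visible URL differs from its real target. The names `ORG_DOMAIN`, `ROLE_NAMES`, `phishing_tells` and the flag strings are assumptions made for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"  # assumption: the organization's own mail domain
ROLE_NAMES = re.compile(r"\b(it|helpdesk|ceo|payroll)\b", re.I)  # illustrative list

# Constructed sample message for this example, not a real phishing email.
SAMPLE = """\
From: "IT Helpdesk" <support@mail-example.net>
Subject: Your account will be closed in 24 hours
Content-Type: text/html; charset="utf-8"

<p>Confirm your password now:
<a href="http://login.example.invalid/reset">https://portal.example.com/reset</a></p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        self._text.append(data)  # reset at each <a>, so only link text is kept
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_tells(raw):  # returns the warning signs found in one raw message
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    flags = []
    if addr.rpartition("@")[2].lower() != ORG_DOMAIN:
        flags.append("external-sender")  # what an [External] tag signals
        if ROLE_NAMES.search(name):      # internal-sounding name, outside address
            flags.append("display-name-mismatch")
    part = msg.get_body(preferencelist=("html",))
    body = part.get_content() if part else ""
    collector = LinkCollector()
    collector.feed(body)
    for href, text in collector.links:
        shown = urlparse(text).hostname  # None unless the visible text is a URL
        if shown and shown != urlparse(href).hostname:
            flags.append("link-mismatch")
    return flags
```

A message with no flags is not proven safe; the checks only surface the patterns listed above so a person can verify through another channel.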
External tags and safe handling
Most workplaces now stamp an [External] tag on emails from outside the organization. That little banner is a gift: it tells you instantly that a message claiming to be from a colleague actually came from outside, which is one of the loudest phishing alarms there is. Treat external mail with extra care, especially when it asks for money, credentials, or urgency.
For attachments and links, Microsoft 365’s Safe Attachments and Safe Links quietly scan files and rewrite links to check them at the moment you click. They’re a safety net, not a substitute for judgment. The rule stays simple: if you weren’t expecting it, don’t open it. Verify with the sender first. A thirty-second message — “Did you mean to send me this file?” — has saved countless people from a very bad afternoon.
When something feels off: stop, verify through another channel, then report it.
Rule of thumb: if an email creates urgency and asks you to click, log in, or pay — slow down and verify another way. Urgency is the attacker’s favorite weapon.
Professional tone and structure
Now the other side of trust: how you come across. Professional email isn’t stiff — it’s clear and considerate. A few habits do most of the work. Open with a quick greeting and get to the point in the first line; busy readers shouldn’t have to dig for what you want. Use short paragraphs and, when you’re asking for several things, bullet points so nothing gets lost. State the action and any deadline plainly. Close with a clear next step and a simple sign-off.
Mind your tone. Sarcasm and jokes fall flat in text, and ALL CAPS reads as shouting. When a message is important or sensitive, write it, then reread it as if you were the recipient before sending. Copilot in Outlook can help here — it can draft a first version from a short instruction, adjust the tone to be more formal or more friendly, and tighten a rambling message. Treat its output as a draft to check and make your own, not a final word to send blind.
Sort the email security check
Here's where each one goes:
- Message claiming to be IT asking to reset password via link → Report it — classic phishing, use the Report Phishing button.
- Unexpected file from someone you work with regularly → Verify first — even trusted senders can be compromised; ask through another channel.
- Normal message from a known sender with a standard request → Proceed safely — no red flags, act normally.
- Vendor email with a link that doesn't match the displayed URL → Report it — mismatched link is a loud alarm.
- External email asking for urgent payment or personal info → Verify first — slow down and check through another channel.
- A colleague sending a document you asked for → Proceed safely — expected, legitimate request.
How to use it
Build two reflexes. For safety: before clicking anything, glance at the real sender address, watch for the [External] tag, and if anything pressures you, stop and verify. Report suspicious mail rather than just deleting it. For polish: lead with your point, use bullets for multiple asks, state the deadline, and reread important messages before sending. Useful phrases: “Just confirming through chat — did you send me this attachment?” “Reporting this one as phishing to be safe.” “Here’s what I need, and by when:” followed by a short, clean list.
Quick check
1. A common sign of phishing is…
2. An [External] tag on an email tells you…
3. For a professional, clear email you should…