Thursday, 11 December 2025

🚨 UK Cyber Alert: Don't Fall for the 'rn' Microsoft Password Scam! 📧

The festive season is upon us, and while we're busy buying presents and planning holidays, cybercriminals are busy too. They're getting smarter, and a new, incredibly subtle phishing scam targeting Microsoft users is making the rounds.

A video we've reviewed highlights a highly deceptive email that looks like a legitimate Microsoft password reset notification. Everything—the logo, the layout, the tone—is designed to trick you into clicking. But the giveaway is tiny, and it's something your brain is programmed to miss: the sender's email domain.

The Deceptive 'rn' Trick

The scam relies on a technique known as typosquatting (registering a look-alike domain), sometimes also described as a homograph attack, which exploits how quickly we scan text.

  • The Fake Domain: The sender's address uses the domain rnicrosoft.com.

  • The Real Domain: The legitimate domain is, of course, microsoft.com.

Take a closer look: the letters 'r' and 'n' placed next to each other (rn) can look almost identical to the letter 'm' in many fonts, especially when viewed quickly, on a mobile screen, or in a truncated email address bar.

By swapping one letter for two that visually mimic it, the criminals create a perfect, blink-and-you-miss-it trap. If you click the link in that email, you'll be taken to a fake login page where your password and other credentials will be harvested instantly.
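To show how the 'rn' trick can be caught mechanically rather than by eye, here is an added Python example (not from the original post) that folds a sender domain into a look-alike "skeleton" and classifies the From: header; the trusted domain is taken from the checklist below, while the extra confusable pairs (vv/w, 0/o, 1/l) and the sample addresses are assumptions constructed for this example.

```python
import unicodedata
from email.utils import parseaddr

# Domains the checklist treats as genuine; subdomains such as
# accountprotection.microsoft.com are accepted automatically.
TRUSTED_DOMAINS = ("microsoft.com",)
# Brand word a phisher imitates; flagged when it appears in a non-trusted domain.
BRAND_WORDS = ("microsoft",)
# Letter pairs that read as one letter in many fonts. 'rn' -> 'm' is the trick on
# this page; 'vv' -> 'w' and the digit swaps are common look-alikes assumed here.
CONFUSABLE_PAIRS = (("rn", "m"), ("vv", "w"))
CONFUSABLE_CHARS = str.maketrans({"0": "o", "1": "l"})

def skeleton(domain: str) -> str:
    """Fold a domain into a look-alike 'skeleton' so that visually similar
    spellings compare equal: lower-case, strip accents, fold digits, then
    collapse confusable letter pairs (rnicrosoft.com -> microsoft.com)."""
    text = unicodedata.normalize("NFKD", domain).lower()
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.translate(CONFUSABLE_CHARS)
    for pair, letter in CONFUSABLE_PAIRS:
        text = text.replace(pair, letter)
    return text

def sender_domain(from_header: str) -> str:
    """Domain of the real address in a From: header, ignoring the display
    name, which a phisher can set to 'Microsoft account team' at will."""
    _, address = parseaddr(from_header)
    if "@" not in address:
        return ""
    return address.rpartition("@")[2].strip().lower().rstrip(".")

def classify_sender(from_header: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a From: header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if any(domain == t or domain.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    folded = skeleton(domain)
    # A brand word that survives the fold inside an untrusted domain is exactly
    # the rn/m substitution (or bait such as microsoft.com.evil.example).
    if any(skeleton(brand) in folded for brand in BRAND_WORDS):
        return "lookalike"
    return "unknown"

if __name__ == "__main__":  # constructed sample header, not a real message
    print(classify_sender("Microsoft <no-reply@rnicrosoft.com>"))  # lookalike
```

The same fold can be applied to link hostnames before clicking, which is the desktop "hover" check from the checklist done in code.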


🛡️ Your Essential UK Cyber Security Checklist

Don't let a tiny typo lead to a total account takeover. Here’s how you can protect yourself and your business accounts:

  • 🔍 Scrutinise the Sender Address: Always check the email address of the sender, not just the display name. If it's a security or password-related email from Microsoft, the official domains are typically:

    • @microsoft.com

    • @accountprotection.microsoft.com

    • Any slight deviation, like rnicrosoft.com, is a massive red flag.

  • 🛑 Did You Request It? If you receive a password reset notification but you did not initiate a password reset yourself, assume it's a scam. Legitimate services will not send you an unsolicited password reset link.

  • 🖱️ Hover Before You Click (Desktop): If you're on a computer, hover your mouse cursor over any link in the email. The true destination URL will appear in the bottom corner of your browser (or in a tooltip in your mail app). If it doesn't lead to a genuine, official Microsoft domain, do not click it.

  • 📱 Don't Trust Your Phone's Screen: Be extra cautious when viewing emails on a small mobile screen, as the full sender address is often shortened or obscured, making the 'rn' trick even harder to spot.

  • 🔑 Enable Multi-Factor Authentication (MFA): This is your strongest defence. If you have MFA enabled, a scammer who steals your password still won't be able to access your account without the second code sent to your phone or authenticator app. Set it up on your Microsoft, Google, bank, and all other sensitive accounts right now.

  • 🙅‍♀️ Report and Delete: If you suspect an email is a scam, report it to your email provider (e.g., as 'phishing') and then delete it immediately. Never forward it to anyone except your IT support if you're at work.

Stay alert and stay safe this holiday season. A quick check can save you a world of trouble.

🔒 How to Set Up Multi-Factor Authentication (MFA)

MFA adds a crucial second layer of security, so even if a criminal gets your password (like in the 'rnicrosoft' scam), they can't log in without the code from your phone.

1. Microsoft Accounts (Outlook, Hotmail, Office 365)

Microsoft calls this Two-Step Verification.

  • Step 1: Go to Security Settings. Sign in to your Microsoft account's security basics page. (Search Google for "Microsoft security basics" if you don't have the link.)

  • Step 2: Find Verification. Under the Advanced security options tile, look for Two-step verification.

  • Step 3: Turn It On. Select Turn on Two-step verification. You will be asked to verify your identity.

  • Step 4: Choose Your Method. Microsoft will ask you how you want to receive your second code. The most secure methods are:

    • Best: Authenticator App. Use the official Microsoft Authenticator app (or Google Authenticator, etc.). This generates a code on your phone without needing a text message or email, which is faster and more secure.

    • Good: Text Message. You can opt to receive a code via SMS to your mobile number.

  • Step 5: Set Up Recovery. Make sure you have one or two recovery methods (like a secondary email or a backup code) in case you lose your phone.

2. Google Accounts (Gmail, Workspace)

Google calls this 2-Step Verification.

  • Step 1: Go to Google Security. Sign in to your Google Account and navigate to the Security tab. (Search Google for "Google Security Checkup".)

  • Step 2: Find 2-Step Verification. Under the "Signing in to Google" panel, click on 2-Step Verification.

  • Step 3: Get Started. Click Get Started and follow the on-screen prompts. You will need to re-enter your password.

  • Step 4: Primary Method: Google Prompts. Google will first suggest using Google Prompts (a simple "Yes, it's me" notification that pops up on your logged-in phone). This is very convenient.

  • Step 5: Set Up Backups. It will then prompt you to set up backup methods, such as:

    • Backup Option 1: Text Message or Voice Call. You can enter a phone number to receive a backup code via SMS.

    • Backup Option 2: Backup Codes. Google will give you a list of 10 single-use codes. Print these out and store them in a secure, physical location (like a safe or locked drawer) in case you lose access to your phone.

🔥 Pro-Tip for Maximum Security:

Always choose the Authenticator App method (like Microsoft Authenticator or Google Authenticator) over SMS text messages if possible. SMS codes can sometimes be intercepted by very sophisticated hackers, but codes generated inside an authenticator app on your phone are much safer.
