Most online services have a built-in security system that alerts you when it detects “unusual” activity on your account. For example, services send notifications about attempts to reset the phone number and e-mail address linked to the account, or the password. Of course, as soon as such messages became commonplace, enterprising cybercriminals tried to imitate this mechanism to attack corporate users.
Example of a fake notification
If it’s a public online service attackers will usually make every effort to create exact copies of a real message. However, if attackers are hunting for access to an internal system, they often have to use their imagination as they might not know how the email should appear.