Everybody I speak to has had streams of phishing emails seemingly from reputable sources, and apparently genuine calls from their financial providers or, often, "Microsoft".
The problem is how do we detect which is genuine? It's better to be too suspicious - I've even told my bank (well it might have been) that I'm not going through security with them when they ring me up out of the blue. Phone numbers can be spoofed - I've asked them to write me letters.
Often suspicious emails will deliver malware that the sender hopes to get installed on your machine so it can harvest emails and passwords: https://www.zdnet.com/article/phishing-attacks-one-in-three-suspect-emails-reported-by-employees-really-are-malicious
There are constant emails asking you to confirm your security details. Here is an example:
The scammer fakes the Microsoft web site login to grab your password and then may use your email account to retrieve other passwords and see what he can steal. When you get an email with a link, check where it's going by hovering your mouse over the link and the actual address will be revealed. In this example it's not Microsoft, and the link usefully tells the scammer which email address scored the hit. The details of respondents get sold on as handy victims.
If you think it's genuine, go to the web site using a different approach - a bookmark, or just type in the URL. Log in that way and see if what the email says is true.