
How to Write a Non-Phishy Email


With phishing becoming ever more prevalent, how can you avoid writing emails that look fraudulent?

Why is it important to craft good emails?

Sometimes our legitimate email communication is accidentally crafted in ways that resemble phishing emails. These messages confuse employees and make it harder for them to tell fraudulent emails from legitimate ones. When employees mistake a legitimate university email for a phishing attempt and report it to the abuse or phishing inbox, it undermines our communication goals, creates unnecessary work, and skews the tracking and monitoring results we collect as metrics.

Some legitimate emails that have been reported as phishing attempts include:

  • University announcements that require extra attention
  • Administrative or HR notices where employees need to provide acknowledgment of policies for regulatory requirements
  • Automated messages from company systems that require employee action
  • Emails with attachments but no information in the body
  • Survey requests from teams
  • Messages that come from any kind of ‘no-reply’ sender

If you take the time to craft your email with your audience in mind, employees will be better able to differentiate between legitimate emails and phishing emails.

Tips for crafting emails that won’t be reported as a phish

  • Address employees by name when possible. It’s always better to address the employee directly rather than having a generic greeting. Cybercriminals tend to have generic greetings or no greetings at all in their phishing emails. If it is not possible to address the employee directly, then it becomes even more important for you to create a professional message that demonstrates legitimacy.
  • State the purpose of the email and provide a legitimate contact employees can reach with questions. Always say which team you are with, what the email is for, and what you are trying to achieve.
  • Send the message from a university email address instead of a public email address (e.g., Gmail). It’s always better to send emails from your university account or a team email account so that employees can review the sender details. Remember, almost anyone can create a Gmail account.
  • List full contact details in the signature of the email, such as full name, title, office location, and phone details. Not only does this add professionalism to your email, it also provides employees with information they can confirm through the directory or another reliable source.
  • When an internal email address is not available, it is strongly recommended that the leader of the organization send out a message before the external email is delivered to employees, notifying them that the external email address is legitimate. State the exact email address that will be used so that employees know it is legitimate when it arrives.
  • Consider the tone of your message. Cybercriminals often play on emotions to trick their victims into taking action quickly rather than stepping back to question the legitimacy of the email. Appeals to curiosity, greed, fear, and urgency are all tactics cybercriminals use, so avoid them in your own messages.
  • Plan ahead, especially if you need employees to act upon receipt of your email. Give yourself enough time to create your messages in a thoughtful manner and include time in your planning for employees to complete action items when requested.
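The list of legitimate emails that get reported and the tips above can be turned into a pre-send check that a communications team runs over a draft. The following is an added example, not code from the BYU article or from any BYU system; it assumes an institutional domain `example.edu`, constructed sample drafts, and hypothetical function names (`lint_draft`, `attachment_only_draft`). It flags a public-webmail or no-reply sender, a generic or missing greeting, pressure language, an attachment with an empty body, and a signature with no verifiable contact details.

```python
"""Pre-send lint for internal announcement emails (added example, not BYU code)."""
import re
from email import message_from_string
from email.message import EmailMessage, Message
from email.utils import parseaddr

# Assumed for this example: the institution's mail domain and the public
# webmail domains the article warns against sending from.
INTERNAL_DOMAINS = {"example.edu"}
PUBLIC_WEBMAIL = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}

GENERIC_GREETINGS = ("dear user", "dear customer", "dear employee", "dear staff",
                     "dear all", "dear colleague", "hi all", "hello all",
                     "hi,", "hello,", "to whom it may concern")
URGENCY_PHRASES = ("immediately", "urgent", "act now", "within 24 hours",
                   "account will be suspended", "final notice", "verify your account")
PHONE_RE = re.compile(r"\(?\d{3}\)?[-.\s]\d{3}[-.\s]\d{4}")
EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")
NOREPLY_RE = re.compile(r"no[-_.]?reply|do[-_.]?not[-_.]?reply")


def _body_text(msg: Message) -> str:
    """Plain-text body: the first text/plain part of a multipart, else the payload."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    for part in parts:
        if part.get_content_type() == "text/plain":
            return part.get_payload(decode=True).decode("utf-8", "replace")
    return ""


def _attachment_names(msg: Message) -> list[str]:
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def lint_draft(raw: str) -> list[str]:
    """Return the findings for a raw RFC 822 draft; an empty list means it passes."""
    msg = message_from_string(raw)
    findings: list[str] = []

    _, sender = parseaddr(msg.get("From", ""))
    local, _, domain = sender.lower().rpartition("@")
    if domain in PUBLIC_WEBMAIL:
        findings.append(f"sender {sender!r} uses public webmail; send from an institutional account")
    elif domain not in INTERNAL_DOMAINS:
        findings.append(f"sender {sender!r} is external; have a leader announce the address in advance")
    if NOREPLY_RE.search(local):
        findings.append("sender is a no-reply address; recipients cannot ask questions")

    body = _body_text(msg)
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if not first_line or any(first_line.startswith(g) for g in GENERIC_GREETINGS):
        findings.append("greeting is generic or missing; address the recipient by name")

    haystack = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in haystack]
    if hits:
        findings.append(f"pressure language that phishers also rely on: {hits}")

    attachments = _attachment_names(msg)
    if attachments and len(body.strip()) < 40:
        findings.append(f"attachment {attachments} with little or no explanation in the body")

    body_domains = {d.lower() for d in EMAIL_RE.findall(body)}
    if not PHONE_RE.search(body) and not (body_domains & INTERNAL_DOMAINS):
        findings.append("no verifiable contact (phone or institutional email) in the signature")
    return findings


# Constructed sample drafts (not real messages).
GOOD_DRAFT = """\
From: Benefits Office <benefits@example.edu>
To: jane.doe@example.edu
Subject: Annual benefits enrollment opens next month

Hi Jane,

The Benefits Office is writing to let you know that open enrollment runs
from October 1 through October 31. No action is needed today; we will send
a reminder with instructions two weeks before the window opens.

If you have questions, contact our office directly.

Jane Smith
Benefits Coordinator, Human Resources
Example Hall, Room 210
801-555-0100
benefits@example.edu
"""

BAD_DRAFT = """\
From: Payroll Notice <donotreply.payroll@gmail.com>
To: staff@example.edu
Subject: URGENT: confirm your account

Dear Employee,

Your account will be suspended unless you act now. Confirm your details within 24 hours.
"""


def attachment_only_draft() -> str:
    """Constructed draft with an attachment and almost no body text."""
    m = EmailMessage()
    m["From"] = "HR Systems <hr-systems@example.edu>"
    m["To"] = "jane.doe@example.edu"
    m["Subject"] = "Policy acknowledgment"
    m.set_content("Hi Jane,\n")
    m.add_attachment(b"%PDF-1.4 constructed placeholder", maintype="application",
                     subtype="pdf", filename="policy.pdf")
    return m.as_string()


if __name__ == "__main__":
    for name, draft in [("good", GOOD_DRAFT), ("bad", BAD_DRAFT),
                        ("attachment-only", attachment_only_draft())]:
        print(name, lint_draft(draft) or "passes")
```

The checks are deliberately simple string and header heuristics, the same signals a recipient (or a phishing-report triage analyst) uses when judging a message, so a draft that clears them is one employees are less likely to report.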