Guidance for preventing emails from looking phishy

When sending email to large numbers of people (mass or bulk email communication), it can easily be mistaken for malicious activity if it shares characteristics with phishing emails or other scams.

This guide will help ensure your emails appear trustworthy and legitimate.

Identifying Phishy Characteristics

Here is a list of some characteristics typically associated with phishing emails. Learn more about phishing emails and see examples at The Phish Bowl.

  • Generic greetings (e.g., Dear Employee, Dear Health Plan Member, etc.)
  • Urgent language that pressures recipients to take immediate action -- usually to fix a problem, avoid losing service, or take advantage of a "great opportunity"
  • Recipients being asked to log into a web page with their campus account credentials or to sign up for a new service with their account credentials and/or personal information
  • Emails sent from an email address, alias, or listserv that is unknown to the recipient
  • Requests for personal or login information
  • Hidden or obscure URLs -- such as a shortened URL, text link, or image link
  • Messages that do not provide a way to confirm that they are legitimate University communications
  • Links to an external (non-UC) web site

Phishing-like messages can have unintended consequences, which can significantly impact both the sender and the recipients. Recipients may be wary of opening or responding to emails that appear suspicious, leading them to either delete or ignore the message altogether. Additionally, if a significant number of recipients report the email as spam or phishing, it could also lead to the sender's email address or domain being flagged or blocked by email service providers.

Tips on how to write an email message that doesn't look phishy

Given the potential consequences of phishing-like emails, it's important to look at ways to ensure your emails are perceived as credible and trustworthy communications.

Tip #1 - Explain and provide context

  • Phishing often employs very short, urgent-sounding messages requesting action in hopes the recipient will open the attacker's malicious attachments or click malicious links. It's important to include context and avoid being overly brief in your mass email communications.
  • Explain to the recipient why they are receiving the message, what person or group at the university is sending the message, and why the action needs to be taken.

Tip #2 - Provide verification

  • Always say who is sending the email and provide a UCSC or UC contact, phone number, and email address for the recipient to verify the email. The contact should be a real, verifiable individual.

Tip #3 - Notify recipients in advance

  • If possible, send recipients advance notification to expect an email requesting action. The advance notification should be from a known sender and should be free of links, attachments, or action requests. The idea is that a very safe email informs the user in advance that a phishy-looking email (e.g., one that has links and/or requests action) will follow.

Tip #4 - Keep the ITS Support Center and Information Security Informed

  • The ITS Support Center (help@ucsc.edu) and Information Security contacts (phishing@ucsc.edu) are often the first place email scams get reported. If you let these groups know about the email beforehand, they can be prepared to let recipients know that the email is legitimate.

Tip #5 - Avoid using attachments

  • Avoid using attachments in mass email. Attachments in email are viewed as suspicious by both spam filters and recipients because they can contain malware that infects computers and puts information at risk. In place of attachments, include a link to a Google Doc or online PDF.

Tip #6 - Use best practices for links

  • Links in email are viewed as suspicious by both spam filters and recipients as they can link to web pages designed to steal information and passwords or download malicious software. There is no way to include a link in an email in a way that the recipient can be 100% certain it is legitimate, but some links are less phishy than others. Check out these Do's and Don'ts to be safe:
DO: 
  • Link to UCSC, UC websites, or Google Drive files
  • Spell out all links completely so that recipients can see where they lead. This also allows recipients to type them directly into their browser or copy and paste rather than clicking the link
  • Keep the number of links in the email message to a minimum. The fewer links the better.
DON'T: 
  • Use embedded "click here"-type links or shortened or obscured URLs
  • Link directly to non-UCSC/UC websites
  • Link to non-HTML documents
  • Link to an IP address
  • Link to executable files (such as .exe, .cmd, .scr)
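A pre-send checker that applies the Do's and Don'ts above to a draft message, as an added example (not part of the UCSC guidance or its tooling). The trusted-domain list, the shortener list and the two sample drafts are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Assumed "trusted" hosts: UCSC/UCOP/UC domains (leading '.' = any subdomain) and Google Drive.
TRUSTED = (".ucsc.edu", ".ucop.edu", ".universityofcalifornia.edu",
           "drive.google.com", "docs.google.com")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}  # assumed list
EXECUTABLE_EXT = (".exe", ".cmd", ".scr")
NON_HTML_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".zip")
URL_RE = re.compile(r"""https?://[^\s<>"']+""")
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def is_trusted(host):
    return any(host == s.lstrip(".") or (s[0] == "." and host.endswith(s)) for s in TRUSTED)

def check_url(url):
    """Return the phishy traits of one URL (an empty list means it passes)."""
    problems, p = [], urlparse(url)
    host, path = (p.hostname or "").lower(), p.path.lower()
    try:
        ipaddress.ip_address(host)          # DON'T link to an IP address
        problems.append("links to an IP address")
    except ValueError:
        if host in SHORTENERS:              # DON'T use shortened/obscured URLs
            problems.append("shortened URL")
        elif not is_trusted(host):          # DON'T link directly to non-UC sites
            problems.append("links directly to a non-UCSC/UC site")
    if path.endswith(EXECUTABLE_EXT):       # DON'T link to executable files
        problems.append("links to an executable file")
    elif path.endswith(NON_HTML_EXT):       # DON'T link to non-HTML documents
        problems.append("links to a non-HTML document")
    return problems

def check_message(body, max_links=2):
    """Scan a plain-text or simple-HTML draft; return (url, problem) findings."""
    findings = [(href, "'click here'-type link hides its URL")     # DON'T embed links
                for href, text in ANCHOR_RE.findall(body)
                if re.sub(r"<[^>]+>", "", text).strip() != href]
    urls = list(dict.fromkeys(u.rstrip(".,;:)") for u in URL_RE.findall(body)))
    for u in urls:
        findings += [(u, prob) for prob in check_url(u)]
    if len(urls) > max_links:               # DO keep the number of links to a minimum
        findings.append(("*", f"{len(urls)} links; the fewer the better"))
    return findings

# Constructed sample drafts (not real messages); 203.0.113.5 is a documentation-range IP.
GOOD = "Please visit http://www.ucop.edu/human-resources/employee-satisfaction-survey.html for details."
BAD = ('URGENT: <a href="https://bit.ly/3xyz">Click here</a> to verify now, or run '
       "http://203.0.113.5/update.exe and fill in https://surveys.example.com/form.pdf")
```

Running `check_message(GOOD)` returns no findings, while `check_message(BAD)` lists each Don't the draft violates plus the link-count warning.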

Tip #7 - Avoid sending emails via external parties

  • Emails should come from a valid UCSC or UC email address. Sending an email from an external party or linking to an external party's website may make the recipient suspicious.
  • If you must link to an external website, we recommend that the email link to a UCSC or UC web page that in turn links to the external website. If this is not possible, or if the email must be sent by the external party, then include a link to a known website, or local contact information, where the recipient can confirm the legitimacy of the email.

Example of a Good Email

Below is an example of a well-done mass email communication. The details and contact information are fake, but it is based on an actual email sent at a UC location. This email provides a good yet brief explanation and context, a campus link for information and for access to the non-UC-hosted survey, and local, verifiable contact information for recipients to confirm the validity of the email and ask questions.

Good Example

Subject: Employee Satisfaction Survey
From: UCOP Human Resources <HR@ucop.edu>

I am writing to notify you that UCOP is conducting an Employee Satisfaction Survey. I encourage you to participate. This is an opportunity for UCOP to get direct feedback from individual employees that will help shape how we will all work at UCOP.

The survey is open and will be available through September 30th. This survey is being administered by a Professional Survey Company. Please visit http://www.ucop.edu/human-resources/employee-satisfaction-survey.html for information about the survey and a link to the actual survey.

The survey is completely confidential. Individual responses and personally identifying information will not be shared with UCOP.

I will be happy to answer any questions you may have. I can be reached at HR@ucop.edu or by phone at (510) XXX-XXXX, from 7 am - 3 pm.

Sincerely,
Employee Name
Title / Department

Questions?

If you have any questions, please email help@ucsc.edu. You can also learn more about protecting yourself online on the ITS Security web page.