
Prevent Emails from Looking Phishy


Overview

It's sometimes necessary to send email to a large number of people (mass or bulk email communication). On a smaller level, divisions and departments may also need to send email requesting actions, such as updating your payroll information.

But legitimate bulk emails can be mistaken for malicious activity, such as phishing. This can create a variety of problems, including:

  • Reduced response rate as recipients trash or ignore the message;
  • Recipients missing important information and spending time dealing with the perceived phish; people may also be more likely to be fooled by real phishing messages in the future;
  • Increased workload for technical staff responding to phishing reports and questions about legitimate email that appears phishy/spammy;
  • The sender may suffer reputational damage from sending email that encourages poor cybersecurity practices, such as clicking on unknown links or opening unexpected attachments.

The following will help you write emails that are more clearly legitimate.


How to Write a Mass Email (that doesn't look phishy)

1. Explain And Provide Context
Phishing often employs very short, urgent-sounding messages requesting action. If you send a very short message requesting action, it looks just like a phish. Don't be overly brief in your mass email communications. It may sound counter-intuitive, but it is important to provide some context. Briefly explain to the recipient why they are receiving the message, what person or group at the university is sending the message, and why the action needs to be taken. It will usually take a few sentences to communicate this effectively. If you include a greeting or salutation, the more specific the better, e.g., “Dear [person’s name]” as opposed to “Dear Email User.” Also, use a subject line that specifies what the message is about instead of a generic or vague subject line.

2. Provide A Method For The Recipient To Verify The Email
Options include:

a) Provide a UC contact, phone number, and email address for the recipient to verify the email. The contact should be a real, verifiable individual who will really get back to people who ask about the email.

b) Another effective method is posting a copy of the email on a known UC website and providing a link in the email saying, "you can confirm that this is a legitimate email by visiting the <<insert website name here>> website at..." Always spell out the link so people know where it is supposed to go. Don't use embedded "click here" types of links or shortened URLs (see Tip 6 below).

* Note: This method can backfire because it can be perceived as a "click this link" phishing email, but if the website is known and trusted, it is a reasonable option.

c) A final method is to advise the recipient to contact the IT Help Desk to verify the email. Include their contact information in the email. This option requires that you notify the IT Help Desk in advance (see Tip 4 below).

The most effective verification method uses all of the above tactics.

3. Notify Recipients In Advance
Send recipients advance notification to expect an email requesting action. The advance notification should be from a known sender and should be free of links, attachments, or action requests. The idea is that a very safe email informs the user in advance that a phishy looking email (e.g. one that has links, attachments, and/or requests action) will follow. For larger email communications, a good approach is to provide advance notice via broadly circulated newsletters or frequently visited websites. Once you notify in advance, you can even reference the prior notification in the bulk email. For example, "As announced in yesterday's edition of UC News..."

4. Keep The IT Help Desk And IT Security Informed
The IT Help Desk and IT Security are often the first places phishy emails get reported. If you let these groups know about the email beforehand, they can inform recipients who ask about it that the message is legitimate. If you intend to use the IT Help Desk as the verification source for your email (Tip 2c above), it is especially important that you inform them about the email in advance.

5. Avoid Using Attachments
Avoid including attachments in mass email. Attachments in email are viewed as suspicious by both spam filters and recipients because they can contain malware that infects computers and puts information at risk. If you must share a file, post it on a UC website or UC-approved cloud storage site. The email can then contain a spelled-out link where users can obtain the file.* For well-established websites or shared folders, you can simply direct people to the site or folder without including a link.

* Note: This method can still backfire because it can be perceived as a "click this link"-type phishing email, but it's still better than including attachments in mass email. If you must use an attachment, be sure it has a distinct, relevant name; however, it’s best to avoid attachments whenever possible.

6. Best Practices For Links
Links in email can be dangerous. They can link to web pages designed to steal information and passwords, download malicious software, and more. Cybersecurity training teaches people never to click on unknown or unexpected links in email. There really is no way for recipients to be 100% certain that a link is legitimate, but some links are less phishy than others. The following list outlines good link practices:

  • DO link to UC websites.
  • DO spell out all links completely so that recipients can see where they lead. This also allows recipients to type them in directly or copy and paste rather than clicking the link.
  • DO link to SSL websites (e.g., https).
  • DO NOT use embedded "click here"-type links or shortened or obscured URLs.
  • DO NOT link to executable files, such as .exe, .cmd, .scr, etc.
  • AVOID linking directly to non-UC websites. If you must, see Tip 2b above.
  • AVOID linking to an IP address (e.g., http://128.97.40.53).
  • AVOID linking directly to non-html documents, such as pdf, ppt, or swf.
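
The checklist above can be applied mechanically to a draft before it goes out. The following Python check is an added example, not part of the original guidance. The trusted-domain list, the shortener list, and the sample body are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions for this example: the domains treated as "UC" and a sample of shorteners.
TRUSTED_SUFFIXES = ("ucop.edu", "uclocation.edu")
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}
EXECUTABLE_EXT = (".exe", ".cmd", ".scr")
DOCUMENT_EXT = (".pdf", ".ppt", ".swf")
# Simple pattern for flat, double-quoted anchors as produced by a mail template.
ANCHOR = re.compile(r'<a\s[^>]*?href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

# Constructed sample body: one spelled-out UC link, then three links that break rules.
SAMPLE_BODY = """
<p>Survey details: <a href="https://www.ucop.edu/survey.html">https://www.ucop.edu/survey.html</a></p>
<p>To open, <a href="http://www.example.com/login">click here</a>.</p>
<p>Form: <a href="http://128.97.40.53/form.pdf">http://128.97.40.53/form.pdf</a></p>
<p>Tool: <a href="https://bit.ly/constructed-sample">https://bit.ly/constructed-sample</a></p>
"""

def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def lint_links(html_body):
    """Return [(href, [findings])], one finding per Tip 6 rule the link breaks."""
    report = []
    for href, text in ANCHOR.findall(html_body):
        url = urlsplit(href)
        host, path = (url.hostname or "").lower(), url.path.lower()
        trusted = any(host == s or host.endswith("." + s) for s in TRUSTED_SUFFIXES)
        checks = [
            (text.strip() != href, "link text does not spell out the URL"),
            (url.scheme != "https", "not https"),
            (is_ip(host), "links to an IP address"),
            (host in SHORTENERS, "shortened URL"),
            (not trusted, "non-UC website"),
            (path.endswith(EXECUTABLE_EXT), "executable file"),
            (path.endswith(DOCUMENT_EXT), "non-html document"),
        ]
        report.append((href, [msg for failed, msg in checks if failed]))
    return report

if __name__ == "__main__":
    for href, findings in lint_links(SAMPLE_BODY):
        print(href, "->", findings or "ok")
```

A link with no findings still needs the context and verification described in Tips 1 and 2. The check only covers what can be read from the link itself.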

7. Using BCC Increases Suspicion
If you only send the message using the BCC (Blind Carbon Copy) line, it increases the suspiciousness of the email. The recipient cannot determine who the email was sent to. Additionally, using only the BCC line is a technique commonly used by attackers. This is a challenging situation, since there are good reasons to send via BCC-only -- most notably, to protect recipients' privacy and to prevent "reply all" responses that create an unwanted flood of email. Be aware that if you are only using the BCC line, it increases the need to explain and provide context to the email.

8. External Parties Increase Suspicion
An email sent from an external party or linking to an external party's website is going to make the recipient suspicious. For example, if the email is sent from joe@example.com with a link to http://www.example.com, people are going to be suspicious -- and they should be. Although a company may be a legitimate UC service provider, people may not have heard of them. And even if they recognize the name, many people will (and should) be suspicious of clicking on links to non-UC sites. If you must link to an external party's website, we recommend the email contain a link to a UC website where you can then provide a link to the external party's website. If this is not possible, or if the email must be sent by an outside party, then include a link to a known (local) web site, or local contact information, where the recipient can confirm the legitimacy of the email. Or send a heads-up first, like in Tip 3 above. Or all of these.

* Note: A valid UC email address doesn't inherently mean an email is legitimate. It is possible to impersonate a person's email. It is also a well known tactic for attackers to send email from legitimate accounts that they have compromised. Ironically, because a valid, verifiable UC email account can lend credibility to an email, it is exactly these emails that can be the most dangerous if they are malicious -- because people tend to trust them.


Example of a Good Email

Below is an example of a well-done mass email communication. The details and contact information are fake, but this is based on actual email sent at a UC Location. This email provides a good yet brief explanation and context, a campus link for information and to access the non-UC-hosted survey, and local, verifiable contact information for recipients to confirm the validity of the email and ask questions. Additional comments are [inline].

Good Example 1

Subject: Employee Satisfaction Survey
From: UCOP Human Resources <HR@ucop.edu>

I am writing to notify you that UCOP is conducting an Employee Satisfaction Survey. I encourage you to participate. This is an opportunity for UCOP to get direct feedback from individual employees that will help shape how we will all work at UCOP.

The survey is open and will be available through September 30th. This survey is being administered by Professional Survey Company. Please visit http://www.ucop.edu/human-resources/employee-satisfaction-survey.html for information about the survey and a link to the actual survey [see Tip 6, Best Practices For Links].

The survey is completely confidential. Individual responses and personally identifying information will not be shared with UCOP.

I will be happy to answer any questions you may have. I can be reached at HR@ucop.edu or by phone at (510) XXX-XXXX, from 7 am - 3 pm [see Tip 2, Provide A Method For The Recipient To Verify The Email].

Sincerely,
Employee Name
UCOP Human Resources


Examples of Phishy-Looking Emails

Phishy example #1

Phishy Example 1 is based on an actual email sent at a campus. The email address and link below are completely fake, but illustrate the idea from the original email. In this example, the recipients are all bcc'd. The email appears to come from Jane and to Jane, which is suspicious and confusing. This email is also missing sufficient explanation and context; it's too short (see Tip 1, Explain And Provide Context). There is also no way for the user to verify the email (see Tip 2, Provide A Method For The Recipient To Verify The Email). Additionally, many people reported the actual email as phishing because they had not received prior notice that they would be receiving something like this. An advance notification email (see Tip 3, Notify Recipients In Advance) may have prevented some of these reports, though it would not have made the email itself appear less phishy. It is good that the email appears to come from a campus email account (though that’s not a guarantee it is legitimate), that the link uses https, and that it goes to a campus website, but in the absence of any other context, the entire email is very phishy.

Phishy Example 1

To: jane@uclocation.edu
From: jane@uclocation.edu
Subject: Please review your DIRECT DEPOSIT information online

Please visit Direct Deposit (https://personnel.uclocation.edu/self_service/bank_info/ ) to confirm your bank information.

Thanks,
Jane Doe

-----

Phishy example #2

Phishy Example 2 is based on an actual mass email sent by a company that provides services for UC. The actual message was widely reported as a phish. It is a good example of an email that appears extremely phishy because it has just about every problem discussed above. It does not provide enough context, there is no way to verify the message, there was no advance notification, it was sent from an external party, it links to an external party, it doesn't use SSL (https), and it is not clear how you could get more information other than by clicking the links (which could be dangerous!).

Phishy Example 2

Subject: Important notice from COMPANY
From: reports@example.com

You have a new electronic notice from COMPANY! To open, click here [links to http://www.example.com/login] to log in to your account and view your new correspondence.

Thank you,

COMPANY

This email is an automated notification. While we cannot receive replies at this email address, we're happy to help you with any questions or concerns you may have. Please log into your account [same link as above] and visit the "Contact us" page for more information.

Copyright © Regents of the University of California