Email is one of the most widely used forms of digital communication. Whether it's for school, work, or personal use, there is common etiquette to sending and receiving emails. Messages that look odd and do not follow this etiquette are commonly phishing messages. Phishing is a form of social engineering that takes place over digital communication, and the goal is to gather personal or financial information from you.
When using digital communication, it is not only important to avoid falling for phishing messages, but it is also important to craft messages that are not mistaken as phishing. Follow the tips below to ensure your messages are not accidentally mistaken for a phishing message.
Explain and Provide Context
Phishing often involves language that comes off as short and urgent. Don't be overly brief in mass email communications. Be sure to include an explanation as to why they are receiving the email, what person at the University is sending the message, and what action needs to be taken. The subject line needs to be specific and convey what the message is about, avoid generic or vague subject lines. Lastly, in the salutation, be as specific as possible. For example, use "Dear [person's name]" instead of "Dear User."
Provide a Method for the Recipient to Verify the Email
Provide an OHIO contact, phone number, and email address for the recipient to verify the email. The contact should be a verifiable person who will respond to inquiries about the email.
Notify Recipients in Advance
Send recipients advanced notifications to emails requesting action. The notification should be from a known sender and should be free of links, attachments, or action requests. The concept is that the safe email informs the user in advance that a phish-looking email (contains links, attachments, and/or requesting action) will follow.
Keep the IT Service Desk and IT Security Informed
The IT Service Desk and IT Security are the most common places phishing messages get reported. If you let our teams know beforehand, we can post the message to The Phish Bowl to notify the University community.
Avoid Using Attachments
Avoid including attachments in mass emails. Attachments are commonly viewed as suspicious by both spam filters and recipients because they can contain malware that infects computers and puts information at risk. If a file needs to be shared in the communication, post it on an OHIO website or OHIO-approved cloud storage site. The email can then contain a spelled-out link where users can obtain the file.
Best Practices for Links
Links in email can be dangerous. They can link to web pages used for stealing information/passwords and downloading malicious software. Online IT Security Training teaches people never to click on unknown or unexpected links in an email. There really is no way for recipients to be 100% sure about the legitimacy of a link, but some links are less phishy than others. Follow the steps below when using links in an email:
- DO link to OHIO websites.
- DO spell out links completely so recipients can see where they lead.
- DO link to SSL websites (HTTPS://).
- DO NOT use phrases like "Click Here" or shortened/obscured URLs.
- DO NOT link to executable files such as .exe, .cmd, .scr.
- DO NOT link to an IP address.
- DO NOT link directly to non-HTML documents, such as .pdf, or .ppt.