Why Hoxhunt?
Solutions
CustomersPricing
Resources
Company
Sign inRequest demo
Hoxhunt black logoRequest a demo
publishing date icon
September 1, 2022
read time icon
5 min. read

How to write an email that won’t be mistaken for spam or a phishing attack

Ever thrown away something you ended up needing later? Even something valuable? It happens to all of us. Especially with email. Unfortunately, we often mistake legit emails for malicious or phishy messages, and disregard them accordingly. This translates to a loss of time and money for the recipient’s company, as important messages go unseen. Here are some important tips on how to write an email that won’t be mistaken for spam or a phishing attack.

Author image
Pessi Nurmi
Junior Threat Analyst
Post hero image

Table of contents

share this post

An important email is a terrible thing to waste. Here's a guide to writing an email that won't be discarded as suspicious. Before you start writing an email, you should think about:

  • Who the message is for
  • what the message contains
  • And, most importantly, why the recipient should read it and possibly act on its content.

Pause for a moment and think about how the email will look to the recipient. After writing the message, if you think that it does not look like a reliable message, you should rewrite it.

Here are the rules of thumb to get you off to an excellent start

  • Personalize your message to the recipient
  • Immediately state the reason why you are contacting and why the recipient should react to the message
  • Avoid links. If they are mandatory, each link should go to the company's own information page, which is password-protected
  • If you are unable to implement links on your company's internal intranet, describe exactly what the service is, where the link will take you and what the recipient should do behind the link
  • Avoid attachments
  • Do not make the message look like an advertisement. If you must use a template, indicate at the beginning that it is an internal message, so that the recipient is more likely to read it
  • Do not use attachments, especially in security-related messages
  • Always indicate how you or your department can be contacted by other means.
  • Bonus: Use a consistent signature style across the company.

Writing a credible message starts before the first sentence at the first greeting

It's a good idea to write something personal or personalized in the very first sentence or greeting. Prefixes could be the recipient's nickname, department, job description or something similar. A combination of these can work well. It's also a good idea to use a little imagination in a group message. When sending a group email, it is also a good idea to mention that you are sending a group message, so that a certain style of writing is tolerated and less likely to raise suspicion.

Here are the most common greetings and working examples from them:

Common

  • Hi
  • Dear all
  • Dear colleagues
  • Hi team

Personalized

  • Hi Bob
  • Dear Hoxhunt employees
  • Hi everyone from sales team
  • Hello Alice at the home office

The most important sentence of the message

Next, we continue with the first and most important sentence. Tell us why you have sent the message and what it contains. It is particularly important to write clearly what the message contains and why you should react to it.

Example:

Hi Alice at the home office,

I am contacting you because our company will be introducing a new file sharing service on Thursday 27 June 2022. This will all happen automatically and does not require any action from you. Our IT department will run the updates on your computer during the working day. If you encounter any problems, please contact our IT department directly.

This same news is available on our intranet. Extranet > Info > New file sharing service.

Links and attachments

Links, and especially attachments, are always tricky to deliver in an email as they are frequently used to distribute malicious files and phishing sites. For this reason, the email delivery of links and attachments requires more planning and common company rules. It is not out of the question for a company not to use links or attachments via email at all. This significantly reduces the attack surface of the company.

However, if your company does use links and attachments in emails, the following rules should be assumed.

  • All links should be written in full in the email, regardless of the length or style of the link.
  • Never use link shorteners such as bit.ly , shorturl, tinyURL or similar. Shortlinks do not allow the recipient to confirm the end of the link and thus shortlinks increase distrust.
  • Link only to well-known services. The best way would be to link to the company's own internal website, which requires a login. At the same time, every employee should be familiar with the address of the company's internal website.

However, there are many situations where it is necessary to link to an external service or send an attachment with an email. In such cases, it is up to the sender to explain exactly what is behind the link or file and why the recipient should view it.

In security-related emails, you should use as few links as possible. Communicate guidelines for action in internal channels and consider email only as an additional means of communication. Under no circumstances should it be considered as the only channel for information on security-related issues. Indeed, many people are unfamiliar with security issues and are therefore prone to suspicion. As a minimum, these messages should also include other methods of contact, such as "Contact IT support if necessary". Avoid using links or phone numbers when referring to how to get in touch, as this can, in the worst case, teach the recipient to rely on the phone numbers in the emails.

Emails sent by external services

There will be occasions when your company uses an external service to (for example) carry out surveys, book services, or activate user accounts. In these cases, internal communication is everything. So be specific about what type of service the message is coming from and what users need to do to receive it and why.

Many services allow you to include comments, but this is not inherently the best communication channel and is not a substitute for advance notice. This is because many attackers use the comment sections of services to spread malicious links and phone numbers.

Sending an email

In cases where you send an email to several employees at a time, it is tempting to use email forwarding services and newsletter tools. Their major drawback is that the sender's address is not known and the links are implemented in a tracking manner that hides the final destination of the link. This eliminates a good link "hover" tactic.

It's worth considering whether the statistics of your email delivery services, such as click-through rates, engagement rates, and other tracking statistics are so important that your company is teaching people to click on links whose destination cannot be known without clicking.

Last but not least, read the email carefully before sending. The more important the message is, the more it is recommended to ask someone to proofread the message to eliminate most of the errors and typos.

In addition, you can also use an internally agreed signature method. First of all, it adds to the brand image of the company, as well as creating a more familiar email layout. However, it is worth bearing in mind that a single signature does not create additional security for your messages, as the signature is easily copied and is only an indicator of very low-level attacks.

Here’s a great example of an email written according to good cybersecurity etiquette

Email with personalized who, and clearly stated what, where, when messaging

The email starts by telling the reader who the message is addressed to. Even if the message is addressed to the entire company, it is still a good idea to add something personal at this stage. The next step is to explain why the message is being sent and what it is about. It also explains what to expect from the link. Finally, another way of contacting you is written in the message. Please note that no links or phone numbers have been added to the contact methods, which prevents spoof phone numbers or links from being included in phishing attempts. At the very end of the message, the signature of the sender is added.

Summary

By following these guidelines, it is much more likely that your email messages will reach the recipient and not go straight to the spam folder. With a little more thought and consideration of the recipient's reason and need to read the message, the email becomes much more reliable with a little tweaking.

Sending a good and reliable email takes a bit more time and thought, but doing so can greatly reduce your company's attack surface and makes communication more efficient.

Staying of the hook

While these indicators are excellent for improving communication, they cannot be relied upon blindly. You still need to remember the general rules of email security.

  • Think before you click
  • Verify the email sender
  • Check that links lead to legit domains
  • Log in to services by navigating to them directly through your web browser instead of clicking the links in an email.

Subscribe to All Things Human Risk

Subscribe to our newsletter for a curated digest of the latest news, articles, and resources on human risk and evolving phishing threats in the ever-changing landscape.

Hoxhunt needs the contact information you provide to us to contact you about our products and services. You may unsubscribe from these communications at anytime. For information on how to unsubscribe, as well as our privacy practices and commitment to protecting your privacy, check out our Privacy Policy.