Ever thrown away something you ended up needing later? Even something valuable? It happens to all of us. Especially with email. Unfortunately, we often mistake legit emails for malicious or phishy messages, and disregard them accordingly. This translates to a loss of time and money for the recipient’s company, as important messages go unseen. Here are some important tips on how to write an email that won’t be mistaken for spam or a phishing attack.
An important email is a terrible thing to waste. Here's a guide to writing an email that won't be discarded as suspicious. Before you start writing an email, you should think about:
Pause for a moment and think about how the email will look to the recipient. After writing the message, if you think that it does not look like a reliable message, you should rewrite it.
Here are the rules of thumb to get you off to an excellent start.
It's a good idea to write something personal or personalized in the very first sentence or greeting. The greeting could include the recipient's nickname, department, job description or something similar, and a combination of these can work well. A little imagination helps in group messages too. When sending a group email, mention that it is a group message, so that a certain style of writing is tolerated and less likely to raise suspicion.
Here are the most common greetings and working examples of them:
Common
Personalized
Next, we continue with the first and most important sentence. Tell the recipient why you have sent the message and what it contains. It is particularly important to state clearly what the message contains and why the recipient should react to it.
Example:
Hi Alice at the home office,
I am contacting you because our company will be introducing a new file sharing service on Thursday 27 June 2022. This will all happen automatically and does not require any action from you. Our IT department will run the updates on your computer during the working day. If you encounter any problems, please contact our IT department directly.
This same news is available on our intranet. Extranet > Info > New file sharing service.
Links, and especially attachments, are always tricky to deliver in an email, as they are frequently used to distribute malicious files and phishing sites. For this reason, sending links and attachments by email requires more planning and common company rules. It is a reasonable option for a company not to send links or attachments by email at all. This significantly reduces the attack surface of the company.
However, if your company does use links and attachments in emails, the following rules should be assumed.
However, there are many situations where it is necessary to link to an external service or send an attachment with an email. In such cases, it is up to the sender to explain exactly what is behind the link or file and why the recipient should view it.
In security-related emails, you should use as few links as possible. Communicate guidelines for action in internal channels and consider email only as an additional means of communication. Under no circumstances should it be considered as the only channel for information on security-related issues. Indeed, many people are unfamiliar with security issues and are therefore prone to suspicion. As a minimum, these messages should also include other methods of contact, such as "Contact IT support if necessary". Avoid using links or phone numbers when referring to how to get in touch, as this can, in the worst case, teach the recipient to rely on the phone numbers in the emails.
There will be occasions when your company uses an external service to (for example) carry out surveys, book services, or activate user accounts. In these cases, internal communication is everything. So be specific about what type of service the message is coming from and what users need to do to receive it and why.
Many services allow you to include comments, but this is not inherently the best communication channel and is not a substitute for advance notice. This is because many attackers use the comment sections of services to spread malicious links and phone numbers.
In cases where you send an email to several employees at a time, it is tempting to use email forwarding services and newsletter tools. Their major drawback is that the sender's address is not known to the recipient and the links are rewritten as tracking links that hide the final destination. This defeats the useful habit of hovering over a link to check where it leads.
It's worth considering whether the statistics of your email delivery services, such as click-through rates, engagement rates, and other tracking statistics are so important that your company is teaching people to click on links whose destination cannot be known without clicking.
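A pre-send check can catch links that defeat the hover habit before a draft goes out. The following is an added example, not part of the original article: it parses an HTML draft and flags links whose host is unfamiliar or whose visible text names a different host than the real destination. The allowlist `TRUSTED_HOSTS`, the function names and all `example.com` / `example.net` addresses are assumptions made up for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import re

# Assumption: hosts your recipients recognise as the company's own (constructed).
TRUSTED_HOSTS = {"intranet.example.com", "files.example.com"}
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the draft."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def lint_links(html_body):
    """Return (href, reason) for links a recipient cannot verify by hovering."""
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = (urlsplit(href).hostname or "").lower()
        if urlsplit(href).scheme != "https":
            findings.append((href, "not an https link"))
        elif host not in TRUSTED_HOSTS:
            findings.append((href, "hover shows unfamiliar host " + host))
        shown = DOMAIN_IN_TEXT.search(text)
        if shown and shown.group(1).lower() != host:
            findings.append((href, "link text names " + shown.group(1)))
    return findings

# Constructed draft: one direct link, one rewritten by a newsletter tool.
DRAFT = """<p>Hi Alice at the home office,</p>
<p>The news is on <a href="https://intranet.example.com/info/file-sharing">the intranet</a>.</p>
<p>Guide: <a href="https://click.mailer.example.net/t/abc123">files.example.com/guide</a></p>"""

print(*lint_links(DRAFT), sep="\n")
```

The direct intranet link passes, while the rewritten link is reported twice: once for the unfamiliar tracking host and once because its text names a host it does not lead to.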
Last but not least, read the email carefully before sending. The more important the message is, the more it is recommended to ask someone to proofread the message to eliminate most of the errors and typos.
In addition, you can use an internally agreed signature method. It adds to the brand image of the company and creates a more familiar email layout. Bear in mind, however, that a signature alone does not add security to your messages: it is easily copied, so it only helps to expose very low-level attacks.
The email starts by telling the reader who the message is addressed to. Even if the message is addressed to the entire company, it is still a good idea to add something personal at this stage. The next step is to explain why the message is being sent and what it is about. It also explains what to expect from the link. Finally, another way of contacting you is written in the message. Please note that no links or phone numbers have been added to the contact methods, which prevents spoof phone numbers or links from being included in phishing attempts. At the very end of the message, the signature of the sender is added.
By following these guidelines, it is much more likely that your email messages will reach the recipient and not go straight to the spam folder. With a little more thought about the recipient's reason and need to read the message, the email becomes much more reliable.
Sending a good and reliable email takes a bit more time and thought, but doing so can greatly reduce your company's attack surface and make communication more efficient.
While these indicators are excellent for improving communication, they cannot be relied upon blindly. You still need to remember the general rules of email security.