Legitimate bulk emails or emails from a generic or departmental account can be mistaken for phishing emails. This can create problems that:
- Slow or no response rate because recipients may delete or ignore the email.
- Recipients may miss important information if they delete or ignore the email.
- Wasted time with recipient determining if email is legitimate.
- Increased workload on IT Security when dealing with requests to verify.
- Recipients in the future are less likely to read or respond when seeing an email from a source that they are unsure they can trust.
1. Explain and Provide Context
Phishing emails use short, urgent sounding messages requesting that the user perform some action without stopping to think. When sending an email that may only require a small update or task, avoid being too brief. Provide enough context and information that will establish your authenticity. You should clearly explain to the recipient why they are receiving the message, who is sending the message, and from what department, and what the user needs to do. If you can personalize the message by using the recipient’s name, this will also further establish credibility. Also, be sure to include a specific subject line.
2. Provide A Method for The Recipient to Verify the Email
If possible, provide an APSU contact, phone number, and email address for the recipient to verify the email. The contact should be a real, verifiable university employee who will get back to people when asked about the email.
3. Notify Recipients in Advance
If possible, send recipients advance notification to expect an email from a generic or departmental account requesting an action. The advance notification should be from a university employee’s named account and should be free of links, attachments, or bulk action requests. Once you notify in advance, you can even reference the prior notification from the generic account email. For example, "As announced yesterday from..."
4. Keep IT Security Informed
The IT Security team is often the first place suspicious emails get reported. If you let IT Security know about the email beforehand, they can inform recipients who ask if the message is legitimate. You can contact apitsecurity@apsu.edu to inform IT Security of your email.
5. Avoid Using Attachments
If possible, avoid including attachments in a mass email. Attachments in email are viewed as suspicious by both spam filters and recipients because they can contain malware that infects computers and puts information at risk. If you must share a file, post it on an APSU website or APSU-approved cloud storage site. The email can then contain a fully written out non-clickable link or a reference to the website where users can obtain the file.
6. Best Practices For Links
Links in email can be dangerous. They can link to web pages designed to steal information and passwords, download malicious software, and more. Cybersecurity training teaches people never to click on unknown or unexpected links in email. There really is no way for recipients to be 100% certain that a link is legitimate, but some links are less phishy than others. The following outlines some do’s and don’ts when including links:
- DO link to APSU websites.
- DO spell out all links completely so that recipients can see where they lead. This also allows recipients to type them in directly or copy and paste rather than clicking the link.
- DO link to SSL websites (e.g., https).
- DO NOT use embedded "click here"-type links or shortened or obscured URLs.
- DO NOT link to executable files, such as .exe, .cmd, .scr, etc.
- AVOID linking directly to non-APSU websites.
- AVOID linking to an IP address (e.g., http://128.97.40.53).
- AVOID linking directly to non-html documents, such as pdf, ppt, or swf.
7. Using BCC Increases Suspicion
If you send an email only using the BCC (Blind Carbon Copy) line (nothing on the To or CC: lines), it increases the suspiciousness of the email. The recipient cannot determine who the email was sent to. Additionally, using only the BCC line is a technique commonly used by attackers. This is a challenging situation, since there are good reasons to send with BCC-only -- most notably, to protect recipients' privacy and to prevent "reply all" responses that create an unwanted flood of email. Be aware that if you are only using the BCC line, it increases the need to explain and provide context to the email.
8. External Parties Increase Suspicion
An email sent from an external party or linking to an external party's website is going to make the recipient suspicious. For example, if the email is sent from joe@example.com with a link to http://www.example.com, people are going to be suspicious -- and they should be. Although a company may be a legitimate APSU service provider, people may not have heard of them. And even if they recognize the name, many people will (and should) be suspicious of clicking on links to non-APSU sites. If you must link to an external party's website, we recommend the email contain a link to an APSU website where you can then provide a link to the external party's website. If this is not possible, or if the email must be sent by an outside party, then include a link to a known (local) web site, or local contact information, where the recipient can confirm the legitimacy of the email. Or send a heads-up first (see Number 3 Notify Recipients in Advance).
How to verify if the sender is from the APSU domain.
If the subject line has the [EXTERNAL] tag on it then this means that the email is not from the APSU domain and is from an outside source. *Just because the email is from the APSU domain does not mean that it is 100% trustworthy as somebody could hack into an APSU account and send out emails in order to get an unsuspecting victim’s credentials.
Example of a Good Email
Below is an example of a well-done mass email communication from a generic account. This email provides a good yet brief explanation and context, a campus link for information and to access the non-APSU-hosted survey, and local, verifiable contact information for recipients to confirm the validity of the email and ask questions. Additional comments are [inline].
Subject: Employee Satisfaction Survey
To: facultystaff@apsu.edu
From: APSU Human Resources <jobs@apsu.edu>
I am writing to notify you that APSU is conducting an Employee Satisfaction Survey. I encourage you to participate. This is an opportunity for APSU to get direct feedback from individual employees that will help shape how we will all work at APSU.
The survey is open and will be available through September 30th. This survey is being administered by [Professional Survey Company]. Please visit http://www.apsu.edu/human-resources/employee-satisfaction-survey.html for information about the survey and a link to the actual survey [see Number 6, Best Practices For Links].
The survey is confidential. Individual responses and personally identifying information will not be shared with APSU.
I will be happy to answer any questions you may have. I can be reached at employeename@apsu.edu or by phone at (931) XXX-XXXX, from 7 am - 3 pm [see Number 2, Provide A Method For The Recipient To Verify The Email].
Sincerely,
Employee Name
APSU Human Resources
Examples of a Phishy-Looking Email
Phish Example 1
Subject: Please review your DIRECT DEPOSIT information online
To: jane@apsu.edu
From: jane@apsu.edu
Please visit Direct Deposit (https://personnel.apsu.edu/self_service/bank_info/ ) to confirm your bank information.
Thanks,
Jane Doe
In this example, the recipients are all BCC'd indicating that this is one mass email and not specific to the receiver at all. The email appears to come from jane@apsu.edu and to jane@apsu.edu, which is suspicious and confusing. This email is also missing sufficient explanation and context (Number 1, Explain and Provide Context). There is also no way for the user to verify the email as the sender did not add any contact or department information (Number 2, Provide A Method for The Recipient to Verify the Email). It is good that the email appears to come from a campus email account (though that’s not a guarantee it is legitimate), that the link uses https, and that it goes to a campus website, but in the absence of any other context, the entire email is very phishy.
How to verify an email from an APSU generic account.
If the email is from a generic account that you do not recognize and provides no contact info, go to the APSU faculty and staff page (https://www.apsu.edu/directory/) and ask a representative from the respective department that the generic account appears to be tied to for the legitimacy of the email. If this does not work then contact apitsecurity@apsu.edu for assistance verifying.