Tips for writing emails that don’t look phishy

You have an important university email to send, but how do you craft it so it looks like the official, trustworthy communication it is? In other words, how do you keep people from thinking it is a phish?

Email users are rightfully suspicious of unsolicited email, but that can sometimes cause them to ignore or delete your important, legitimate communications. When you send email on behalf of your unit or office, focus on helping recipients verify its legitimacy so they know it is safe to open and the information can be trusted.

  • Make it easy to verify the sender. The From address for your email should be an address that is clearly associated with your unit, preferably one that people can verify online. The signature line should also be verifiable, with the person’s name and/or unit name spelled correctly and matching the name on your website. Use appropriate U-M branding elements, and be sure to use them correctly. See U-M Office of Communication Brand Standards (U-M login required).
  • Make link locations clear. Use descriptive link text with the full URL. The descriptive text lets people know what to expect if they click the link. They can see the full URL by hovering over the link with their mouse.
  • Refer to supporting information. Refer to information on U-M websites that people already know and trust.

If you have contracted for a service that involves a third-party vendor sending email to members of the U-M community, you can work with Information Assurance to have information about the email posted at Legitimate Email that Might Appear Phishy.

Information Assurance can review the message and offer suggestions, as well as help you make sure the Information and Technology Services (ITS) Service Center is prepared to answer calls from people who may be uncertain about the legitimacy of the email. Contact us by sending email to

For more tips, see Guidelines for Writing Emails that Don’t Look Phishy on the Safe Computing website.