Information Security

Writing Non-Phishy Emails: Do’s and Don’ts



Is your department planning to send a survey or ask your students to complete a task online?  Do your faculty need to update their information with the department? Sometimes you have to request specific personal information or ask faculty, staff, and students to take action for entirely legitimate reasons. The issue with this kind of email is that it can sound suspiciously similar to the hoax messages sent by phishers.

When sending unsolicited email, it’s important to make the email look trustworthy. Below are some suggestions to follow when writing emails to make them look less suspicious.

Do’s and Don’ts When Writing Email Messages

From:

  • Clearly identify who you are — Your “From” name and email address should accurately identify who is sending the email.

 Subject:

  • Write a meaningful subject line — Keep it short and be specific about the point of the email. Also, try to arrange the keywords in order of importance to grab people’s attention.

 Body

  • Provide a detailed explanation — Explain the situation that has caused your department to send this urgent or important message. Actual phishing emails are generally pretty vague.
    Sample phishing messages: “Important,” or “We need you to verify your account before it is deleted.”
  • Choose your words carefully — Anything along the lines of “urgent action required” will raise flags.
  • Use personalization — Phishers don’t personalize their emails with recipients’ names because they typically don’t have this information. If you do, use it.
  • Reference your trusted website — If you need recipients to proceed to a website, send them to your department’s main webpage and prominently display a message with the action that needs to be taken.  Do not send them directly to a login page. Phishers will post “fake” login pages to collect credentials.
  • Don’t ask people to click a link — To get people to visit your website or log in to their account, it’s best to provide the web address as text only and advise them to type it in. Provide step-by-step instructions when necessary. We realize that links are sometimes unavoidable; if you need to include a link, be sure to link to an information page and not a login screen.
  • Don’t forget your address and contact information — Including a physical postal address and accurate contact information is not typically something phishers do. Encourage the recipient to contact your office to verify the validity of the message.

 Before you send the message

  • Check your final draft twice — Spelling errors and poor grammar should be avoided in all campaigns, but it’s especially important in this case because phishing scams commonly contain grammatical errors and misspellings.

Want help?

Let us know when you are sending out a mass email that includes a call to action.  This extra step will help us help you; we will be able to quickly answer questions about your email message and encourage the faculty, staff, and students to take action.  Please let us know the following information:

  • when the email will be sent
  • who the target audience is
  • who the email is “from”
  • contact information if there are questions
  • copy of the message

If you would like us to review for phishy-ness, we’ll be happy to take a look at it. Contact us online at help.utk.edu.