As part of awareness training and good cyber security, you are told to be aware of phishing and suspicious emails. But sometimes hackers can also, with the help of social engineering, trick you into thinking it's a legitimate email you're reading. That's why it's important to be able to write and communicate in an optimal way, so that you and your colleagues don't become suspicious when you're reading emails from each other.
Avoid discarding the wrong email
Both you and your colleague have to do a little extra work when writing emails. You should start by considering who is receiving the email, what the email should say, and why the recipient should read it - and perhaps respond to it.
Then, once the email is written, for good measure, read it through with phishing glasses on - would you find the email suspicious yourself, or is it obvious that it's a legitimate email?
Below we've listed some good rules of thumb to follow when writing emails - and to avoid others suspecting it's phishing or a scam:
- Make your message personal.
- State quickly why you are contacting them.
- Avoid using links as much as possible - this is one of the first anti-phishing tips to be aware of. That's why many people don't click on links or read emails with links in them.
- If a link cannot be omitted, describe what they are clicking so that it does not appear to be an illegitimate link.
- Avoid attachments as far as possible - and again, if they can't be avoided, describe what the recipient can expect to find in the attachment.
- Write how you and the company can be contacted so that the recipient can turn to you if they have any doubts.
- Use a consistent email signature within the company so that the recipient, who may be a colleague, can recognise the signature and thus verify its credibility.
The first sentence of an email says something about its reliability
An important element of a trustworthy email is that it is personalised in some way. Here you can look at how the email is introduced and how you address the recipient.
You can use colleagues' names, company names, department names, etc. It may also be a good idea to write to the recipient, if you are sending out an email to several people, that it is a group you are sending to.
A generalised greeting or introduction might look like this:
- Dear all
- Dear colleagues
- Dear team
With a generic greeting like these, the recipient might suspect that a hacker is behind the email and is sending the same phishing message to many people at once.
A personalized greeting might look like this:
- Hello Joey
- Dear Moxso employees
- Hello everyone in HR
After your greeting, you should write why you are addressing the person and what they can expect from the content. For example:
I am writing to tell you that our department is implementing a new cloud solution, so in the future you will be able to find documents etc. on our intranet. If you have any questions, you can contact me as usual on my email, otherwise we have made an introduction, which you can find below: "Intranet > Info > New files and sharing".
Best regards, Joey from IT
Links and attachments
It is becoming more difficult to share links, because companies are undergoing awareness training regarding their cyber security. Employees are learning to be aware of links and attachments, and if it is not obvious what a link leads to, the majority will not click on the link or open the email.
Few companies and departments actually share documents by link, as files are usually kept on an internal server or shared storage. If your company or department does share files by link, it is a good idea to consider the following:
Write links out in full and do not use link shorteners such as bit.ly, shorturl or similar, as they do not allow the recipient to check where the link leads and whether it is credible. As far as possible, send links only from reliable and recognisable sources to minimise doubts among employees.
If you are sending out an email with sensitive information, it is extra important that you avoid using links - if it is an important email, the recipient may discard it unnecessarily. You can sign yourself up as the contact person in case of doubts or questions, to minimise the risk of finding yourself in a situation where the email disappears.
Summary and alternative forms of communication
As mentioned, it is always a good idea to read through your email before sending it. If you follow awareness training, you also know what methods a hacker would typically use in phishing emails. Therefore, it is a good idea to avoid these methods.
For example, you should avoid sending emails asking employees to respond "within 24 hours" to something specific (at least without giving them an explanation and reason why it is a limited period), or using your authority or position to get employees to act on the email.
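The rules of thumb listed earlier (personal greeting, full links rather than shorteners, described links and attachments, a recognisable signature) and the point above about unexplained "within 24 hours" deadlines can be turned into a self-check you run on a draft before sending it, which is what "reading it through with phishing glasses on" amounts to. The script below is an added example and is not Moxso's code or a tool described on this page; the rule set, the extra shortener domains beyond bit.ly and shorturl, the two sample drafts and the signature string are all constructed for illustration.

```python
import re

# Constructed rule set derived from the rules of thumb above. The shortener list
# extends the bit.ly / shorturl mentioned in the text; the extra hosts are assumptions.
SHORTENER_HOSTS = {"bit.ly", "shorturl.at", "tinyurl.com", "t.co"}
GENERIC_GREETINGS = ("dear all", "dear colleagues", "dear team")
URGENCY_PATTERNS = (
    r"\bwithin\s+\d+\s+(hours?|minutes?|days?)\b",
    r"\bimmediately\b",
    r"\burgent(ly)?\b",
)
# Group 1 is the host; \S* swallows the rest of the URL so fullmatch() works on a bare link line.
URL_RE = re.compile(r"https?://([^/\s]+)\S*", re.IGNORECASE)


def check_draft(body, signature, attachments=()):
    """Return the names of the rules of thumb the draft breaks (empty list = nothing flagged)."""
    findings = []
    text = body.lower()
    lines = [ln.strip() for ln in body.strip().splitlines() if ln.strip()]
    greeting = lines[0].lower() if lines else ""

    # Rule: make the message personal. A generic opener reads like a mass mailing.
    if any(greeting.startswith(g) for g in GENERIC_GREETINGS):
        findings.append("generic_greeting")

    # Rule: write links out in full; a shortener hides the real destination from the reader.
    hosts = [m.group(1).lower() for m in URL_RE.finditer(body)]
    if any(h in SHORTENER_HOSTS for h in hosts):
        findings.append("link_shortener")

    # Rule: if a link cannot be omitted, say what the reader will find behind it.
    # Heuristic: a URL standing alone on a line has no description next to it.
    if any(URL_RE.fullmatch(ln) for ln in lines):
        findings.append("undescribed_link")

    # Rule: describe attachments. An attachment the body never mentions is what phishing looks like.
    for name in attachments:
        stem = name.rsplit(".", 1)[0].lower()
        if stem not in text:
            findings.append("undescribed_attachment")
            break

    # Summary section: avoid "within 24 hours"-style pressure unless the reason is given.
    if any(re.search(p, text) for p in URGENCY_PATTERNS) and "because" not in text:
        findings.append("unexplained_urgency")

    # Rule: use the company signature so colleagues can recognise the sender.
    if signature.strip().lower() not in text:
        findings.append("missing_signature")

    return findings


# Constructed signature and sample drafts (the second is modelled on the page's own example).
SIGNATURE = "Joey from IT"

SUSPICIOUS_DRAFT = """Dear all,

Please update your password within 24 hours using the link below:
https://bit.ly/reset-now

Thanks"""

TRUSTED_DRAFT = """Hello Joey,

I am writing to tell you that our department is implementing a new cloud solution, so in the future
you will be able to find documents etc. on our intranet. If you have any questions, you can contact
me as usual on my email, otherwise we have made an introduction, which you can find below:
"Intranet > Info > New files and sharing".

Best regards, Joey from IT"""


if __name__ == "__main__":
    for label, draft, files in (("suspicious", SUSPICIOUS_DRAFT, ["Q3_report.pdf"]),
                                ("trusted", TRUSTED_DRAFT, [])):
        print(label, "->", check_draft(draft, SIGNATURE, files) or "no findings")
```

The checks are deliberately simple string and regular-expression heuristics: they will not catch every problem, but each finding maps directly to one of the rules above, so the output tells the writer which rule to revisit before the email goes out.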
Another way to avoid internal communication being mistaken for phishing or fraud is to use platforms such as Slack, Microsoft Azure and Google Workspace. These are communication platforms that work like email but are linked to employees' email accounts, so colleagues can communicate internally easily and quickly - and avoid using email for internal communication altogether.
It is harder for hackers to send phishing and links out on these platforms precisely because they are personal accounts where it is harder to infiltrate the messages being sent. However, you should always be aware of what you send as well as what you receive, so that you do not risk your company's cyber security by clicking on links and attachments.
Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.