Story image

How to avoid sending 'phishy' emails that could lose you customers

03 Aug 18

As more businesses become aware of phishing emails and the dangers they pose when they land in the inbox, those same businesses should be careful to avoid falling into a similar trap.

Security firm ESET says that some genuine emails can often look similar to scam emails, which can lead to damaged relationships between businesses and their customers.

‘Phishy’ emails can also foster distrust; they can make it more difficult for people to tell the difference between genuine and scam emails; they can make it less likely for a customer to respond; and they can scare away customers.

What are some of the characteristics of phishing emails? ESET senior research fellow Nick FitzGerald explains:

“Stereotypical phishing emails usually feature an urgent-sounding headline, require action from the receiver, and come from an unknown sender address. However, some organisations are inadvertently replicating scam-email features in their legitimate email messages, creating confusion for their recipients.” 

Some of the telltale signs of phishing emails include:

  • unexpected arrival
  • unusual content
  • claims affiliation to an authoritative source
  • is from a sender not aligned with that source
  • a sense of urgency or importance
  • absent or generic greetings
  • unusual or unexpected attachments or links.

ESET says often genuine emails can contain some – or all – of these characteristics. The problem is that any recipient who has been through phishing awareness training may see those characteristics and classify the email as junk.

Businesses should consider providing phishing awareness training to their employees so that emails don’t accidentally resemble scam messages. ESET says training should include personal management advice on how to reconnect with people who don’t respond in a trustworthy, timely, and genuine way.

“Phishing and business email compromise (BEC), also known as email account compromise (EAC), cause hundreds of thousands of dollars in losses for businesses each year,” FitzGerald says.  

“This amount is unlikely to decrease if recipients are confused about how to handle suspicious-looking emails. Organisations must send messages that are verifiable and honest, so users can safeguard themselves against email phishing threats without missing important email content from companies they want to do business with.” 

Here’s how you can tailor your emails so they don’t appear ‘phishy’:

1. Make emails ‘expected’ 
If emails require recipients to take action, it’s useful to send an introductory email first, which helps them conveniently understand what the email will be about, and what is expected of them upon receipt. Trustworthy emails should include content summaries, a distinctive greeting and sign off, and a visible email address which is traceable to the sender. 

2. Keep calm 
Classic social engineering tactics can intimidate or turn away clients, so train employees in charge of email distribution how to relay a sense of urgency, without indicating panic. Organisations can address non-compliance calmly, yet seriously. If a message is attributed to the general manager or CEO of a company, it should legitimately come from that individual, rather than an alternate staff member. 

3. Choose security-conscious products 
Organisations should be picky when considering new Software-as-a-Service (SaaS) apps for sending emails. Some apps will let organisations customise bulk messages so they appear more user-friendly. It’s important to fill out all the variables in the SaaS templates, to avoid accidentally sending emails that read questionably, like, “Dear %RECIPIENT%”. 

4. Keep it simple 
Emails should mostly include text formatting, and only use HTML content when absolutely necessary. For users to trust an email, its message should be quick and easy to read and digest, so, organisations should avoid asking recipients to click on links or attachments to access message content. If users need more detailed information, emails should direct them to a standard, safe location, such as a company website. 

McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
Forcepoint and Chillisoft - “a powerful combination”
Following Chillisoft’s portfolio expansion by signing on Forcepoint, the companies’ execs explain how this is a match made in cybersecurity heaven.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.
Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.