
How to avoid sending 'phishy' emails that could lose you customers

03 Aug 18

As more businesses become aware of phishing emails and the dangers they pose when they land in the inbox, those same businesses should be careful to avoid falling into a similar trap.

Security firm ESET says that some genuine emails can often look similar to scam emails, which can lead to damaged relationships between businesses and their customers.

‘Phishy’ emails can also foster distrust; they can make it more difficult for people to tell the difference between genuine and scam emails; they can make it less likely for a customer to respond; and they can scare away customers.

What are some of the characteristics of phishing emails? ESET senior research fellow Nick FitzGerald explains:

“Stereotypical phishing emails usually feature an urgent-sounding headline, require action from the receiver, and come from an unknown sender address. However, some organisations are inadvertently replicating scam-email features in their legitimate email messages, creating confusion for their recipients.” 

Some of the telltale signs of phishing emails include:

  • unexpected arrival
  • unusual content
  • claims affiliation to an authoritative source
  • is from a sender not aligned with that source
  • a sense of urgency or importance
  • absent or generic greetings
  • unusual or unexpected attachments or links.

ESET says genuine emails can often contain some – or all – of these characteristics. The problem is that any recipient who has been through phishing awareness training may see those characteristics and classify the email as junk.

Businesses should consider providing phishing awareness training to their employees so that outgoing emails don’t accidentally resemble scam messages. ESET says training should include personal management advice on how to reconnect, in a trustworthy, timely, and genuine way, with people who don’t respond.

“Phishing and business email compromise (BEC), also known as email account compromise (EAC), cause hundreds of thousands of dollars in losses for businesses each year,” FitzGerald says.  

“This amount is unlikely to decrease if recipients are confused about how to handle suspicious-looking emails. Organisations must send messages that are verifiable and honest, so users can safeguard themselves against email phishing threats without missing important email content from companies they want to do business with.” 

Here’s how you can tailor your emails so they don’t appear ‘phishy’:

1. Make emails ‘expected’
If emails require recipients to take action, it’s useful to send an introductory email first, which helps them understand what the email will be about and what is expected of them on receipt. Trustworthy emails should include a content summary, a distinctive greeting and sign-off, and a visible email address that is traceable to the sender.

2. Keep calm
Classic social engineering tactics can intimidate or turn away clients, so train the employees in charge of email distribution to convey a sense of urgency without signalling panic. Organisations can address non-compliance calmly, yet seriously. If a message is attributed to the general manager or CEO of a company, it should genuinely come from that individual, rather than from another staff member.

3. Choose security-conscious products
Organisations should be picky when considering new Software-as-a-Service (SaaS) apps for sending emails. Some apps let organisations customise bulk messages so they appear more user-friendly. It’s important to fill in every variable in the SaaS templates, to avoid accidentally sending emails that read questionably, such as “Dear %RECIPIENT%”.

4. Keep it simple
Emails should mostly be plain text, using HTML content only when absolutely necessary. For users to trust an email, its message should be quick and easy to read and digest, so organisations should avoid asking recipients to click on links or attachments to access the message content. If users need more detailed information, emails should direct them to a standard, safe location, such as the company website.
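The four tips above amount to a pre-send checklist. The Python below is an added example, not code from ESET or the article, that turns the listed traits (sender not aligned with the claimed source, urgent subject, HTML-only body, unfilled template variables such as “Dear %RECIPIENT%”, absent or generic greeting, unexpected attachment) into a linter an organisation could run over outgoing mail before it leaves; the keyword lists, finding names and sample messages are constructed assumptions.

```python
import re
from email import message_from_string
# Constructed heuristics for the traits the article lists (added example, not ESET's tooling).
URGENCY = re.compile(r"\b(urgent|immediately|act now|final notice|suspended)\b", re.I)
PLACEHOLDER = re.compile(r"%[A-Z_]+%|\{\{\s*\w+\s*\}\}")  # unfilled SaaS variable, e.g. "Dear %RECIPIENT%"
GREETING = re.compile(r"^\s*(dear|hi|hello)\b", re.I | re.M)
GENERIC = re.compile(r"^\s*(dear|hi|hello)\s+(valued )?(customer|user|member)\b", re.I | re.M)

def _text_parts(msg):
    """Yield (content_type, decoded text) for each text/plain or text/html part."""
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html"):
            raw = part.get_payload(decode=True) or b""
            yield part.get_content_type(), raw.decode(part.get_content_charset() or "utf-8", "replace")

def lint_outgoing(raw_message, org_domain):
    """Return the 'phishy' traits found in an outgoing message; an empty list means it looks expected."""
    msg = message_from_string(raw_message)
    findings = []
    m = re.search(r"@([\w.-]+)", msg.get("From") or "")
    domain = m.group(1).lower() if m else ""
    if domain != org_domain.lower() and not domain.endswith("." + org_domain.lower()):
        findings.append("sender-not-aligned-with-source")  # claims the org, sent from elsewhere
    subject = msg.get("Subject") or ""
    if URGENCY.search(subject):
        findings.append("urgent-subject")
    parts = list(_text_parts(msg))
    text = "\n".join(t for _, t in parts)
    if {c for c, _ in parts} == {"text/html"}:  # HTML only, no plain-text alternative
        findings.append("html-only-body")
    if PLACEHOLDER.search(subject + "\n" + text):
        findings.append("unfilled-template-variable")
    if not GREETING.search(text):
        findings.append("missing-greeting")
    elif GENERIC.search(text):
        findings.append("generic-greeting")
    if any(p.get_content_disposition() == "attachment" for p in msg.walk()):
        findings.append("unexpected-attachment")
    return findings
# Constructed sample messages (not from the article); without a Content-Type header they parse as text/plain.
PHISHY_LOOKING = """From: Accounts <billing@mail-notify.example.net>
Subject: URGENT: your account will be suspended

Dear %RECIPIENT%,
"""
EXPECTED = """From: Jane Smith <jane.smith@example.com>
Subject: Your August invoice, as mentioned in our welcome note

Hi Alex,
Summary: your August invoice is on your account page at www.example.com/billing. Jane Smith, Accounts
"""
```

Running `lint_outgoing(PHISHY_LOOKING, "example.com")` flags the sender, the urgent subject and the unfilled variable, while the expected-style message from the organisation's own domain returns no findings.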
