Businesses must avoid sending phishy-looking emails
Despite awareness of email phishing, many businesses confuse email recipients into adopting poor email security practices by using phishing-like wording and practices.
Despite relatively widespread awareness of the dangers of phishing emails, many businesses are confusing their email recipients into adopting poor email security practices by using phishing-like wording and practices.
This makes it more difficult for people to differentiate between legitimate and scam emails, and can affect business success by turning away customers and decreasing the chance of recipient responses.
“Stereotypical phishing emails usually feature an urgent-sounding headline, require action from the receiver, and come from an unknown sender address,” says Nick FitzGerald, senior research fellow, ESET. “However, some organisations are inadvertently replicating scam-email features in their legitimate email messages, creating confusion for their recipients.”
Phishing emails tend to display the following characteristics:
- Unexpected arrival.
- Unusual content.
- Claims affiliation to an authoritative source.
- Is from a sender not aligned with that source.
- A sense of urgency or importance.
- Absent or generic greetings.
- Unusual or unexpected attachments or links.
Emails from legitimate sources often contain some, or even all, of these traits, even though the traits are most commonly associated with targeted social engineering campaigns. These qualities generate distrust among recipients, because spotting exactly these telltale signs is a common goal of phishing awareness training. Consequently, in the long run, recipients could become confused, leading them to trust emails which are in fact harmful.
Organisations should consider providing employees with anti-phishing training, so when they email their customers, they aren’t accidentally mimicking scam messages. This should include personal management advice on how to reach out to non-respondents in an authentic, trustworthy, and timely manner.
“Phishing and business email compromise (BEC), also known as email account compromise (EAC), cause hundreds of thousands of dollars in losses for businesses each year,” says FitzGerald. “This amount is unlikely to decrease if recipients are confused about how to handle suspicious-looking emails. Organisations must send messages that are verifiable and honest, so users can safeguard themselves against email phishing threats without missing important email content from companies they want to do business with.”
ESET has identified four important ways organisations can ensure their emails don’t appear ‘phishy’:
1. Make emails ‘expected’. If emails require recipients to take action, it’s useful to send an introductory email first, which helps them conveniently understand what the email will be about, and what is expected of them upon receipt. Trustworthy emails should include content summaries, a distinctive greeting and sign off, and a visible email address which is traceable to the sender.
2. Keep calm. Classic social engineering tactics can intimidate or turn away clients, so train employees in charge of email distribution how to relay a sense of urgency, without indicating panic. Organisations can address non-compliance calmly, yet seriously. If a message is attributed to the general manager or CEO of a company, it should legitimately come from that individual, rather than an alternate staff member.
3. Choose security-conscious products. Organisations should be picky when considering new Software-as-a-Service (SaaS) apps for sending emails. Some apps will let organisations customise bulk messages so they appear more user-friendly. It’s important to fill out all the variables in the SaaS templates, to avoid accidentally sending emails that read questionably, like “Dear %RECIPIENT%”.
4. Keep it simple. Emails should mostly use plain text formatting, and only use HTML content when absolutely necessary. For users to trust an email, its message should be quick and easy to read and digest, so organisations should avoid asking recipients to click on links or open attachments to access the message content. If users need more detailed information, emails should direct them to a standard, safe location, such as the company website.
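The four recommendations above can be turned into a pre-send check that an organisation runs over its own outgoing mail before a bulk tool delivers it. The following is an added example, not code from ESET or from the article; the merge-field syntaxes it recognises, the greeting and urgency word lists, and the `example.com` sender domain are assumptions chosen for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Merge-field syntaxes used by common bulk-mail tools (assumed list); none should
# survive rendering, otherwise the recipient sees "Dear %RECIPIENT%".
UNFILLED = re.compile(r"%[A-Z_]+%|\{\{\s*[\w.]+\s*\}\}|\*\|\w+\|\*")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "dear sir/madam", "hello there")
URGENCY = ("immediately", "urgent", "within 24 hours", "account will be suspended", "act now")


def lint_outgoing(msg: EmailMessage, org_domain: str) -> list[str]:
    """Return the traits in a draft email that make a legitimate message look phishy."""
    findings = []
    body = msg.get_content()
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    lowered = body.lower()

    leftover = sorted(set(UNFILLED.findall(body)))          # recommendation 3
    if leftover:
        findings.append(f"unfilled template variables: {', '.join(leftover)}")
    if not first_line.lower().startswith(("dear", "hi", "hello")):   # recommendation 1
        findings.append("no greeting on first line")
    elif first_line.lower().startswith(GENERIC_GREETINGS):
        findings.append(f"generic greeting: {first_line!r}")
    _, sender = parseaddr(msg.get("From", ""))              # sender traceable to the org
    if not sender.lower().endswith("@" + org_domain.lower()):
        findings.append(f"From address {sender!r} is not on {org_domain}")
    hits = [w for w in URGENCY if w in lowered]             # recommendation 2
    if hits:
        findings.append(f"urgency language: {', '.join(hits)}")
    if msg.get_content_subtype() == "html":                 # recommendation 4
        findings.append("HTML body; prefer plain text")
    return findings


def build_sample(body: str, sender: str, subtype: str = "plain") -> EmailMessage:
    """Build a constructed draft message for the checks above."""
    m = EmailMessage()
    m["From"] = sender
    m["To"] = "jo.bloggs@example.net"
    m["Subject"] = "Your March statement is ready"
    m.set_content(body, subtype=subtype)
    return m


# Constructed drafts, not real mail: one that reads like a scam, one that does not.
BAD = build_sample("Dear %RECIPIENT%,\n\nYour account will be suspended unless you act now.\n\nClick here.",
                   "alerts@bulkmail-provider.example")
GOOD = build_sample("Dear Jo,\n\nAs mentioned in our note last week, your March statement is now "
                    "available on our website.\n\nKind regards,\nSam Lee, Accounts, Example Ltd",
                    "accounts@example.com")
```

Running `lint_outgoing(BAD, "example.com")` reports the unfilled placeholder, the off-domain sender and the urgency wording, while the `GOOD` draft returns no findings.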
Article supplied by ESET.