
How to avoid sending 'phishy' emails that could lose you customers

03 Aug 18

As more businesses become aware of phishing emails and the dangers they pose when they land in the inbox, those same businesses should be careful to avoid falling into a similar trap.

Security firm ESET says that some genuine emails can often look similar to scam emails, which can lead to damaged relationships between businesses and their customers.

‘Phishy’ emails can also foster distrust; they can make it more difficult for people to tell the difference between genuine and scam emails; they can make it less likely for a customer to respond; and they can scare away customers.

What are some of the characteristics of phishing emails? ESET senior research fellow Nick FitzGerald explains:

“Stereotypical phishing emails usually feature an urgent-sounding headline, require action from the receiver, and come from an unknown sender address. However, some organisations are inadvertently replicating scam-email features in their legitimate email messages, creating confusion for their recipients.” 

Some of the telltale signs of phishing emails include:

  • unexpected arrival
  • unusual content
  • claims affiliation to an authoritative source
  • is from a sender not aligned with that source
  • a sense of urgency or importance
  • absent or generic greetings
  • unusual or unexpected attachments or links.

ESET says often genuine emails can contain some – or all – of these characteristics. The problem is that any recipient who has been through phishing awareness training may see those characteristics and classify the email as junk.

Businesses should consider providing phishing awareness training to their employees so that the emails they send don’t accidentally resemble scam messages. ESET says training should also include personal management advice on how to reconnect, in a trustworthy, timely, and genuine way, with people who don’t respond.

“Phishing and business email compromise (BEC), also known as email account compromise (EAC), cause hundreds of thousands of dollars in losses for businesses each year,” FitzGerald says.  

“This amount is unlikely to decrease if recipients are confused about how to handle suspicious-looking emails. Organisations must send messages that are verifiable and honest, so users can safeguard themselves against email phishing threats without missing important email content from companies they want to do business with.” 

Here’s how you can tailor your emails so they don’t appear ‘phishy’:

1. Make emails ‘expected’ 
If emails require recipients to take action, it’s useful to send an introductory email first, which helps them conveniently understand what the email will be about, and what is expected of them upon receipt. Trustworthy emails should include content summaries, a distinctive greeting and sign off, and a visible email address which is traceable to the sender. 

2. Keep calm 
Classic social engineering tactics can intimidate or turn away clients, so train employees in charge of email distribution how to relay a sense of urgency, without indicating panic. Organisations can address non-compliance calmly, yet seriously. If a message is attributed to the general manager or CEO of a company, it should legitimately come from that individual, rather than an alternate staff member. 

3. Choose security-conscious products 
Organisations should be picky when considering new Software-as-a-Service (SaaS) apps for sending emails. Some apps will let organisations customise bulk messages so they appear more user-friendly. It’s important to fill out all the variables in the SaaS templates, to avoid accidentally sending emails that read questionably, like, “Dear %RECIPIENT%”. 

4. Keep it simple 
Emails should mostly include text formatting, and only use HTML content when absolutely necessary. For users to trust an email, its message should be quick and easy to read and digest, so, organisations should avoid asking recipients to click on links or attachments to access message content. If users need more detailed information, emails should direct them to a standard, safe location, such as a company website. 
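The four steps above can be turned into a pre-send check. The following Python linter is an added example, not code from ESET or the article: it inspects an outbound `EmailMessage` and reports the telltale signs listed above (unfilled template variables, a sender address outside the organisation’s domains, an absent or generic greeting, urgent-sounding subject wording, HTML-only content and attachments). The organisation domains, the word lists and the helper `build_message` are assumptions.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Domains the organisation legitimately sends from (assumed placeholder values).
OUR_DOMAINS = {"example.com", "mail.example.com"}

PLACEHOLDER = re.compile(r"%[A-Z_]+%|\{\{\s*\w+\s*\}\}")  # unfilled SaaS template variables
URGENCY = re.compile(r"\b(urgent|immediately|act now|final notice|suspended)\b", re.I)
GENERIC_GREETING = re.compile(r"(dear\s+(customer|user|sir/madam|valued\s+\w+)|hello|hi)\s*[,!]?$", re.I)


def build_message(sender: str, subject: str, text: str) -> EmailMessage:
    """Assemble a plain-text outbound message for checking (assumed helper)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["Subject"] = subject
    msg.set_content(text)
    return msg


def lint_outbound_email(msg: EmailMessage) -> list:
    """Return the 'phishy' traits found in an outbound message (empty list = clean)."""
    findings = []
    subject = msg.get("Subject", "")
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""

    # Step 3: every template variable must be filled before sending.
    if PLACEHOLDER.search(subject) or PLACEHOLDER.search(text):
        findings.append("unfilled template placeholder")
    # Step 1: the visible sender address must be traceable to the organisation.
    _, addr = parseaddr(msg.get("From", ""))
    if addr.rpartition("@")[2].lower() not in OUR_DOMAINS:
        findings.append("sender address not on an organisation domain")
    # Telltale sign: absent or generic greeting on the first non-empty line.
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    if not first.lower().startswith(("dear ", "hello ", "hi ")) or GENERIC_GREETING.match(first):
        findings.append("absent or generic greeting")
    # Step 2: convey importance without stereotypical urgency wording.
    if URGENCY.search(subject):
        findings.append("urgent-sounding subject")
    # Step 4: prefer plain text; HTML-only content and attachments look phishy.
    if msg.get_body(preferencelist=("plain",)) is None:
        findings.append("no plain-text part")
    if any(True for _ in msg.iter_attachments()):
        findings.append("unexpected attachment")
    return findings
```

Run it against a draft before the bulk send; a non-empty list means the message would trip the same heuristics a trained recipient applies.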
