How to avoid sending 'phishy' emails that could lose you customers

03 Aug 18

As more businesses become aware of phishing emails and the dangers they pose when they land in the inbox, those same businesses should be careful to avoid falling into a similar trap.

Security firm ESET says that some genuine emails can look very similar to scam emails, which can damage relationships between businesses and their customers.

‘Phishy’ emails can also foster distrust; they can make it more difficult for people to tell the difference between genuine and scam emails; they can make it less likely for a customer to respond; and they can scare away customers.

What are some of the characteristics of phishing emails? ESET senior research fellow Nick FitzGerald explains:

“Stereotypical phishing emails usually feature an urgent-sounding headline, require action from the receiver, and come from an unknown sender address. However, some organisations are inadvertently replicating scam-email features in their legitimate email messages, creating confusion for their recipients.” 

Some of the telltale signs of phishing emails include:

  • unexpected arrival
  • unusual content
  • claims affiliation to an authoritative source
  • is from a sender not aligned with that source
  • a sense of urgency or importance
  • absent or generic greetings
  • unusual or unexpected attachments or links.

ESET says genuine emails can often contain some – or all – of these characteristics. The problem is that any recipient who has been through phishing awareness training may see those characteristics and classify the email as junk.

Businesses should consider providing phishing awareness training to their employees so that the emails those employees send don’t accidentally resemble scam messages. ESET says training should also include personal management advice on how to reconnect, in a trustworthy, timely, and genuine way, with people who don’t respond.

“Phishing and business email compromise (BEC), also known as email account compromise (EAC), cause hundreds of thousands of dollars in losses for businesses each year,” FitzGerald says.  

“This amount is unlikely to decrease if recipients are confused about how to handle suspicious-looking emails. Organisations must send messages that are verifiable and honest, so users can safeguard themselves against email phishing threats without missing important email content from companies they want to do business with.” 

Here’s how you can tailor your emails so they don’t appear ‘phishy’:

1. Make emails ‘expected’ 
If emails require recipients to take action, it’s useful to send an introductory email first, which helps them conveniently understand what the email will be about, and what is expected of them upon receipt. Trustworthy emails should include content summaries, a distinctive greeting and sign off, and a visible email address which is traceable to the sender. 

2. Keep calm 
Classic social engineering tactics can intimidate or turn away clients, so train employees in charge of email distribution how to relay a sense of urgency, without indicating panic. Organisations can address non-compliance calmly, yet seriously. If a message is attributed to the general manager or CEO of a company, it should legitimately come from that individual, rather than an alternate staff member. 

3. Choose security-conscious products 
Organisations should be picky when considering new Software-as-a-Service (SaaS) apps for sending emails. Some apps will let organisations customise bulk messages so they appear more user-friendly. It’s important to fill out all the variables in the SaaS templates, to avoid accidentally sending emails that read questionably, like, “Dear %RECIPIENT%”. 

4. Keep it simple 
Emails should mostly use plain text formatting, and only use HTML content when absolutely necessary. For users to trust an email, its message should be quick and easy to read and digest, so organisations should avoid asking recipients to click on links or open attachments to access message content. If users need more detailed information, emails should direct them to a standard, safe location, such as the company website.
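As an added example (not ESET's or the article's own code), the Python below is a pre-send lint that flags the telltale signs listed above in an outbound message: an unfilled template variable such as "%RECIPIENT%", a sender domain not aligned with the organisation, a generic or absent greeting, urgency wording, links, attachments and an HTML-only body. The organisation domain, the phrase lists and the two sample messages are constructed for the example.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Template variables left unfilled, e.g. "Dear %RECIPIENT%" or "{{first_name}}" (assumed formats).
UNFILLED = re.compile(r"%[A-Z_]+%|\{\{\s*\w+\s*\}\}")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear valued", "hi there", "hello there")
URGENT_PHRASES = ("urgent", "immediately", "within 24 hours", "act now", "will be suspended")


def phishy_findings(msg: EmailMessage, org_domain: str) -> list[str]:
    """Return reasons this outbound message may read as phishing; an empty list means none found."""
    findings = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain != org_domain.lower():
        findings.append(f"sender domain {sender_domain!r} not aligned with {org_domain!r}")
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    if body_part is not None and body_part.get_content_type() == "text/html":
        findings.append("HTML-only body with no plain-text alternative")
    text = msg.get("Subject", "") + "\n" + body
    if UNFILLED.search(text):
        findings.append("unfilled template variable: " + UNFILLED.search(text).group(0))
    first_line = next((ln.strip().lower() for ln in body.splitlines() if ln.strip()), "")
    if any(g in first_line for g in GENERIC_GREETINGS):
        findings.append("generic greeting: " + first_line)
    elif not re.match(r"(dear|hello|hi)\b", first_line):
        findings.append("no greeting on the first line")
    for phrase in URGENT_PHRASES:
        if phrase in text.lower():
            findings.append("urgency wording: " + phrase)
    if re.search(r"https?://", body):
        findings.append("body asks the reader to follow a link")
    if any(True for _ in msg.iter_attachments()):
        findings.append("message carries an attachment")
    return findings


def make_message(sender: str, subject: str, body: str, html: bool = False) -> EmailMessage:
    """Build a minimal outbound message for the checks above (constructed sample data)."""
    msg = EmailMessage()
    msg["From"], msg["Subject"] = sender, subject
    msg.set_content(body, subtype="html" if html else "plain")
    return msg


# Constructed samples: one that trips several telltale signs, one written to the guidance.
PHISHY = make_message("Example Billing <billing@example.net>",
                      "URGENT: action required on your account",
                      "Dear %RECIPIENT%,\n\nYour account will be suspended within 24 hours "
                      "unless you confirm your details at https://example.net/confirm\n")
CLEAN = make_message("Jane Doe <jane.doe@example.com>", "Your July invoice is ready",
                     "Hello Alex,\n\nAs mentioned in last week's note, your July invoice is now "
                     "available in the customer portal on our website.\n\nKind regards,\n"
                     "Jane Doe, Accounts, Example Ltd\n")
```

Running `phishy_findings(PHISHY, "example.com")` lists the mismatched sender domain, the unfilled variable, three urgency phrases and the link, while `phishy_findings(CLEAN, "example.com")` returns an empty list.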
