
How to avoid sending 'phishy' emails that could lose you customers

03 Aug 18

As more businesses become aware of phishing emails and the dangers they pose when they land in the inbox, those same businesses should be careful to avoid falling into a similar trap.

Security firm ESET says that some genuine emails can often look similar to scam emails, which can lead to damaged relationships between businesses and their customers.

‘Phishy’ emails can also foster distrust; they can make it more difficult for people to tell the difference between genuine and scam emails; they can make it less likely for a customer to respond; and they can scare away customers.

What are some of the characteristics of phishing emails? ESET senior research fellow Nick FitzGerald explains:

“Stereotypical phishing emails usually feature an urgent-sounding headline, require action from the receiver, and come from an unknown sender address. However, some organisations are inadvertently replicating scam-email features in their legitimate email messages, creating confusion for their recipients.” 

Some of the telltale signs of phishing emails include:

  • unexpected arrival
  • unusual content
  • claims affiliation to an authoritative source
  • is from a sender not aligned with that source
  • a sense of urgency or importance
  • absent or generic greetings
  • unusual or unexpected attachments or links.

ESET says often genuine emails can contain some – or all – of these characteristics. The problem is that any recipient who has been through phishing awareness training may see those characteristics and classify the email as junk.

Businesses should consider providing phishing awareness training to their employees so that the emails they send don't accidentally resemble scam messages. ESET says the training should also cover how to follow up, in a trustworthy, timely and genuine way, with people who don't respond.

“Phishing and business email compromise (BEC), also known as email account compromise (EAC), cause hundreds of thousands of dollars in losses for businesses each year,” FitzGerald says.  

“This amount is unlikely to decrease if recipients are confused about how to handle suspicious-looking emails. Organisations must send messages that are verifiable and honest, so users can safeguard themselves against email phishing threats without missing important email content from companies they want to do business with.” 

Here’s how you can tailor your emails so they don’t appear ‘phishy’:

1. Make emails ‘expected’ 
If emails require recipients to take action, it's useful to send an introductory email first, so recipients understand what the email will be about and what is expected of them on receipt. Trustworthy emails should include a content summary, a distinctive greeting and sign-off, and a visible sender address that is traceable to the sender.

2. Keep calm 
Classic social-engineering tactics can intimidate or drive away clients, so train the employees in charge of email distribution in how to convey a sense of urgency without signalling panic. Organisations can address non-compliance calmly, yet seriously. If a message is attributed to the general manager or CEO of a company, it should genuinely come from that individual rather than from another staff member.

3. Choose security-conscious products 
Organisations should be picky when considering new Software-as-a-Service (SaaS) apps for sending emails. Some apps will let organisations customise bulk messages so they appear more user-friendly. It's important to fill out all the variables in the SaaS templates, to avoid accidentally sending emails that read like scams, such as one that opens with “Dear %RECIPIENT%”.

4. Keep it simple 
Emails should mostly use plain-text formatting, and only use HTML content when absolutely necessary. For users to trust an email, its message should be quick and easy to read and digest, so organisations should avoid asking recipients to click on links or open attachments to access the message content. If users need more detailed information, emails should direct them to a standard, safe location, such as the company website.
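As an added example (not ESET's or the article's own code), the following Python pre-send linter turns the four tips above into a check that holds back a draft before it reaches customers: it flags unfilled template variables such as %RECIPIENT%, absent or generic greetings, a sender address outside the organisation's own domain, panic wording, links whose visible text names a different domain from the real destination or that lead away from the company site, and attachments. The placeholder and greeting patterns, the urgency word list and the org_domain parameter are assumptions to be tuned per organisation; the two drafts at the bottom of the block, and the acme.example organisation they refer to, are constructed for the demonstration.

```python
"""Pre-send linter for outgoing business mail (added example; lists and regexes are assumptions)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Unfilled merge variables in common SaaS template syntaxes (assumed patterns).
PLACEHOLDER_RE = re.compile(r"%[A-Z_]+%|\{\{\s*[\w.]+\s*\}\}|\[\[[\w.]+\]\]|\*\|[A-Z_]+\|\*")
GREETING_RE = re.compile(r"^(?:dear|hi|hello|kia ora)\b[ ,]*(?P<name>[^,:!\n]*)", re.I)
# Salutations that address nobody in particular (assumed list).
GENERIC_NAMES = {"", "there", "customer", "valued customer", "user", "member", "client", "sir/madam"}
# Panic wording typical of scam mail (assumed list; tune for your own templates).
URGENCY_PHRASES = ("immediately", "within 24 hours", "will be suspended", "final notice", "act now", "urgent")
# A domain name written out in link text, e.g. "www.acme.example/login".
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]{2,})+)", re.I)


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> tags in an HTML body; anchors without href are ignored."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Hostname of a URL or bare domain, lower-cased, with a leading 'www.' dropped."""
    host = urlparse(url if "://" in url else "http://" + url).hostname or ""
    return host[4:] if host.startswith("www.") else host


def _belongs(host, org_domain):
    return host == org_domain or host.endswith("." + org_domain)


def lint_email(sender, org_domain, subject, text, html="", attachments=()):
    """Return (rule, detail) findings for a draft; an empty list means it is clean."""
    org_domain, findings = org_domain.lower(), []

    # 3. 'Dear %RECIPIENT%': any merge variable left unfilled, anywhere in the message.
    for ph in sorted(set(PLACEHOLDER_RE.findall("\n".join((subject, text, html))))):
        findings.append(("unfilled_placeholder", ph))

    # 1. Greeting: present, and addressing the recipient rather than 'Dear Customer'.
    first_line = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    m = GREETING_RE.match(first_line)
    if m is None:
        findings.append(("absent_greeting", first_line[:40]))
    elif m.group("name").strip().lower() in GENERIC_NAMES:
        findings.append(("generic_greeting", first_line))

    # 1. Sender: the visible address must be traceable to the organisation.
    if not _belongs(_host(sender.rsplit("@", 1)[-1]), org_domain):
        findings.append(("sender_not_org_domain", sender))

    # 2. Urgency: flag panic wording so importance is conveyed calmly.
    lowered = (subject + "\n" + text).lower()
    findings += [("urgency", p) for p in URGENCY_PHRASES if p in lowered]

    # 4. Links: text must not name one domain while pointing at another; stay on the company site.
    collector = _LinkCollector()
    collector.feed(html)
    for href, visible in collector.links:
        target, shown = _host(href), DOMAIN_RE.search(visible)
        if shown and _host(shown.group(1)) != target:
            findings.append(("link_text_mismatch", f"{visible} -> {href}"))
        if target and not _belongs(target, org_domain):
            findings.append(("offsite_link", href))

    # 4. Attachments and HTML-only bodies hide the content behind a click.
    findings += [("attachment", name) for name in attachments]
    if html and not text.strip():
        findings.append(("html_only", ""))
    return findings


# Constructed drafts for demonstration; acme.example is a made-up organisation.
PHISHY_DRAFT = dict(
    sender="noreply@mailer-platform.example", org_domain="acme.example",
    subject="URGENT: your account will be suspended",
    text="Dear Customer,\n\nAct now or your account will be suspended within 24 hours.",
    html='<p>Dear Customer,</p><p>Hello {{first_name}}</p><p><a href="https://acme-verify.example/login">https://www.acme.example/login</a></p>',
    attachments=("invoice.zip",),
)
CLEAN_DRAFT = dict(
    sender="billing@acme.example", org_domain="acme.example",
    subject="Your March invoice is ready",
    text="Hi Priya,\n\nAs our welcome note said, each month's invoice is posted to your account. March's is now at https://www.acme.example/invoices.\n\nRegards,\nSam Lee, Acme Billing",
    html='<p>Hi Priya,</p><p><a href="https://www.acme.example/invoices">www.acme.example/invoices</a></p>',
)

if __name__ == "__main__":
    for name, draft in (("phishy", PHISHY_DRAFT), ("clean", CLEAN_DRAFT)):
        print(name, lint_email(**draft) or "no findings")
```

Run the block directly and the constructed phishy draft produces one finding per signal the article lists, while the clean draft produces none. The point of the findings list, rather than a single pass/fail, is that the mail operator can see which tip a template breaks; a real deployment would wire lint_email into the bulk-mail tool's approval step and block sending while the list is non-empty.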
