At the University of Chicago, departments send out global emails daily to announce classes, services, and opportunities. A well-intended message may not get read or taken seriously if recipients think an email is a phishing scam.
How do you make your email look legitimate, and not like phishing? Here are a few best practices to reassure your audience that your message is trustworthy.
- The subject matters.
The subject line should accurately and clearly describe the contents of the email. Readers should not have to guess or feel suspicious of the intent of your email after reading the subject line. For example, "Please Read Immediately" sounds vague, while "Important Changes in UChicago Parking Registration" provides a concrete and specific reason to open your email.
- Watch your links.
When possible, avoid placing links in the body of the email message. If the information can be easily accessed from a website, refer readers to the location on the website that you would like them to read. For example, "Please visit the IT Services website and click on Safe Computing for more information." When no link is visible in the message, readers have no reason to worry that it leads to an unsafe URL.
If it is necessary to include links in the email, direct the reader to a recognizable and credible website, such as its.uchicago.edu. For longer links, clearly describe the website content or title in the hyperlinked text. For example, "View the IT Services Communication and Collaboration Tools." This helps readers assess the safety and trustworthiness of a website. Finally, if your goal is to have the reader visit a third-party site such as Survey Monkey to complete a survey, consider placing the survey link on a safe and more familiar website. Use the familiar URL in your email, and explain the next steps on that page.
- Grammar counts.
Make sure your email looks professional. Proofread it, run a spell checker, and have another person review the message to catch typos and grammatical mistakes.
- Don't ask for personal or confidential information via email.
Never ask for Social Security numbers, account numbers, usernames, passwords, or other personally identifying information via email. Such a request is a major red flag that may deter your readers from taking any further action. It may also generate inquiries to your desktop support and security teams.
- Don't make threats.
Typically, phishers apply pressure by threatening dire consequences if the recipient fails to act immediately. Stick to the facts and urge the recipient to contact the appropriate person or department to reconcile any urgent issues. Contact details should be easily found in the body of the message and repeated at the conclusion of the email. Provide reasonable timelines for recipients to return contact or make required changes, and offer an alternate way to communicate if a deadline has passed.
- Avoid using attachments.
Phishers often include attachments in their email that can harm readers in various ways. Avoid sending attachments unless your recipient is expecting them. Include a clear explanation for the email and attachments in the body of the email. If you need your readers to complete a form, send them to a familiar and reputable website where they can complete or download the form themselves. For additional reassurance, use a document reference number when referring to a document in an email, such as Form ref#123987 rev. 10/2016. This reference number should be somewhere in the header, footer, or title of the document. This can help confirm the content and purpose of the document should anyone have questions.
The information on any accompanying websites should be informative and consistent with everything communicated in the email. Contact information should also be accessible and consistent.
- Sign your emails.
Your readers should be able to clearly identify who is sending the email. Signed emails are deemed more credible than those that are unsigned. Email signatures should include your name, department, phone number (local if possible), and email address so that the reader can contact you if they have any questions regarding the validity of the email. A phone number, especially an on-campus extension, gives the user a way to validate the authenticity of the email without having to contact IT Security or IT Services.
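The checklist above can be applied to a draft before it is sent. The following script is an added example, not part of the original IT Services guidance: it takes a subject line, an HTML body and a list of attachment names, and reports the items that would make the message look like phishing (pressure wording in the subject, requests for credentials or Social Security numbers, attachments, links to hosts outside an allowlist, and link text that reads like a web address but points somewhere else). The allowlist in TRUSTED_DOMAINS, the word lists, and the sample draft in the usage are constructed assumptions to adjust for your own department.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("uchicago.edu",)  # hypothetical allowlist of sender-owned domains
URGENCY = re.compile(r"\b(immediately|urgent|suspended|final notice|act now)\b", re.I)
SENSITIVE = re.compile(r"\b(password|social security|ssn|account number)\b", re.I)

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []  # (href, visible text) pairs
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def trusted(host):
    """True when the host is one of the allowlisted domains or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)

def lint_draft(subject, html, attachment_names=()):
    """Return the checklist violations found in a draft (subject, HTML body, attachments)."""
    findings = []
    if URGENCY.search(subject):
        findings.append("subject uses pressure wording")
    if SENSITIVE.search(html):
        findings.append("body asks for personal or confidential information")
    if attachment_names:
        findings.append("message carries attachments: " + ", ".join(attachment_names))
    parser = LinkCollector()
    parser.feed(html)
    for href, visible in parser.links:
        if href.startswith("mailto:"):
            continue  # a contact address in the signature is expected
        host = urlparse(href).hostname or ""
        if not trusted(host):
            findings.append(f"link to unfamiliar host: {host}")
        # visible text that reads like a web address must agree with the real destination
        shown = urlparse("//" + visible.split("://")[-1]).hostname
        if "." in visible and " " not in visible and shown and shown != host:
            findings.append(f"link text shows {shown} but points to {host}")
    return findings
```

An empty result means the draft passes every check the script knows about; any finding points at the item of the checklist to revisit.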
These simple steps will help your readers feel confident in the trustworthiness of your email and move on to the contents of your message. To get assistance with reviewing your email for security concerns, contact IT Security at security@uchicago.edu or call 773.703.2378 (2-CERT).