Tips for Writing Non-phishy Email

1. Explain and provide context.

Phishing emails are often short, request action, and convey a sense of urgency.  Take the time to explain briefly why the recipient is receiving the message, who is sending it, and why action needs to be taken (if applicable).  More specific, customized salutations are also preferred (e.g., “Dear Tara” vs. “Dear staff member”).

2. Eliminate or minimize the use of links and/or attachments.

The Information Security Office teaches users never to click on unknown or unexpected links, and never to open unexpected attachments, in email. A legitimate message that relies on links or attachments therefore looks much like a phish. Consider the following best practices when you do choose to include them:

3. Use a known “From” address and include contact information.

Emails sent from external addresses increase suspicion, so send from a Princeton.edu email account when you can. Provide contact information (a name, office, and phone number the recipient can look up independently) so that anyone with questions can verify the email's legitimacy through a channel other than the message itself.

4. Notify recipients in advance.

If you must send a questionable-looking email, consider sending an email in advance from a known Princeton.edu address explaining what will follow (e.g., another email from XYZ will follow that contains links and/or attachments). For broader communications, such as something being shared University-wide, you may want to notify people through circulated newsletters or popular University websites. This approach also lets you reference the prior notice in the email itself to gain even more credibility (e.g., "As announced in The Daily Prince, ...").

5. Keep OIT & the campus community informed.

Before sending a mass mailing, you may submit the message to The Phish Bowl and ask that it be added to the "Legitimate Emails" section. You may request this when completing a PU Mass Mailing Request Form or by submitting a Generic Request Form.