Phishing emails are often short, request action, and convey a sense of urgency. Take the time to explain briefly why the recipient is receiving the message, who is sending it, and why action needs to be taken (if applicable). More specific, customized salutations are also preferred (e.g., “Dear Tara” vs. “Dear staff member”).
The Information Security Office teaches users never to click on unknown or unexpected links or attachments in emails. Consider the following best practices when you do choose to include them:
Avoid linking directly to outside websites (we recognize that sometimes you have no other option); instead, consider directing recipients to a Princeton website containing the published links (e.g., posting links to benefit providers on the official Princeton HR website, or providing external links in ServiceNow knowledge base articles). If you must link directly to an outside website within an email message, consider notifying recipients in advance and providing thorough contact information so they can check the message’s validity.
URL shortening services (e.g., Bitly, TinyURL) obscure the URL target, making it difficult for a user to determine the website to which the browser is being directed. Unless there is a character limit, use full URLs in University communications so recipients can assess the risk of a website before clicking the link. In keeping with University accessibility guidelines to provide clear and meaningful links, users may embed the full URLs within the link text.
If you must share a file in a mass email, post it on a Princeton University website, Princeton-approved cloud storage, or a network-shared drive and refer to that location in the message.
Emails sent from external email addresses increase suspicion, so use a Princeton.edu email account when you can. Provide contact information should the recipient have questions or seek to verify the validity of the email.
If you must send a questionable-looking email, consider sending an email in advance from a known Princeton.edu address explaining what will follow (e.g., another email from XYZ will follow that contains links and/or attachments). For broader communications, such as something being shared University-wide, you may want to notify people using circulated newsletters or popular University websites. This approach allows you to reference the prior notice in the email to gain more validity (e.g., “As announced in The Daily Prince...”).
Prior to sending your message, you may submit mass mailing messages to The Phish Bowl and ask that they be added to the “Legitimate Emails” section. You may request this when completing a PU Mass Mailing Request Form or by submitting a Generic Request Form.