Guidelines for Writing Emails and Other Communications that Don’t Look Phishy

 

If you need to send an email or text on behalf of a university unit or office, follow these guidelines to help you make it clear that your message is legitimate. In general, make it easy for people to verify the sender, the URLs, and the content of the message so they can feel confident it is an official communication.

Make It Easy to Verify the Sender

Recipients will want to know whether the message is from a legitimate source. Help them by paying attention to the following:

From address

Give your recipients as many clear indicators as you can that this is safe. The From address should:

• Be associated with your office or unit.  In most cases, it should include the name of your unit or office.
• End in the appropriate domain for your campus (@umontana.edu, @mso.umt.edu, @mtech.edu, @umwestern.edu, @helenacollege.edu).
• Be listed as a contact address on your website.

Signature

Include a signature line in the message. Recipients should be able to search for the person's, unit's or office's name to verify it and find more information. 

• Search results for a unit or office name should include the official campus website for that unit or office in the UM System (umontana.edu, umt.edu, mtech.edu, umwestern.edu, helenacollege.edu)
• Spell out the full unit or office name, and check that it is spelled correctly.
• Provide an email address or phone number that recipients can contact if they have questions.

Branding elements

Use appropriate logos, wordmarks, and other UM System branding elements.

Write a Clear Subject Line

Spend extra time on your subject line. Make very clear what the email is about and why people should open it. Keep it brief and informative.

Make Link Locations Clear

Make it easy for recipients to check the location of any URLs linked in your message.

Avoid short URLs

These look suspicious because they hide the real web address. If you must use a shortened URL in a university email, make the destination clear.

Use descriptive link text with the full URL

In emails and on web pages, it is best to use descriptive link text with the full URL behind it. The descriptive text lets people know where they will go if they click. Never label a link with "Click here," because it does not tell people where the link will take them. Using descriptive link text is also a recommended best practice for accessibility, because it provides people who use screen readers with clear, complete information.

We recommend that people hover over links in email with their pointer so they can see if the URL looks legitimate and matches what is described in the link text. Write your message so recipients can do this.

Navigation instructions

Give navigation instructions where applicable. Let people know the name of the website they are being asked to visit and where to go once they get there. If you are asking people to follow a procedure, include a link to detailed instructions.

If login is required, say so

Let people know if they will be prompted to log in. 

Refer to Supporting Information

Where applicable, refer to supporting information on UM System websites. It is especially helpful to provide information that members of the UM System community are familiar with and used to consulting. If recipients receive email about a service provided by University of Montana Information Technology (UM IT), for example, they will expect to find supporting information on the UM IT website or UM Solutions Center that they can use to corroborate the legitimacy of the message. 

Don't Ask for Sensitive Information in Email or Text

Do not ask people to send sensitive information to you through email or text message. Passwords, for example, should never be sent via email or text message. If you must ask people to verify something, provide instructions for using a secure method to do so and be sure to reference existing instructions on an official university website. 

Be Professional, Write Well

We tell message recipients to be suspicious of poorly written emails with grammatical and spelling errors. Email sent on behalf of the university should be well-written with accurate information.

If a Third-Party Vendor Sends Email

If your unit contracts with a third-party vendor for a university service, and the vendor sends email to members of the UM System community, work with the vendor to help ensure that UM System recipients can verify the legitimacy of the message.

• Consider contacting message recipients before the vendor sends email to let them know what to watch for and why.
• Publish a page on your website describing the communication so recipients can find further information if they check.
• Ask the vendor to include clear information about the relationship of the service to the UM System, as well as the office recipients can contact if they have questions. Ideally, the message will include information about how to verify its legitimacy.