Carnegie Mellon University

Writing Emails that Don't Look Phishy

If you need to send an email on behalf of a university unit or office, follow these guidelines to help you make it clear that your message is legitimate and not a phishing scam. In general, make it easy for people to verify the sender, the URLs, and the content of the message so they can feel confident it is an official communication.

Make It Easy to Verify the Sender

Recipients will want to know whether the message is from a legitimate source. Help them by paying attention to the following:

  • From address: Give recipients as many clear indicators as you can that the message is safe. The From address should:
    • Be associated with the Carnegie Mellon University Andrew account that can be found in the CMU Directory
  • Signature: Include a signature line in the message. Recipients should be able to search for the person's, unit's, or office's name to verify the message and find more information if necessary.

Write a Clear Subject Line

Spend extra time on your subject line. Make it very clear what the email pertains to and why the intended recipient(s) should open it. Keep it brief and informative.

Make Link Locations and Attachments Clear

Make it easy for recipients to check the location of any URLs linked in your message.

Avoid short URLs. These look suspicious because they hide the real web address. If you must use a shortened URL in a university email, make the destination clear. See Shortened URL Security Tips.

Give navigation instructions where applicable. Let people know the name of the website they are being asked to visit and where to go once they get there. If you are asking people to follow a procedure, provide detailed instructions.

If login is required, say so. Let people know if they will be prompted to log in. 

Do not send an attachment unless the recipient already knows it is coming. Be sure the person is aware of why the attachment is being sent. Alert the person through a prior email or contact them directly to make them aware that you are sending an attachment.

Don't Ask for Sensitive Information in Email

Do not ask people to send sensitive information to you through email. Passwords, for example, should never be sent via email.

Be a Professional, Write Well

We tell message recipients to be suspicious of poorly written emails with multiple grammatical and spelling errors. Proofread your messages for mistakes before sending them to the recipient.