Advice for email senders to make email more trustworthy

Emails Demanding Urgent Action

Phishing emails often threaten negative consequences unless urgent action is taken.

  • Do not send messages that urge users to take quick action
  • Give users plenty of notice to respond so they have time to research the message
  • Ensure your subject is meaningful and non-threatening

Emails with Bad Grammar and Spelling Mistakes

Many phishing messages include bad grammar and spelling mistakes.

  • Run spellcheck and proofread messages for grammar before sending - beware of auto-correct
  • Avoid using all CAPITAL LETTERS

Emails to groups

Emails to groups should use mail merge or distribution lists.

  • Be cautious about sending to a list via Bcc: with the sender's own address in both the To: and From: fields, since that pattern is common in phishing
  • Avoid sending to a long list of email addresses in the To: or Cc: field

Emails with an Unfamiliar Greeting or Salutation

Emails that start with “Dear” or contain phrases not normally used in informal conversation should arouse suspicion.

  • Use appropriate greetings
  • Use a real person’s name to sign a message
  • Make sure the sender is listed in the campus directory with the same credentials

Inconsistencies in Email Addresses, Links, & Domain Names

Look for inconsistencies in the sender name, email addresses, links, and domain names.

  • Ensure the sender email address matches the individual signing the message
  • Ensure the sender email address matches the domain the message was sent from
  • Use SF State approved email servers to send messages and distribute documents
  • Use Client Certificates to sign messages and improve authenticity

Suspicious Attachments

Email messages with attachments should always be treated with suspicion.

  • Avoid using images in message signatures and images of signatures in messages
  • Include key content in the message body
  • Use campus servers such as Box at SF State to exchange documents
  • Ensure public documents can be found using campus Google search

Emails Requesting Login Credentials, Payment Information, or Other Sensitive Information

Emails that request login credentials, payment information, or other sensitive information should always be treated with caution.

  • Do not send messages requesting users send sensitive information via email
  • Avoid sending messages that use "Click here" links that do not show the Web address
  • Avoid using link shorteners (e.g., TinyURL) that hide the destination

Email messages that direct users to a login page

Phishing messages often direct users to click on a link that takes them to a fake login page that looks real.

  • Use campus Single Sign-On for authentication
  • Provide links on existing Web pages that users can search for or navigate to independently
  • Confirm that the URL (Web address) of the page the link takes you to begins with idp.sfsu.edu or email.sfsu.edu before entering your SF State ID and Password

Too Good to Be True Emails

Too good to be true emails are those which incentivize the recipient to click on a link or open an attachment by claiming there will be a reward of some nature. If the sender of the email is unfamiliar or the recipient did not initiate the contact, it is likely a phishing email.

  • Avoid sending email that rewards bad behaviors – notify winners by another means

Check the message envelope

Email messages have a “hidden” message envelope called the message header. Send a test message and review the message header to see how the message travels from the sender to your recipient’s inbox. Contact IT support if you need assistance reviewing a header.

  • Check the server that was used to send the message
  • Check the account the message was sent from
  • Check the software that was used to send the message
  • Check the SPF status if the message came from off-campus
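As an added illustration of the four header checks listed above (this script is not part of the SF State guidance), the following Python pulls the sending server, sending account, sending software and SPF result out of a raw message. The sample message, hostnames and addresses are constructed placeholders, and the `looks_consistent` rule is an assumed simple heuristic, not a campus policy.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample message (not real mail); hostnames and addresses are
# documentation placeholders chosen for this example.
SAMPLE_MESSAGE = """\
Received: from mail.example.edu (mail.example.edu [192.0.2.10])
 by mx.campus.example (Postfix) with ESMTPS id ABC123
 for <staff@campus.example>; Mon, 1 Jan 2024 10:00:00 -0800
Received: from user-laptop (unknown [198.51.100.7])
 by mail.example.edu (Postfix) with ESMTPSA id XYZ789;
 Mon, 1 Jan 2024 09:59:58 -0800
Received-SPF: pass (mx.campus.example: domain of jane@example.edu designates 192.0.2.10 as permitted sender)
From: Jane Doe <jane@example.edu>
To: staff@campus.example
Subject: Test message
X-Mailer: Example Mail Client 1.0

Test body.
"""

RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)
SPF_RESULT = re.compile(r"^(pass|fail|softfail|neutral|none|temperror|permerror)\b", re.IGNORECASE)

def envelope_summary(raw_message):
    """Extract the four items the checklist names from a raw message."""
    msg = message_from_string(raw_message, policy=default)
    # Each hop prepends its own Received: line, so the first one is the server
    # that handed the message to our MX and the last one is the origin host.
    hops = [RECEIVED_FROM.match(str(h).strip()) for h in msg.get_all("Received", [])]
    hops = [m.group(1).lower() for m in hops if m]
    _, sender = parseaddr(str(msg.get("From", "")))
    spf = SPF_RESULT.match(str(msg.get("Received-SPF", "")).strip())
    return {
        "sender": sender.lower(),                       # account the message was sent from
        "sender_domain": sender.rpartition("@")[2].lower(),
        "relay_host": hops[0] if hops else None,        # server that sent it to our MX
        "origin_host": hops[-1] if hops else None,      # where the message first entered mail
        "mailer": str(msg.get("X-Mailer") or msg.get("User-Agent") or "") or None,  # sending software
        "spf": spf.group(1).lower() if spf else "missing",
    }

def looks_consistent(summary):
    """True when the relay host sits under the From: domain and SPF passed; False just means look closer."""
    relay, domain = summary["relay_host"] or "", summary["sender_domain"]
    in_domain = bool(domain) and (relay == domain or relay.endswith("." + domain))
    return in_domain and summary["spf"] == "pass"
```

A False result from `looks_consistent` is a reason to read the header more carefully or ask IT support, not proof that the message is phishing.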

For more information

The Information Security team has introduced an ongoing Information Security Awareness program for faculty and staff. This program is designed to help employees protect their sensitive information and that belonging to others. The program combines monthly advisory messages with phishing training exercises. For more information, please see: Information Security Awareness program for faculty and staff guide