Departments often need to send email to large numbers of recipients. With any mass email, there is a risk that recipients will view it with suspicion. When users report the message as a possible phishing attempt, they ignore its content and the message is lost. The Information Security Office offers the following tips for departments that want their emails to reach as many users as possible:
Ensure the sender address references a UCF-specific departmental name and not generic terms.
(For example, use “UCF HR” instead of “Human Resources.”)
Always use an official UCF email address (@ucf.edu) to send the messages.
If not using a distribution list, BCC the recipients. This will prevent the email addresses of all recipients from being included in the message.
Ask yourself if the message is appropriate for the recipients you have selected: if they won’t consider it useful, they may view it as spam or phishing.
Avoid using subject lines that give the appearance of urgency or ambiguity.
State the reason for the email clearly in the subject line.
If your message is time sensitive, you may wish to include a date in the subject line.
Include a greeting that clearly identifies your audience.
(Example: “To all UCF employees:”)
Identify your department in the opening paragraph.
(Example: “This message is from…”)
Do not pressure the user to avoid negative consequences by completing a task, clicking a link, or providing personal information.
Be aware that if you choose to offer incentives such as gift cards or other prizes for responses, users may view these offers suspiciously.
Never ask users to reply to your message with personal information.
Double-check grammar and spelling – phishing emails often contain spelling or grammatical errors.
Mass emails should not include files attached directly to the message. Attachments are a common way for malware to spread, and users should treat most attachments not sent from an individual as suspicious.
Instead, upload the file on an official UCF web page and provide a link to the file.
Links should be placed in the email in “raw” form so that users have a better idea of their destination. Links should not be masked with text such as “Click Here.”
(For example, use https://www.ucf.edu instead of “Click Here to visit the UCF website.”)
Ensure any links in the message are clearly associated with UCF. Do not use URL shorteners such as bit.ly, social media, or mass-mailing-provided tracking links.
Use only secure https:// links, not http:// or plain URLs such as ucf.edu.
Depending upon the request you have made to the users, you may wish to include an alternative way for users to confirm the request.
(Examples: “Call our office at…” or “Visit our office in Millican Hall…”)
Ensure your department’s signature is included in the email (make sure it references UCF), and include a link to your departmental website. At the end of the message, include the following text, separated from the body by a horizontal line:
———————
UCF will never send messages asking you to respond and provide personal information, login credentials, or passwords via email. You are not required, nor does UCF encourage or recommend providing your passwords and/or other secret login credentials to anyone claiming to represent UCF. Never respond to unsolicited email messages requesting your password, credentials, or other confidential information and never share your password with anyone. Regard all unsolicited messages with extreme caution and alert the Security Incident Response Team at SIRT@ucf.edu if a message appears suspicious.
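The sender, attachment and link tips above can be checked on a draft before it is sent. The following is an added example, not tooling from UCF or the Information Security Office; the function name, finding strings and sample draft are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+")

class _Links(HTMLParser):
    """Collect (destination, visible text) pairs from an HTML or plain-text body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
        else:  # a URL typed into running text is already shown raw
            self.links += [(u, u) for u in URL_RE.findall(data)]
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def lint_mass_email(raw):
    """Return findings for a draft in RFC 5322 text form (hypothetical helper)."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    if not parseaddr(str(msg.get("From", "")))[1].lower().endswith("@ucf.edu"):
        findings.append("sender is not an @ucf.edu address")
    if next(msg.iter_attachments(), None) is not None:
        findings.append("file attached: host it on a UCF page and link to it")
    part = msg.get_body(preferencelist=("html", "plain"))
    parser = _Links()
    parser.feed(part.get_content() if part is not None else "")
    parser.close()
    for href, shown in parser.links:
        url = urlsplit(href)  # scheme and hostname come back lower-cased
        if url.scheme != "https":
            findings.append(f"link is not https: {href}")
        if not ("." + (url.hostname or "")).endswith(".ucf.edu"):
            findings.append(f"link host is not ucf.edu: {href}")
        if shown.rstrip("/") != href.rstrip("/"):
            findings.append(f"link text masks its destination: {href}")
    return findings

SAMPLE = ('From: Human Resources <hr@example.com>\nContent-Type: text/html\n\n'
          '<a href="http://bit.ly/x">Click Here</a>')  # constructed draft
```

Calling `lint_mass_email(SAMPLE)` returns four findings; a scheme-less URL such as ucf.edu in running text is not detected and still needs a manual read.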