Getting Your Message Through (How not to send phish)

The points below are indicators that people can use to confirm their confidence in a message. If you are producing email content that will be “machine generated” or delivered through an automated system then the more things that you can include in the message that raise the confidence of the people receiving the message, the less likely that it will be classified as spam or phishing.

  1. Inform people why they are receiving the email, i.e. as a result of a new financial transaction pending their action, in response to a student’s request to use them as a reference etc.
  2. Avoid the use of non-personalised salutations such as “Dear Customer”. Instead, to increase confidence in the validity of the message, use the person’s name and if possible additional information such as their position and department.
  3. Provide the name and position of the person who authorised or oversees the service. An alternative contact channel such as phone number or web site (with an image of the message) will allow people to easily validate the request.
  4. Don’t request sensitive information via email. Speaks for itself, if you do need it then email is not the right tool.
  5. If you are including any links, don’t use a URL shortening service. Include the full the URL in the message rather text and the link as this makes it easy for people to see where the link is pointing.
  6. If you are sending messages to lots of people include this in the message as there is then clearly no intent to deceive which improves trustworthiness.
  7. Avoid using excessive persuasion to coerce people into action, there is a fine balance between commanding and requesting. If there is sufficient information available, then colleagues and students should easily be able to decide if the request is trustworthy and honour the request.
  8. If you do need to include sensitive content in an attachment, then email is almost certainly the wrong tool. This also extends to executable programs and documents with active content (i.e. macros) as many of these are quarantined or blocked by organisations as criminals frequently abuse them.
  9. Good grammar and spelling increases people’s confidence in the validity of the message.
  10. Use Otago’s email systems to generate and deliver messages as this assures people that Otago has in some way sanctioned the message. It is most unlikely that official communications should be coming from a personal email address like,, or
  11. Include how you will follow up with people if they do not respond to the original message. This might be resending the same message after so many days or the person will be phoned to confirm their receipt of the message.

If you want any assistance or have any questions about this please contact me at the details below.


Any views or opinion represented in this site belong solely to the authors and do not necessarily represent those of the University of Otago. Any view or opinion represented in the comments are personal and are those of the respective commentator/contributor to this site.