Guidelines for Writing Emails that Don't Look Phishy

If you need to send an email on behalf of a university unit or office, follow these guidelines to help you make it clear that your message is legitimate and not a phishing scam. In general, make it easy for people to verify the sender, the URLs, and the content of the message so they can feel confident it is an official communication.

Make It Easy to Verify the Sender

Recipients will want to know whether the message is from a legitimate source. Help them by paying attention to the following:

From address. Give your recipients as many clear indicators as you can that the message is safe. The From address should:

  • Be associated with your office or unit. In most cases, it should include the name of your unit or office.
  • End in the appropriate domain for your campus (@umich.edu for all campuses, @med.umich.edu for Michigan Medicine, @flint.umich.edu for UM-Flint, and @umd.umich.edu for UM-Dearborn).
  • Have a profile or entry in MCommunity or in a campus-specific directory (such as the Michigan Medicine Exchange directory). In MCommunity, it is helpful to provide information about the use of the address in the Notice or Description section of the group profile.
  • Be listed as a contact address on your website.

Signature. Include a signature line in the message. Recipients should be able to search for the person's, unit's, or office's name to verify it and find more information.

  • Search results for the person's name should include an MCommunity Directory entry or information on a U-M website. 
  • Search results for a unit or office name should include the official U-M website for that unit or office.
  • Spell out the full unit or office name, and check that it is spelled correctly.
  • Provide an email address or phone number that recipients can contact if they have questions.

Branding elements. Use appropriate logos, wordmarks, and other U-M branding elements. These are available, along with guidelines for use, at U-M Office of Communication Brand Standards. You will need to log in with your uniqname and UMICH (Level-1) password to download U-M branding elements.

Write a Clear Subject Line

Spend extra time on your subject line. Make very clear what the email is about and why people should open it. Keep it brief and informative.

Make Link Locations Clear

Make it easy for recipients to check the location of any URLs linked in your message.

Avoid short URLs. These look suspicious because they hide the real web address. If you must use a shortened URL in a university email, make the destination clear. URL shorteners for official university business are available. See Shortened URL Security Tips.

Use descriptive link text with the full URL. In emails and on web pages, it is best to use descriptive link text with the full URL behind it. The descriptive text lets people know where they will go if they click. Never label a link with "Click here," because it does not tell people where the link will take them. Using descriptive link text is also a recommended best practice for accessibility, because it provides people who use screen readers with clear, complete information.

We recommend that people hover over links in email with their mouse so they can see if the URL looks legitimate and matches what is described in the link text. Write your message so recipients can do this.

Give navigation instructions where applicable. Let people know the name of the website they are being asked to visit and where to go once they get there. If you are asking people to follow a procedure, include a link to detailed instructions.

If login is required, say so. Let people know if they will be prompted to log in (for an example, see the Branding elements note above). 
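A pre-send check for the From-address and link guidelines above, added here as an example; it is not part of the original guidelines or any U-M tool. Only the four campus domains come from this page; the shortener list, vague-text list, rule names, and sample draft are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Domains listed in the From-address guideline on this page (exact match).
CAMPUS_DOMAINS = {"umich.edu", "med.umich.edu", "flint.umich.edu", "umd.umich.edu"}
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co"}   # assumption: sample list only
VAGUE_TEXT = {"click here", "here", "this link"}  # assumption: sample list only
HOST_IN_TEXT = re.compile(r"(?:https?://)?((?:[\w-]+\.)+[A-Za-z]{2,})")

class LinkCollector(HTMLParser):  # collects (href, visible text) for each <a>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def lint_draft(raw):  # (rule, detail) findings for a single-part draft with an HTML body
    msg, findings = message_from_string(raw), []
    sender = parseaddr(msg.get("From", ""))[1]
    if sender.rpartition("@")[2].lower() not in CAMPUS_DOMAINS:
        findings.append(("from-domain", sender))
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if host in SHORTENERS:
            findings.append(("short-url", href))
        if text.lower().rstrip(".!") in VAGUE_TEXT:
            findings.append(("vague-link-text", text))
        shown = HOST_IN_TEXT.search(text)   # a hostname displayed as the link text
        if host and shown and shown.group(1).lower() != host:
            findings.append(("text-href-mismatch", f"{text} -> {href}"))
    return findings

SAMPLE = """From: Example Office <example-office@umich.example.com>

<p><a href="https://bit.ly/abc123">Click here</a> or sign in at
<a href="https://login.example.net/">example-unit.umich.edu</a>.</p>
"""  # constructed sample draft, not a real message
```

Running `lint_draft(SAMPLE)` flags all four problems in the constructed draft, including the lookalike sender domain that merely contains "umich".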

Refer to Supporting Information

Where applicable, refer to supporting information on U-M websites. It is especially helpful to provide information that members of the U-M community are familiar with and used to consulting. If recipients receive email about a service provided by Information and Technology Services (ITS), for example, they will expect to find supporting information on the ITS website that they can use to corroborate the legitimacy of the message. 

Don't Ask for Sensitive Information in Email

Do not ask people to send sensitive information to you through email. Passwords, for example, should never be sent via email. If you must ask people to verify something, provide instructions for using a secure method to do so and be sure to reference existing instructions on an official university website. 

Be Professional, Write Well

We tell message recipients to be suspicious of poorly written emails with grammatical and spelling errors. Email sent on behalf of the university should be well written with no errors.

If a Third-Party Vendor Sends Email

If your unit contracts with a third-party vendor for a university service, and the vendor sends email to members of the U-M community, work with the vendor to help ensure that U-M recipients can verify the legitimacy of the message.

  • Consider contacting message recipients before the vendor sends email to let them know what to watch for and why.
  • Publish a page on your website describing the communication so recipients can find further information if they check.
  • Ask the vendor to include clear information about the relationship of the service to the University of Michigan, as well as the U-M office recipients can contact if they have questions. Ideally, the message will include information about how to verify its legitimacy.
  • Work with Information Assurance to add information about your email to our Legitimate Email that Might Appear Phishy page. We will also make sure the ITS Service Center knows about the email so they can help members of the U-M community who call them with questions about the email's legitimacy. Contact us by sending email to info-assurance@umich.edu.