91ºÚÁÏÍø

The information included in the top section of the email (From, To, CC, BCC, Subject) gives the first impression. Make it a good one.

• People tend to be more suspicious of emails from non-VU addresses (as they should be). Send emails from a university address (@vanderbilt.edu), where possible.
  
• Sending emails from an external address is sometimes necessary. For example, many campus offices use 3rd party products and services, such as Oracle, Box.com, SerVU, etc., and it can be necessary to send emails from the product/service to notify users. In these cases,
  • Take extra care in constructing the body of your email. Include context and references.
  • Consider sending an awareness message from a university contact or leader first, letting people know that it is coming and is legitimate.
    
  • If it is going to be a mass email sent campus-wide, contact cybersecurity@vanderbilt.edu for more specific guidance.

Remember, just because it is from @vanderbilt.edu does not guarantee it is legitimate. Conversely, all emails from an external address are not inherently malicious. 

• Include a clear subject line. Do not leave it blank.
• Use BCC sparingly. Understand that using BCC, where all recipients are hidden, can increase suspicion. It can be incredibly helpful for avoiding reply-all mistakes or protecting recipient privacy, so sometimes it is warranted. If used, be sure to put extra thought and care into the body of the email message so that it has clear and meaningful explanation and context.

A poorly written email message, or body, is more likely to raise suspicion. 

• Always address your recipient, preferably using their name (e.g., Good afternoon, Jane). Try not to use generic intros such as Dear Sir or Madam.
• Write something. For example, don't include an attachment but leave the message completely blank. Give explanation and context, especially if it is a message that the recipient is not expecting. State the purpose clearly and provide contact info for who they can reach out to if they have questions.
• URLs: Links are sometimes unavoidable and are not innately bad. But they can also raise suspicion. If you need to include links, use them wisely.
  • Where possible, point to a university page or subpage (vanderbilt.edu).
  • If the link is to an external site,
    • Spell out the link entirely so recipients can more easily see where they lead.
    • Consider not making the link active, or clickable, so recipients can navigate themselves if they chose.
    • Provide alternate navigation instructions.
      • "Don't like clicking links? Go to 91ºÚÁÏÍø's website and search "cybersecurity"."
  • Avoid linking certain types of sites:
    • Sites that are not SSL (http instead of https), or
    • An IP address (https://129.xx.xxx.xxx).
• Attachments: Similar to URLs, sometimes attachments are necessary. When used,
  
  • Avoid using in mass emails. These can sometimes be system flagged as spam or phishing.
  • Make sure they are appropriately and accurately titled (e.g., Document1.docx is generic and suspicious).
  • Avoid attaching certain file types (e.g., .exe, .html, .vbs, .scr, .cmd, .js)
  • Instead of an attachment, consider posting the document in a university cloud storage location (e.g., OneDrive) and give navigation instructions.
• DO NOT ask for the recipient to reply with sensitive info via email. If such info is needed, request a phone call or reference a location where they can enter that info safely.
  
• Use spell check and proofread your message.
• At the end of your email, include a signature. Even better, include a signature with your/your offices credentials to add professionalism and legitimacy, such as the one below:
  
  • 

• Phishing Guidance
• Student Scam Protection Tips