Links in Emails: Guidance

The Information Security Office offers this guidance on the judicious use of links in email, hosted on MyCampusPortal:

https://mycampus.maine.edu/group/mycampus/iso-links-and-attachments

It is recreated here for your convenience.

Details 

Guidance on email links and attachments, and mass emails.

Phishers rely on email to deliver malicious links and attachments in order to harvest credentials. This is especially effective because legitimate people and services still rely on email to send perfectly valid links and attachments to multiple recipients. It becomes increasingly risky to open /any/ link or attachment, and vigilance is required even when links appear to point to trusted locations such as the UMS or campus portals, MaineStreet, or Blackboard.

Mass emails are still the primary method of distributing a single communiqué to multiple recipients. The University discourages placing links or attachments in unsolicited mass emails. Because of the dangers of phishing, we instruct faculty and staff not to click on links or open attachments in any email that leaves room for doubt. Therefore, if you send emails with links or attachments, you may confuse readers, encourage risky behavior, or get less than desirable readership, because vigilant employees likely won't read the material.

However, this is not an absolute. We have seen that while many attackers add logos or use other masquerading techniques, most do not perform enough reconnaissance to add much context to their emails. With sufficient context, links or attachments can be used effectively.

If you must include links and attachments in your emails, adopt the following precepts:

  • Let your prose make up the initial text body of the email, providing context to help recipients understand that your link is legitimate. Don't use a link where the online location of the resource can simply be described. The email should contain content that is specific and familiar to add credibility.

  • Put brackets "[.]" around the dot between umaine and edu. This prevents recipients' browsers or email programs from automatically turning the text into a clickable link. Recipients may have to retype the URL, or copy and paste it and remove the brackets, but it keeps people more vigilant.

  • If you don't want folks to discard your email as a matter of course, don't use HTML or rich text to rename hyperlinks to something like "click here": the Mail Scanner will add a red warning message. While that warning will alert people to be more vigilant, and some people know how to read the real URL shown in the lower corner of their browser, others won't trust the link and will delete the email.

  • If the emailed link points to a location that requires a login (such as behind the portal, MaineStreet, or Provant), ask the user to sign in to that place first (without using a link) before they click on the link. Otherwise, when they click the link they will land on the login page, and the email will certainly resemble a credential harvesting scheme.

  • Remember, phishers will attempt to trick you. For example, http://www.maine.edu/about-the-system/ is likely valid, but http://www.maine.e.du/about-the-system/ is not; notice "maine.e.du", which could be a malicious domain.
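As an added illustration (not part of the original guidance and not a University tool), the following Python puts two of the points above into code: defanging a URL with "[.]" so mail clients will not auto-link it, and comparing a link's hostname label by label against trusted domains so that lookalikes such as maine.e.du, or maine.edu glued onto some other domain, are rejected. It also flags a link whose visible text shows one host while the real href points elsewhere. The trusted domain list is taken from the page; example.test in the checks is a constructed placeholder.

```python
from urllib.parse import urlsplit

# Domains the guidance treats as trusted (from the page). Assumption: a real
# deployment would maintain this list centrally, not hard-code it.
TRUSTED_DOMAINS = ("maine.edu", "umaine.edu")


def defang(url: str) -> str:
    """umaine.edu -> umaine[.]edu in the host part only, so mail clients
    do not turn the text into a clickable link (as the guidance advises)."""
    parts = urlsplit(url)
    # A bare "umaine.edu/path" has no scheme, so its host is the first segment.
    host = parts.netloc if parts.netloc else url.split("/", 1)[0]
    return url.replace(host, host.replace(".", "[.]"), 1)


def refang(text: str) -> str:
    """Reverse of defang(): umaine[.]edu -> umaine.edu."""
    return text.replace("[.]", ".")


def host_is_trusted(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the hostname IS a trusted domain or a subdomain of one.
    Substring or startswith checks would accept maine.e.du or
    maine.edu.example.test; matching DNS labels from the right does not.
    Note that urlsplit().hostname already drops any user@ prefix, so
    http://maine.edu@example.test/ resolves to example.test here."""
    try:
        host = (urlsplit(url).hostname or "").rstrip(".").lower()
    except ValueError:  # malformed URL (e.g. broken IPv6 brackets)
        return False
    if not host:
        return False
    labels = host.split(".")
    for dom in trusted:
        dom_labels = dom.lower().split(".")
        if labels[-len(dom_labels):] == dom_labels:
            return True
    return False


def displayed_url_mismatch(href: str, display_text: str) -> bool:
    """True when the visible link text looks like a URL but names a different
    host than the real href: the spoofing pattern the Mail Scanner warns about.
    Plain text such as "click here" is not a URL and is never flagged."""
    shown = refang(display_text.strip())
    if "://" not in shown:
        shown = "http://" + shown
    shown_host = urlsplit(shown).hostname or ""
    if "." not in shown_host or " " in shown_host:
        return False
    return shown_host != (urlsplit(href).hostname or "")
```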

 

Details

Article ID: 134183
Created: Thu 7/8/21 6:20 AM
Modified: Wed 2/1/23 4:04 PM
Applies To: Students, Faculty, Staff