Jonathan Crowe
Oct 2016

How to Write Security Emails Users Will Actually Read

Photo by Scott McLeod

Editor's note: This post is an excerpt from our new free guide, The Amazing Security Awareness Playbook.

Okay, IT admin, you just caught wind of a ransomware campaign making the rounds. Attackers are sending out waves of phishing emails with infected Word doc attachments disguised as legitimate invoices. Once opened, victims are getting all of their files encrypted.

You think about what might happen if an employee at your company gets one of those phishing emails. Truth be told, you're less than confident.

For one thing, you've heard the vast majority of ransomware victims were running antivirus when they got hit, so you're not crazy about relying on your AV to stop an attack if one does get triggered.

For another thing, you do have backups you can hopefully use to recover encrypted files, but it's been a while since you tested them, and you really don't want to put all your eggs in that basket, either.

You'd obviously love to avoid dealing with an attack altogether, so as an extra measure of prevention you decide to draft up an email to warn your users:

Subject: New Security Alert — Be on lookout for ransomware-infected Microsoft Office docs

A new malicious email campaign is infecting victims with ransomware, a dangerous type of virus designed to encrypt your files and hold them for ransom. Criminals are hiding the virus in attached Microsoft Office documents disguised as invoices. When you try to open the attachments they encourage you to “enable macros,” which will actually allow the virus to infect your machine.

Once the infection starts it only takes minutes or even seconds for your files to be encrypted, at which point a ransom screen will appear with instructions for supplying payment in exchange for the decryption key. What makes this latest virus especially dangerous is that it also encrypts shadow copies of your files, which makes recovering them even more difficult.

To avoid losing access to your files and putting you and your colleagues at risk of downtime, do not open any invoice attachments from senders you don’t know.

If you open any Microsoft Office documents that ask you to enable macros, close them and contact me immediately.

Thank you,
Your friendly, tireless, vigilant IT person

Direct, informative, and to the point, right? It may not be the same as putting everyone at your company in a ransomware-proof bubble, but at least you did something.

Then you wait. Sure enough, three days later, one of your users lets you know their computer is acting funny and they can't access their files. And how did the infection start? You guessed it — by opening a fake invoice doc.

Really? How did they fall for this? Didn't they read your email?

The answer is no. Or not really. If anything, maybe they skimmed it. To them, it probably looked something like this:

Subject: Another non-urgent, overreactive email from IT

Hi all,

Guess what? Something that doesn’t really impact you. Blah, blah, blah. Jargon, jargon, jargon. Something about “shadow” something-or-other (Game of Thrones reference?).

In short: Don’t be dumb.

Wrapping up, here’s something I’m going to stress that you do, but, really, just get around to it when you have time. Maybe later, after you finish the hundred other things you have to do today...

Mr./Ms. Scolds-a-lot

5 Tips for Writing Security Emails that Actually Get Read

In an ideal world, email alerts are easy and effective ways to notify your users about new security threats, updates, and other relevant news. In the real world, well, we have to be realistic.

You may see your emails one way. Users may interpret them differently. You have to keep in mind they're also reading them (or not reading them) in the context of all the other messages filling up their inboxes.

The good news is by stepping back to see your emails from a user's perspective, you can change the way you write them to make them more relevant and effective. Here are five tips to get you going on the right track:

1) Be selective with the emails you send

Before you hit send, ask yourself three questions:

  • Is email the best way to deliver this message? (Would a phone call or quick face-to-face be more effective?)
  • Does the email have a clear point that’s going to yield a measurable result?
  • Is it actually going to be valuable to users?

Remember, your users’ inboxes are just as full as yours. Before you add to the pile of unread messages, make sure any emails you send are truly necessary and valuable. Otherwise, users are going to quickly learn to pass over them for the emails that are. And once that pattern develops it’s an increasingly difficult one to break.

2) Keep it short and to the point

Your emails need to be clear, relevant, and actionable. It all starts with your subject line, which should strike the right balance of urgency and let users know exactly what to expect.

When users open your emails, they should be able to immediately understand three things:

  • what the email is about
  • why they, personally, are receiving it
  • what they need to do next

Tip: Show your users you value their time by leading off emails with a short list of key takeaways or a “1-minute version” with the most important information listed at the top.

3) Learn how to speak “end user”

Your users may be more or less tech savvy depending on your organization. In general, though, it’s a good idea to keep it simple and skip the jargon. When it comes to security emails, covering technical details should often take a back seat to clarifying what the direct impact is for users and what they should do next.

Think about who you’re writing for. What’s important to them personally and in their day-to-day jobs? You'll find a worksheet to help you surface those things included in the Playbook download.

4) Get actionable

Sending an email without a good call to action is like choosing to stand instead of walk on a moving sidewalk. You’ll get to where you’re going eventually, but you’re kind of missing the point.

Calls to action don’t have to be (and in many cases shouldn’t be) a big ask. But by asking your users to do something — even if it’s as simple as replying back with a quick thumbs up/down — you’re making them active participants rather than passive recipients.

Not only will that increase the chances of your information actually sticking with them, it will also get you in the right mindset of focusing on what you actually want to achieve with your emails.

5) Use visuals

The fact is we’re visual creatures — images grab and hold our attention much better than blocks of text. They’re also much more efficient at walking people through steps and processes that would otherwise take multiple paragraphs to explain.

Example in Action

With those tips in mind, let's go back to our ransomware alert example and see what a more user-friendly version might look like:

Subject: ACTION REQUIRED: 1min change to avoid dangerous virus infection

Hi all,

Note: This email skips the blah and cuts right to the chase, so please read carefully.

  • A nasty computer virus is infecting people via fake invoices and Word docs.
  • Once infected, you lose access to your files and can cause others to be infected, too.
  • This virus has already cost companies like ours millions of dollars.

What to do:

Step 1: Take 1 minute to confirm Microsoft Office macros are disabled

  • Open Word and click the Microsoft Office Button. Then click Word Options.
  • Click Trust Center, click Trust Center Settings, then click Macro Settings.
  • Confirm that “Disable all macros without notification” is checked.

Step 2: Reply back to this email with “Done”

  • I’ll be following up individually with anyone who needs help or doesn’t reply back by EOD.


Do not open invoices or Word attachments from senders you don’t know. Can you imagine losing access to all your files? Take 2 seconds to notify me, instead.

Need your help:

If you open any Word doc and it asks you to “enable macros” or “enable content” (see example below) close the document and notify me immediately.

If a Word doc looks like this, close it and notify me.

[Image: screenshot of a Word document asking the user to enable macros]

Thanks very much for your help!

PS: Don’t forget to reply back with “Done” once you’ve confirmed macros are disabled.

Next Steps

Using these tips will help make your emails more scannable and actionable, but you shouldn't stop there. The majority of today's cyber attacks target users and their endpoints. That makes training them to recognize potential threats and report incidents quickly more important than ever.

The truth is you don't need to hire a team of consultants or experts to train your users to be more security conscious. There are plenty of effective programs and initiatives you can develop to raise security awareness, yourself.

If you're looking for tips on how to get started, check out our new Security Awareness Playbook. It's full of advice on handling the most common problem areas (using and re-using bad passwords, falling for phishing emails, etc.), and it includes worksheets and checklists to help you figure out what your top user awareness priorities are and how to start tackling them.

One Last Thing...

As long as you're working with users, there's always going to be the risk of one of them making a mistake, right? Security awareness training is one lever you can pull to reduce that risk, but there are others that are equally important and that center around things you can actually control. Find out what they are in our blog post "4 Ways to Prepare for User Mistakes".

Jonathan Crowe

Jonathan covers the latest threats and cybersecurity trends from a practical perspective.

