20 Second Rule for Email


Cyber criminals are taking advantage of the confusion while companies adjust to new remote workforce models. They are sending emails that promise vital information about staying safe but are, in reality, scams that push malware, ransomware, and misinformation, and attempt to steal passwords and other private information.


Use the 20 second rule for washing your hands and for evaluating emails. Spend four seconds on each of the points below to ensure your inbox stays squeaky clean.

  • Don’t share personal information. Emails that request your Social Security number, login info, or other personal information usually are associated with phishing attacks. Legitimate organizations typically don’t request that type of information via email.
    • As a general rule, never respond to emails with any type of personal data unless you can verify the requestor is legitimate outside of email, such as with a phone call or text from the number listed on their website (don’t automatically trust the contact info in the email).
  • Check the email address. Verify that the email address matches the display name. Be especially careful when checking emails from your phone or tablet as they typically only show the sender’s name, not the full email address, at the top.
    • If you do not recognize the email address, or it seems suspicious, ask your IT Department how you should handle it.
  • Watch for spelling and grammatical errors. If the email includes spelling, punctuation, and/or grammar errors, those are red flags that indicate the email is not legitimate.
  • Look for generic greetings. Phishing emails typically are not personalized, instead aiming at a broader audience. If there is no greeting, or a generic one such as “Dear sir or madam”, that’s a sign to look at the email in more detail to verify its validity.
  • Don’t act on that sense of urgency. Emails that demand immediate attention, such as the threat of legal action, are designed to make you panic and proceed before thinking it through. If an email makes you say, “Oh no!”, it’s best to take a step back and reevaluate.
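
For IT teams, the "Check the email address" point above can be partly automated. The sketch below is an added example, not part of the original article; the contact directory, the finding labels, and the sample messages are all constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
import re

# Hypothetical directory: display names you know -> the domain they really use.
KNOWN_SENDERS = {"jane smith": "example.com", "it help desk": "example.com"}

# An email address typed into the display-name field.
ADDRESS_IN_NAME = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

def check_sender(raw_message, known_senders=KNOWN_SENDERS):
    """Return a list of findings about the From header of one raw message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    address = address.lower()
    domain = address.rpartition("@")[2]
    findings = []

    # The name field itself shows an address, but not the one that sent the mail.
    # This is what a phone or tablet displays when it hides the real address.
    shown = ADDRESS_IN_NAME.search(display)
    if shown and shown.group(0).lower() != address:
        findings.append("name-shows-other-address")

    # A familiar name arriving from a domain that person does not use.
    expected = known_senders.get(display.strip().lower())
    if expected and domain != expected:
        findings.append("known-name-wrong-domain")
    return findings

# Constructed sample messages (not real mail); all domains are reserved test names.
SAMPLES = {
    "legitimate": "From: Jane Smith <jane.smith@example.com>\nSubject: Policy\n\nHi",
    "lookalike": "From: Jane Smith <jane.smith@example-payroll.test>\nSubject: Urgent\n\nHi",
    "address_in_name": 'From: "helpdesk@example.com" <alerts@mail.example.net>\nSubject: Reset\n\nHi',
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(label, check_sender(raw) or "no findings")
```

A clean result only means the name and address agree; the other four points still apply.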


What’s happening during COVID-19?

These malicious people are acting as if they are from legitimate organizations, perhaps ones you already know, providing information about COVID-19.

These emails might:

  • Include attachments claiming to have the latest information and statistics
  • Link to news websites that require you to log in before you can access content
  • Pose as one of your coworkers or your leadership team sharing new policies designed around your organization’s COVID-19 response

Need more info? Talk to your IT Department or learn how our cybersecurity experts can help.