By: Jennie Delisi, Jay Wyant, Ken Rodgers, Kim Wee, David Andrews, John Israel, Microsoft Enterprise Disability Answer Desk.

We have all done it – clicked on a link too fast in an email. We don’t always take the time to:

• verify the sender is who we think it is, and
• check that the link goes to where we think it will go.

You are the first line of defense for phishing scams that target both personal and professional email accounts. When you receive emails asking you for sensitive information, payment, to log into your account, or to open an attachment, you must be sure it is safe to do so.

Instructions are easier to find for those with vision, and for those who use a mouse. But, what if you use a screen reader or an alternative access method like switches? If you write cybersecurity updates for your organization, how do you write instructions to ensure all employees can follow the directions, including those who use assistive technology (AT)?

Everyone should be able to stop phishing attacks. This month we tested methods for verifying email addresses of senders and URLs of links. The instructions below were verified using Outlook Office 365 Pro Plus (desktop application), Outlook 2016, our keyboard, and JAWS 2020.

And why the long list of contributors for this blog? When the Office of Accessibility reviews an issue, we validate the instructions or resources available online. This review often requires a team of internal, and in this case, external contributors, until we can solve any issues. A truly inclusive workforce means having solutions that work for everyone. Thank you to all the contributors that helped ensure we had solutions for both Office 365 Pro Plus and Outlook 2016!

Check Sender Email Address

For each of these instructions, the email must be open, not just in a reading pane.

Easiest Method

Inspect the email address itself, not just the name at the beginning of the contact.

For example, if it says it is sent from the Department of Health in the “From field,” review the actual email address because it could have something different than expected:

• It may end with gmx.com or other odd ending instead of a standard government email address.
• It may have the person’s name in the first half of the email address with a single letter misspelled.

But what if the contact name is there, but you don’t get the full email address available to inspect? For example, you may have stored their name in your contacts (the display name), but cannot see not their actual email address. Then use one of the following set of steps, based on your app’s version.

Office 365 Pro Plus Desktop Application

Using a Mouse

1. Hover over the sender’s display name to expose their email address.
2. Carefully read the email address and verify that it matches your expectations.

Keyboard option 1: check the Contact Card for the Email Address

1. Use Shift + Tab until you have focus on the reply button.
2. Shift + Tab one more time (this may not have focus).
3. Use Shift + F10 to open the context menu.
   1. You may have to select the email address in order to get this menu to appear, then open the context menu.
4. Select N to open the contact card where the email address will be displayed.
5. For screen reader users: once the contact card is open, use Tab to navigate to the email address.

Keyboard option 2: start a Reply to Review the Email Address

1. Select Reply (Control + R).
2. Use Shift + Tab to bring focus to the “To field.”
3. Check the email address in the “To field.”
4. Delete (or “discard”) the email draft.

Outlook 2016 Desktop Application

Review Email Address in Outlook Properties

1. Ensure the message header is available using Alt + H, A, 1, O, M. Note this is a toggle and only needs to be done once.
2. Use Shift + Tab from the message until focus is on the From address.
   1. If you are using a screen reader, and hear the person’s name but do not hear the word button after their name, you may need to Shift + Tab once more.
3. Shift + F10, then select Open Outlook Properties.
   1. Note if you get cut, copy, paste in this menu: use Escape, then Home. Repeat Step 3 to bring focus to the beginning of the From address.
   2. You may get an option for Open Contact Card – this will work as well.
4. Tab through the properties (or contact card) to the email address and review.
   1. For some screen reader users, you will need to go to the Actions button, navigate to the email button, then use Shift + Tab to review the email address.

Check the URL for a Link with Meaningful Text

Meaningful text for a URL helps many people, including those with cognitive disabilities and those using assistive technologies. An example of meaningful text for a URL is Links and Hypertext. The instructions below are not a reason to stop using meaningful text for links. We want to ensure that everyone can review a URL before using the link.

Some email services rewrite web links for security, marketing, tracking, or simplification purposes. These links may start out with a different domain name than the site you are visiting. For example, the URL for the Office of Accessibility blog post on accessible documents begins with mn.gov/mnit. If I copy it from a post in Twitter, it has a Twitter URL that begins with https://t.co.

In these cases, we advise that you not only check the URL before selecting the link, but also check the URL in the address bar of your browser after arriving at the destination site. In our examples above, they were safe URLs, but not all links you see will be. If you are at all unsure about the validity of a link you want to visit, you can enter it directly in the address bar of the browser yourself rather than selecting any links.

Using a Mouse

1. Hover over the link’s meaningful text to expose the URL.
2. Carefully read the URL to verify it is valid.

Keyboard option 1: copy link to another location to review

1. Use Tab to bring focus to the link.
2. Use Shift + F10 to open the context menu.
3. Use C, ENTER to copy the link.
4. Open another non-web location where you can paste the URL such as a blank new email or text file.
5. Use Control + V, T to paste a text version of the URL.
   1. The T may not be necessary if no paste options are revealed.
   2. Note: you may have to select Control again to expose the letter option: Control + V, Control, T
6. Inspect the URL to verify the address is where you expect it to go.
7. Delete the pasted location.

Keyboard option 2: create a reply or forward to review

1. Use Control + F to begin to forward the email.
2. Navigate to the link.
3. Control + K opens the Edit Hyperlink dialog.
4. If not automatically placed in the address field, use Tab to navigate to it.
5. Review the URL.
6. Delete the draft you have created.

What if I identify a phishing email?

If you are suspicious of the email, and this is a professional email account, report it! Follow your organization’s reporting process.

Want to learn more about cybersecurity and how you can protect yourself? Minnesota IT Services has /mnit/about-mnit/security/index.jspsecurity tips and resources.