This message was sent to Central Administration staff on Friday, December 9, 2022:
Dear Colleagues:
Phishing attacks are increasing in sophistication and frequency, and have become the greatest threat to our privacy and security today. Cybercriminals use email and text messages to pose as trusted sources to trick you into revealing passwords, installing malicious software, and/or providing personal information – all of which often lead to financial loss.
To help our community better recognize phishing emails, Harvard’s Information Security and Data Privacy (ISDP) office will begin sending simulated phishing emails to Central Administration staff next week.
You will receive a simulated phishing email approximately once a month, and they will be modeled on actual phishing attempts seen at the University:
- As with any phishing attempt, you should forward it to phishing@harvard.edu. You will then receive a reply indicating whether the email you reported was a simulation.
- If you click any of the links in the simulated phishing message, you will see a page that reassures you that this was just a simulation and highlights the warning signs to watch for in the future.
The intent of this program is to provide staff with experience identifying and reporting phishing emails in a safe environment, in addition to gathering valuable metrics to help improve our security services. The University will not:
- Send “gotcha” emails using messages more sophisticated than we typically receive
- Directly impersonate Harvard departments or services
- Report the identities of those who click
- Assign mandatory training or take punitive action against those who click
We all have a role to play in keeping our systems and data secure. Simulated phishing is a safe and effective way to become familiar with tactics used in actual phishing attempts. You can find more information about the program on the ISDP website.
Sincerely,
Meredith Weenick
Executive Vice President
Klara Jelinkova
Vice President and University Chief Information Officer
Michael Tran Duff
University Chief Information Security and Data Privacy Officer
FAQs
How can I spot a phishing email?
While phishing can take many forms, there are a few common signs that an email may be a scam:
- Urgent-sounding messages that attempt to scare you into immediate action
- Overly generic messages that require opening links or files to learn more
- A message that asks for personal or account information, or to send money, even if the email appears to be sent from a person and email address that you recognize
What happens when I report a phishing email?
When you forward an email to phishing@harvard.edu, Harvard Information Security and Data Privacy (ISDP) will assess the risk and take the appropriate actions based on that risk. For instance, they may block access to a malicious link or quarantine a message system-wide so that others will not fall victim to the same phishing attempt.
What should I do if an email seems suspicious, but I’m not sure if it is phishing?
- Do not open any links or attachments in the email.
- Go to the source to verify the email's legitimacy. Call or text the sender, or visit the sender’s official website through your browser or app.
What should I do if I think I’ve fallen for a phishing scam?
Please report the incident to ISDP immediately.