Click Wisely

Click only links and files that are expected, and only from people you trust.

There is a reason so many cyber attacks start with a bogus email message: it works. This type of scam is called phishing, and the goal is to get you to click a fraudulent link, open an unsafe file, or give up personal information. The information below will teach you how to spot phony links and phishing scams, as well as how to report a phishing attempt.

Clicking Wisely

How to Read an Address

On the Internet, everything is just a simple click away. Unfortunately, links don't always go where they appear to go. The text of a link can say anything; only the address behind it tells you which website your browser will visit if you follow it.

Revealing the Address
Desktops: Hover your pointer over a link without clicking. The address appears in a box at the bottom of the window or next to the pointer, depending on your browser.

Mobile Devices: Press and hold a link until the address appears in a pop-up box. In most cases, you will also be given the option to follow the link, copy it, or open it in a new tab.
Reading the Address

The link's address shows where your browser will connect if you click the link. Knowing how to read the address is vital to making wise decisions about when to click. Read the domain name: the part of the address between the "://" and the next "/", ignoring anything before an "@" sign. That is the site your browser will actually contact, whatever the link text or the rest of the address says. If you have doubts, check with people you trust or do an internet search for the domain name. If you are still unsure, don't risk the click.


Spotting a Phish

Phishing can come in many different forms, from obvious-to-spot frauds to sophisticated deceptions, but they share some common characteristics. Before you click a link, consider if the message you are reading contains these suspicious attributes.

  1. A sense of urgency or a tight deadline
  2. Fear of losing money, or the promise of winnings
  3. Requests to verify accounts or credit card numbers
  4. Communication from services you do not use
  5. Unexpected PDF attachments from businesses
  6. Business messages sent from generic email providers rather than the company's own domain
  7. Poor grammar and spelling
  8. Confirmations that lack details, such as delivery locations or travel dates
  9. Any email claiming to come from the IRS
  10. Unexpected or out-of-character emails from people you know
  11. Files or links that require you to download additional software to view them
  12. Links that are close to, but not quite, the address you expect


Check it Out

Going to the Source

Many phishing emails alert you to an ominous problem with an account that requires urgent action. If a message asks you to follow a link and do something, a good general rule is to skip the link and go to the source. For instance, if the message says your example.com account has been suspended, ignore any links in the notification email and log into the service the way you normally would, by typing the address yourself or using a bookmark. If there is legitimately a problem, you'll be notified when you try to log in.


Check yourself before you wreck your... computer.

By reading an address you know that "example.com/harvard" and "harvard.example.com" are websites controlled not by Harvard, but by "example.com". Does that mean they can't be trusted? Not necessarily: many services we use at the university set up addresses in this way. If everything else seems legitimate, how can you check an address without following the link? Simple: do an internet search on the domain name. Searching for the domain will usually give you a good idea of whether it belongs to a real, relevant service. If you're still unsure, contact someone who would know. For instance, if the email was about employee benefits, you could contact HR.
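The address-reading rules from "Reading the Address" and the paragraph above, as an added example that is not code from the original page: a small Python script that breaks a link into the pieces that matter and reports which domain actually controls the site. The trusted domain harvard.edu, the sample links, the lookalike threshold, and the short public-suffix table are assumptions made for the example; example.com is the reserved documentation domain, not a real service.

```python
"""Added example: read a link's address the way the page recommends.

Given a link, report the host the browser will really contact, the
registrable domain that controls it, and the tricks to watch for: a
trusted name buried in a subdomain or path, an '@' sign hiding the real
host, a lookalike spelling, or an unencrypted http:// link.
All sample links here are constructed; example.com is the reserved
documentation domain, not a real service.
"""
from urllib.parse import urlsplit

# Short public-suffix table, an assumption for this example. A real tool
# would consult the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "edu", "co.uk"}


def registrable_domain(host: str) -> str:
    """Return the part of a host name that someone had to register.

    harvard.example.com -> example.com  (the site belongs to example.com)
    www.harvard.edu     -> harvard.edu
    """
    labels = host.lower().rstrip(".").split(".")
    # Try two-label suffixes (co.uk) before one-label ones (uk).
    for n in (2, 1):
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return host.lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'close, but not quite right' names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def describe_link(url: str, trusted: str = "harvard.edu") -> dict:
    """Break a link into host, controlling domain, path, verdict and warnings.

    `trusted` is the domain the reader expects the link to belong to
    (an assumption for the example).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    domain = registrable_domain(host) if host else ""
    warnings = []

    if parts.username is not None:
        # "https://harvard.edu@example.com/" connects to example.com; the
        # browser ignores everything before the '@' when choosing the site.
        warnings.append(f"text before '@' is not the site; browser connects to {host}")
    if parts.scheme == "http":
        warnings.append("plain http: the connection is not encrypted")
    elif parts.scheme != "https":
        warnings.append(f"unusual scheme '{parts.scheme}'")
    if any(label.startswith("xn--") for label in host.split(".")):
        warnings.append("internationalized (punycode) host: letters may only look familiar")

    name = trusted.split(".")[0]  # e.g. "harvard"
    if not host:
        verdict = "no website in this address"
    elif domain == trusted:
        verdict = f"controlled by {trusted}"
    elif name in host or name in parts.path.lower():
        # example.com/harvard and harvard.example.com are both example.com's.
        verdict = f"uses the name '{name}' but is controlled by {domain}"
    elif 0 < edit_distance(domain, trusted) <= 2:
        verdict = f"lookalike of {trusted}: controlled by {domain}"
    else:
        verdict = f"controlled by {domain}"

    return {"host": host, "domain": domain, "path": parts.path,
            "verdict": verdict, "warnings": warnings}


if __name__ == "__main__":
    # Constructed sample links, one per trick the page describes.
    for link in [
        "https://www.harvard.edu/benefits",
        "https://harvard.example.com/login",
        "https://example.com/harvard",
        "https://harvard.edu@example.com/login",
        "http://hardvard.edu/reset",
    ]:
        info = describe_link(link)
        print(link, "->", info["verdict"], "; ".join(info["warnings"]))
```

The verdict line is the one to read before clicking: a link can carry the word "harvard" in its path, its subdomain, or before an "@" sign and still be controlled by someone else entirely.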

"Why is my Dad suddenly using emoji?"

When an email supposedly came from someone you know, but it seems out of character, contact them using another method. Sometimes phishing schemes will use stolen accounts or forged email addresses. Trust your instincts. If something seems off, it just might be! Your skepticism can help protect your friends and co-workers. 

How to Report

Forward phishing emails to phishing@harvard.edu.

When we receive a suspected phishing email, we check it out to determine the risk. If it is a phishing attack, we may take any of the following steps:

  • Breaking dangerous links so they don't connect to unsafe webpages
  • Blocking malicious files from being delivered to inboxes in the future
  • Escalating the report to our security operations team to investigate compromised systems or accounts

Quick reporting from savvy people at Harvard has saved others in the past, so make sure to forward phishing to phishing@harvard.edu.

Infographic