Click Wisely

Prevent Phishing

Be cautious of unexpected emails, texts or phone calls.

Phishing is a type of social engineering attack that involves tricking individuals into disclosing sensitive information or performing other actions that compromise security, by impersonating a trustworthy entity. These requests often come via email, text or phone calls. Here are some strategies you can use to recognize these attacks.

How to report phishing emails

Forward phishing emails to: phishing@harvard.edu.

Quick reporting from savvy people at Harvard has saved others in the past

When we receive a suspected phishing email, we check it out to determine the risk. If it is a phishing attack, we may take any of the following steps:

  • Breaking dangerous links so they don't connect to unsafe webpages

  • Blocking malicious files from being delivered to inboxes in the future

  • Escalating the report to our security operations team to investigate compromised systems or accounts

Recognizing a Social Engineering Attack

Social engineering attacks are manipulative tactics used by malicious actors to deceive individuals into divulging confidential information or performing actions that compromise security. These attacks often occur digitally via email, SMS text (smishing) or voice calls (vishing). Pause before taking action and follow these guidelines:

  1. Was I expecting this request? Always verify the legitimacy of an unsolicited request by contacting the sender directly.
  2. Am I being asked to do something new, or do something normal but in a new way? Ensure you follow policy and procedures. If still in doubt, reach out to your manager.
  3. Is this request creating a sense of urgency? If so, consider it suspicious. Report suspicious emails by forwarding them to phishing@harvard.edu, and if it's a phone call, simply hang up.
  4. Will resolving this require providing sensitive information such as a password, money, or data? Avoid giving out sensitive information over the phone or email.
  5. If I click this link, where is it taking me? Hovering over a link will display the URL, but it's best practice to open a new browser and visit the website by typing in the address or using a saved bookmark.
  6. When in doubt: Report the email, delete the text or hang up the phone call.

 

Verifying Links and Email Addresses

On the Internet, things are not always as they appear at first glance. Some links hide their true destination. Some email addresses are chosen to impersonate other senders. Careful reading of these addresses can help us spot the scams.

Revealing the Address

Desktops

Hover your pointer over a link without clicking. The address will pop up in a box at the bottom of the window or next to the pointer, depending on your browser.

Mobile Devices

Press a link and hold it until the link appears in a pop-up box. In most cases, you will be given the option to follow the link, copy it, or open it in a new tab.

Verify the Sender

Look Closely at the Sender’s Email Address

By default, Outlook and Gmail only show the display name of the sender. To read the full email address, try the following:

Mobile device? Tap the sender’s name.
Computer? Hover the mouse over the sender’s name.

If it looks suspicious, contact the sender via text, phone, or a different, trusted email address to confirm the message's validity.

Check Without Clicking, Go to the Source

Services

If you receive an unexpected email about a lost package, security warning, or billing change, don’t click the link. Simply visit the online store or service the way you normally would. If there is really an issue, you’ll see a notification there.

People

If you receive an out-of-the-ordinary request or instruction from someone you know, make sure it’s really them. Call, text, or go face to face. Don’t email to confirm, as their email may be compromised without them knowing.

News/Entertainment

If someone sends you a link to the latest viral video or interesting bit of news, you can skip the link and use a search engine to find the content in a safer way.