Phishing Simulation Program

When it comes to spotting phishing emails, we believe practice makes perfect. Our phishing awareness and reporting exercises are designed to give the Harvard community experience in identifying and reporting simulated phishing messages. We do this so when real phish show up in your inbox, you’ll know exactly what to do.  

 

Why are we doing this? 

Phishing is the single greatest threat to our digital privacy and security today. 

While our security tools block millions of these phishing messages each month, there will always be some that make it through and into your inbox. You are our best defense against these messages. Recognizing phishing prevents it from harming you, and your reports prevent phishing from harming the community. Phishing awareness and reporting practice will help keep us alert and ready to respond to these threats.

 

These exercises will: 

  • Deliver simulated phish based on actual phishing attempts found at the University
  • Give our community experience in identifying and reporting phishing emails
  • Reward consistent reporters
  • Provide an evidence-based understanding of our community’s phishing risks 

 

These exercises will not: 

  • Send “gotcha” emails using messages more sophisticated than we typically receive.
  • Directly impersonate Harvard departments or services.
  • Report the identities of those who click.
  • Assign mandatory training or take punitive action against those who click.

 

What to expect 

Email users should expect to receive a simulated phish once per month. Like any suspected phishing message, it should be forwarded to phishing@harvard.edu. You will be notified that the phish was a simulation. 

If you miss it and accidentally click, you’ll see a page that reassures you it’s just practice and highlights the warning signs to watch out for next time. Close that page and forward the message to phishing@harvard.edu anyway. After all, it’s good practice.

 

Have questions? 

If you’d like more information on identifying phish, resources are available to you here. If you have questions, concerns, or comments about our Phish Reporting exercises, please contact the Standards and Outreach team via help desk ticket.
