Prevent Phishing
Be cautious of unexpected emails, texts or phone calls.
Phishing is a type of social engineering attack that involves tricking individuals into disclosing sensitive information or performing other actions that compromise security, by impersonating a trustworthy entity. These requests often come via email, text or phone calls. Here are some strategies you can use to recognize and report these attacks.
Recognizing a Social Engineering Attack
Social engineering involves tricking individuals into revealing confidential information or taking actions that compromise security. These attacks can happen through various channels, including email (phishing), text messages (smishing), phone calls (vishing), or malicious QR codes (quishing). To protect yourself, always pause and consider the following:
- Was I expecting this request? If not, verify its legitimacy by contacting the sender directly using their official contact details.
- Is this request unusual? If you’re being asked to do something out of the ordinary or perform a routine task in a different way, ensure you follow policy and procedures. If still in doubt, reach out to your manager.
- Does the request create urgency? Pressure to act quickly is a common tactic. Treat urgent or alarming requests with suspicion. For emails, use the “Report” button in the Outlook toolbar or forward them to phishing@harvard.edu. For suspicious calls, simply hang up.
- Am I being asked for sensitive information? Never share passwords, financial details, or private data over email or phone.
- Where does this link or QR code lead? Hover your mouse over links or preview QR codes to check the destination. When in doubt, access websites by typing the URL directly or using a trusted bookmark rather than clicking a provided link.
When in doubt: Report the email, delete the text, or hang up the phone call. Your caution helps protect everyone.
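The "Where does this link lead?" check above can also be applied mechanically to an HTML email body. The following is an added example, not part of the original page or Harvard's tooling: it extracts each link's real destination and flags links whose visible text names a different host than the href, or whose destination lies outside a list of trusted domain suffixes (the `trusted_suffixes` default and the sample email are assumptions constructed for the demo).

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

# Visible text that itself looks like a URL or bare domain (e.g. "https://key.harvard.edu")
_LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)

def _host(value):
    """Return the lowercase hostname of a URL or bare-domain string, or ''."""
    if "://" not in value:
        value = "http://" + value
    return (urlparse(value).hostname or "").lower()

def find_deceptive_links(html, trusted_suffixes=("harvard.edu",)):
    """Return (href, visible_text, reason) for each link that deserves a second look."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        real = _host(href)
        shown = _host(text) if _LOOKS_LIKE_URL.fullmatch(text) else ""
        if shown and shown != real and not real.endswith("." + shown):
            findings.append((href, text, "visible text names a different host"))
        elif real and not any(real == s or real.endswith("." + s) for s in trusted_suffixes):
            findings.append((href, text, "destination is outside trusted domains"))
    return findings

# Constructed sample: the first link displays a trusted-looking URL but points elsewhere.
SAMPLE_EMAIL = """<p>Your HarvardKey expires today. Sign in at
<a href="http://harvard-key-verify.example.net/login">https://key.harvard.edu</a>
or read the <a href="https://security.harvard.edu/">security page</a>.</p>"""

if __name__ == "__main__":
    for href, text, reason in find_deceptive_links(SAMPLE_EMAIL):
        print(f"{reason}: '{text}' -> {href}")
```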
Reporting Phishing Emails
When you report a suspected phishing email, our team carefully evaluates it to assess any potential risks. If we identify it as a phishing attempt, we may take several actions, such as: disabling harmful links to prevent them from leading to unsafe websites; blocking malicious files from reaching inboxes in the future; and escalating the incident to our security operations team to investigate any compromised systems or accounts. Thanks to prompt reporting from members of the Harvard community, we’ve been able to protect others from falling victim in the past!
You can report suspicious emails in two ways:
- Click the "Report" button in your Outlook toolbar. This will send the email directly to our IT team for investigation and automatically remove it from your Inbox to prevent further exposure.
- Forward the email to phishing@harvard.edu.
Your quick action helps keep everyone safe - thank you for staying vigilant!
Phish or Junk? Know the Signs!
Recognizing the difference between junk emails and phishing emails allows you to handle harmless spam on your own and only report truly suspicious messages, reducing unnecessary investigations. This helps IT teams focus their efforts on real security threats instead of sorting through benign spam reports. View this tip in a PowerPoint slide (HarvardKey required).
| Phishing Email | Junk Email | When in Doubt |
|---|---|---|
What To Do If You Engage With A Phish
If you accidentally click on a phishing link, open a suspicious attachment, or provide sensitive information in response to a phishing email, it’s important to act quickly. Notify the IT team as soon as possible by calling the Service Desk at 617-495-7777. Provide details about what happened and any information you shared. Do not attempt to rectify the situation on your own or interact further with the email. Follow the guidance of your IT/security team, who may ask you to change passwords, scan your device for malware, or take additional steps to secure your accounts and data. Prompt reporting helps contain the threat and minimize potential damage to you and the university.
