Sense of Urgency and a Demand for Immediate Action

Click Wisely
Linking is everywhere, but some clicks are riskier than others. Be smart about what links you choose to follow and what files you choose to open.
When you think of cyber criminals, what do you picture? The mind paints an image of cascading green code and fingers feverishly submitting commands line by line against an unsuspecting victim. While there are kernels of truth to this hacker mythology, much of what we consider cyber crime is far less sophisticated. Many cyber crimes begin with a simple fraudulent email hoping to trick a user into giving up account information or installing a file. We call this sort of email a phish. Because of its ease of use and high success rate, it has become a common tool in every cyber criminal’s toolkit.
Clicking a link in a phishing email can lead to several unpleasant outcomes. You might be sent to a page that looks exactly like your Harvard login page or online banking portal but is controlled by cyber criminals. Anything you type will be sent to them. Even if you don’t type anything in, some phishing sites contain malware that can infect your computer simply by visiting the page. File attachments are another risk, as malicious code can be hidden in many innocent-looking files.
The risk of phishing is real, but a little skepticism goes a long way in outsmarting cyber criminals. When you see a link or a file, follow this advice.
Slow down. There is no phishing 5-second rule and the back button isn’t an undo button.
Read the URL. Anything can be made into a link, but the URL will show you where that link goes. On a computer, you can hover over the link and the URL should pop up. On a mobile device, press and hold the link to see the URL. If the link says one thing and the URL says something else, this is a good reason to be suspicious.
Check the Sender. Where is the email coming from? Read the domain at the end of the email address. If it doesn’t match up with what you would expect, that’s another sign of fraud. Maybe you trust the sender, but the message is out of character. Call them up; someone could be using their account to send phishing messages!
Be Skeptical. If something seems off, trust your instinct. If the message says it’s coming from HR, call and check. Don’t be afraid to delete an email that looks phishy.
While the bad news is that phishing is common, the good news is that most of it is easy for a savvy person to spot. And now that you’ve read this, you’re savvy enough to spot them too.

Common Phishing Traits
  • Sense of urgency and a demand for immediate action
  • Short messages, e.g. “Check out this file.” or “Here you go! ;)”
  • Obvious grammatical errors
  • Threats of penalty or promises of monetary gain
  • Requests to confirm account numbers

How to Read a URL
URL stands for Uniform Resource Locator. The part you should look for is the domain name. In the URL the key part is “harvard.edu”. A common trick for cyber criminals is using a close, but not quite right, URL. This might include “harvard.something.com”, “something.com/Harvard” or “Harvard.edu.something.com”. Be skeptical of these types of links and make sure you know the real site you are visiting before you choose to click.
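The same reading of a URL can be done in code. The sketch below is an added example, not part of the original page: it parses out the host and sorts a link into "trusted" or one of the three lookalike forms named above, and also flags a link whose visible text names a different host than its real target. The function names and verdict labels are assumptions made for illustration, and the sample URLs are constructed from the page's own placeholders.

```python
from urllib.parse import urlsplit

TRUSTED = "harvard.edu"  # the domain the page uses as its example

def _split(url):
    # Links are often written without a scheme; add one so the host parses.
    return urlsplit(url if "://" in url else "http://" + url)

def host_of(url):
    """Lower-cased hostname of a URL, without any trailing dot."""
    return (_split(url).hostname or "").rstrip(".")

def classify(url, trusted=TRUSTED):
    """Return 'trusted', one of the page's lookalike forms, or 'untrusted'."""
    host = host_of(url)
    brand = trusted.split(".")[0]  # "harvard"
    # Trusted only if the host IS the domain or ends with ".<domain>".
    # Matching on the dot boundary keeps longer names that merely end
    # in the same letters from passing.
    if host == trusted or host.endswith("." + trusted):
        return "trusted"
    # "Harvard.edu.something.com": real domain placed in front of another one.
    if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
        return "lookalike-prefix"
    # "harvard.something.com": brand name used as a subdomain label.
    if brand in host.split("."):
        return "lookalike-subdomain"
    # "something.com/Harvard": brand name appears only in the path.
    if brand in _split(url).path.lower():
        return "lookalike-path"
    return "untrusted"

def link_mismatch(visible_text, href):
    """True when the link text names a host different from the real target."""
    shown = host_of(visible_text)
    return "." in shown and shown != host_of(href)

if __name__ == "__main__":
    # Constructed samples built from the page's placeholder names.
    for sample in ("https://www.harvard.edu/login", "harvard.something.com",
                   "something.com/Harvard", "Harvard.edu.something.com"):
        print(f"{sample:35} -> {classify(sample)}")
```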
At Harvard
Phishing is very common, and for the most part phishing emails should be deleted. If you get a phishing email that has Harvard branding or logos, contact your service desk immediately. That sort of phishing is targeted, and when we know it is happening, we can take steps to protect the University from further attack.

For more information, visit security.harvard.edu.