With a recent rise in phishing, the scams in which outsiders attempt to snare sensitive corporate, academic, or personal information by gaining access to computer systems through unsuspecting users, The Gazette talked with Christian Hamer, the chief information security officer for Harvard, about cybersecurity at the University and the consequences of falling for a phishing email.
GAZETTE: The hack of the Democratic National Committee over the summer, which resulted in leaked emails and now a federal investigation, started with a simple phishing email. Could something like that happen here at Harvard?
HAMER: Harvard has made great strides in enhancing our information security posture, particularly in the last 18 months. And as we keep enhancing our posture, cyber attackers will keep looking for vulnerabilities to gain access to our data, networks, and systems. Phishing scams have been around a long time, but expect to see a continued rise in phishing scams targeting members of our community. So, to answer your question, yes, phishing attacks on members of our community have happened, and will continue to happen.
GAZETTE: How effective are phishing campaigns?
HAMER: Very effective. The more sophisticated ones are extremely hard to spot. Attackers are doing their homework and sending more personalized campaigns. While most scams are trying to trick users into handing over login credentials or other personal information, some attackers have shifted to sending attachments that contain malware or ransomware. Ransomware is especially tricky as it encrypts all of the files on your device, and then the scammers demand payment in order to unlock them.
We caught a really interesting scam just last week. A fake email purporting to be from Harvard Human Resources was sent, alerting members of our community that their W-2 forms were ready for online viewing. The scammers had done enough research to know that Harvard uses PeopleSoft and ADP. The only giveaways were that the links went to a non-Harvard URL, and the login screen wasn’t HarvardKey. This particular scam was designed to steal login credentials. Because we now have two-step verification linked to our HarvardKey account, the real owner of any stolen credentials would be alerted through two-step verification that someone was attempting to log in using their account, at which time they have the power to stop the attack by denying access.
- Trust your gut. If something seems off, call or text the sender to verify authenticity.
- If you get a suspicious email, do not click on links or attachments.
- Report phishing to email@example.com.
GAZETTE: Harvard recently required the use of two-step verification. How is that helping?
HAMER: It’s made a tremendous impact. Unauthorized access through VPN and HarvardKey has dropped substantially, nearly 100 percent in the population where the two-step rollout is complete. And we are hearing from the community that they find it pretty easy to use, especially when using the “Remember me for 30 days” option. I definitely would encourage people to do that. HarvardKey and two-step have absolutely moved the needle on the security of our logins, but we still need to be vigilant online.
GAZETTE: What else should people be doing to protect themselves from these types of cyberattacks?
HAMER: When you spot a phishing email, forward it to firstname.lastname@example.org. When you report an email, our information security team can take the appropriate actions to protect our community. Some phishing emails are pretty obvious, and people can generally identify them as scams. But many of them are hard to tell from the real thing. Many of these attackers know how to exploit human nature to make an impact, and it really works.
There’s no singular way to identify a phishing email that will work in every situation, but there are some general things that people should look out for, and you can find those tips on our website, security.harvard.edu. With the less-obvious ones, something may feel just a little bit off. We see a lot of emails that are supposed to be from the IRS, or are about a parking ticket, or maybe an unpaid invoice, or maybe your account is going to be shut off. One of the important things to do is just stop and think: Does Cambridge parking enforcement really have your email address? Is this how you’d expect them to contact you? And if you are really unsure, pick up the phone and call the sender, or find some other way besides email to verify the sender’s authenticity before clicking on links or attachments. Never enable macros (instructions that expand to perform broader tasks) in a Word or Excel file unless you know exactly what that file is, and you’re certain who it came from.
GAZETTE: I usually delete these types of emails. Is it OK to forward them?
HAMER: Yes, but you should only forward it to email@example.com. Don’t forward it to your friends or colleagues to say “Hey I think this is phishing,” because that’s effectively distributing it to an even larger group.
GAZETTE: What is Harvard doing to protect our community from phishing attacks?
HAMER: Like virtually all organizations, we use technology to try to filter out as many of these messages as we can before they hit an inbox. One of the challenges is that it only takes one phishing email to get through and one person to fall for the scam to cause problems. What we’re trying to do now is really kind of flip that equation on its head by asking people to report phishing, because if we just get one person to report it, now we can take steps to protect the whole community. You will also be hearing more from us through a phishing awareness campaign to help our community spot phishing and to report it.
GAZETTE: What other advice can you give to the Harvard community to keep safe online?
HAMER: Keep software patches up to date for your operating system, applications you use, and for your phone. Many of these things now have a way to set them so they automatically apply updates. That is one of the simplest and most effective things that you can do. The other thing is you should know your data. Get rid of sensitive data that you don’t need, protect the sensitive data that you do need, and make sure that all of your important data, whether it’s sensitive or not, if it’s important to you, is backed up securely somewhere other than on your computer. And as we talked about before, please report phishing to firstname.lastname@example.org.
Browse here for help in identifying phishing messages: http://security.harvard.edu/click-wisely