Campus & Community

Avoiding cyber attacks

3 min read

Harvard expert offers best practices to thwart phishing expeditions

Of all the cybersecurity risks at Harvard, phishing is always at or near the top of the list. The fraudulent emails that try to trick recipients into giving up personal information, money, or both have been steadily on the rise across campuses everywhere, including here in Cambridge, according to Chief Information Security Officer Christian Hamer.

“While Harvard IT has made significant progress protecting individuals against phishing — particularly with the addition of more robust spam detection filters, malware detection software, and the activation of two-step verification on HarvardKey accounts across the University — we still need our community to stay vigilant,” Hamer said.

“Phishing has become much more sophisticated and much harder to distinguish from the real thing. Trusting your gut is the right thing to do. If something seems off, don’t click on links or reply to the email until you can verify its legitimacy. And continue to report suspicious emails to,” he said.

A successful phishing attack can be devastating for individuals, who find themselves the victim of identity theft or ransomware, and catastrophic for institutions that risk unauthorized access to a treasure trove of vital data and research. Many large data breaches originate from a single successful phishing attack.

“There’s a reason cyber attackers use phishing emails — they are cheap, low-tech, and they work,” said Hamer.

To stay safe online, Hamer recommends the following best practices.

  • Don’t click links or attachments in suspicious emails. Until you can verify that an email is legitimate, skip the links. Dangerous URLs, often hyperlinked with friendly language like “click here,” and attached documents may contain malware or ransomware, or lead to a fraudulent website set up by attackers.
  • Trust your instincts. In some cases, phishing emails and fake websites can look official. Phishing emails may even appear to come from a known sender. What gives them away may be subtle — an unusual salutation, an urgent or uncharacteristic request, an unofficial-looking URL. If something seems odd or surprising, be suspicious: It could be phishing.
  • Don’t be intimidated. A common phishing tactic is to threaten penalty, loss of service, or other consequences for not acting quickly. Slow down and look at the message carefully. Could it be a phishing attack?
  • When in doubt, reach out. If you don’t trust an email, the best course of action is to call or text the alleged sender, or open a browser and type in the official website URL to learn more.
  • Never, ever give up your username and password. Legitimate organizations, including Harvard IT support staff, will never ask for your username or password, especially via email.

Report suspected phishing that is delivered to a Harvard email account by forwarding emails to More information on how to “Click Wisely” can be found on the Information Security Office website.