Students, Staff, and Faculty Targeted by Phishing Scam

Over the past two weeks, more than 1,000 graduate and undergraduate students, faculty, and staff have been targeted in a phishing email scam that aims to compromise personal data.

On Feb. 12, unidentified attackers posing as Harvard representatives began sending out emails asking recipients to update their account information by clicking on an included link, according to Christian Hamer, Harvard’s Chief Information Security Officer. The link led to a fake login screen requesting the user's HarvardKey or PIN.

“At this time, we know that only a handful of people provided their credentials,” Hamer wrote in an emailed statement.

The attackers were able to use account information garnered from a few users to gain access to PeopleSoft, Harvard’s human resources system, according to Hamer. Once inside PeopleSoft, the scam’s perpetrators could attempt to view targeted individuals’ W-2 forms, if existent.

W-2s, federal tax forms provided to Harvard employees each year, report an individual’s income, taxes withheld, and Social Security Number, among other information.

“We believe the intended goal of accessing W-2s was to file fraudulent income tax returns to obtain tax refunds,” Hamer wrote.

Harvard Information Security first became aware of the scam on Feb. 14 and took immediate action. HIS staff blocked the attackers’ access to the University’s network, locked the Harvard accounts of individuals who had responded to the phishing campaign, and took down the fake Harvard login page, according to Hamer.

On Monday, Hamer sent an email to all students, faculty, and staff warning of the phishing attack, offering an example of the phishing email, and detailing what steps email recipients should now take. Information Security is continuing to contact individuals whose W-2s were accessed by the attackers, according to Hammer.

Scams and technology attacks one are far from new to campus. In 2006, University social organizations were the targets of a fundraising scam. Last June, a security breach to the Faculty of Arts and Sciences and central administration information technology networks may have compromised individuals’ email login credentials. More recently, two Harvard freshmen said they were scammed out of more than $1,500 in a phone scam a little over a month ago.

In light of the recent phishing attempt, Hamer urged all Harvard affiliates to remain vigilant.

“Phishing is one of the most common scams on the Internet,” Hamer wrote. “We discover phishing campaigns with varying targets daily. We all need to be alert for phishing emails every day.”

–Staff writer Hannah Natanson can be reached at hannah.natanson@thecrimson.com. Follow her on Twitter @hannah_natanson.