Phishing Scam Hooks Some Undergrads

On top of the usual deluge of open list e-mails and Facebook notifications, some Harvard students’ inboxes have recently been hit with new trespassers: fraudulent messages asking for account passwords.

The e-mails, which seemed to be sent from the address support@harvard.edu, asked students to reply with their passwords “to complete your harvard account.” This practice—known in Internet slang as phishing—is “so common as to be routine,” said Jonathan L. Zittrain, a visiting professor at Harvard Law School who specializes in Internet law.

Students started receiving the e-mails last week, according to Noah S. Selsby ’95, a Client Technology Advisor on the Faculty of Arts and Sciences (FAS) computer services staff.

Lowell House resident Christopher N. Lewis ’09 got the e-mail two days ago and said he was immediately suspicious since it contained grammatical errors. After forwarding it to his House e-mail list, he received many replies telling him it was fake.

“It looked pretty sketchy,” Lewis said. “I don’t see how anyone can be stupid enough to fall for it.”

But Selsby said some students did believe the ploy, though computer services was able to limit any potential damage by changing their passwords. Selsby added that since many students use the same e-mail address and password for different sites, scammers could try using that combination on popular Web sites like eBay and Paypal.

Other than sending out notices reminding users to be suspicious of e-mails that ask for personal information and posting a warning on their Web site, Selsby said that the FAS information technology office can do little about the practice.

“Be skeptical,” Selsby said. “If you’re at all concerned about it, call or e-mail.”

Selsby added that it would be “very difficult” to figure out the identity of the sender since spoofers often use someone else’s computer.

“In many cases, we can trace it to a point, but after that it becomes very difficult,” Selsby said, adding that the perpetrator was probably not a Harvard affiliate.

Harvard students have received similar fake e-mails asking for personal information purporting to be from companies like Bank of America, Selsby said.

The e-mails are unconnected to the recent fire in the Science Center that shut down the FAS computer system for several hours, according to Selsby.
 
Zittrain, who is also a professor at Oxford University in England, said that the e-mails were not necessarily the work of someone looking to break into Harvard’s network in particular. He added that he received two copies of the recent phishing e-mails—one in his Harvard inbox, and one at his Oxford account.

“It’s all automated. We shouldn’t feel so special,” Zittrain said.

—Staff writer Lingbo Li can be reached at lingboli@fas.harvard.edu.