“Appointment” as professor at Harvard was an elaborate phishing attack (ndtv.com)
214 points by LordAtlas on Jan 16, 2021 | 210 comments


Regardless of which side of the political spectrum one is or what qualifications one has or what terrible deeds one has done (or alleged to have done), the fact is that phishing attacks aren’t very easy to avoid (you’d be fooling yourself if you believe you’d never fall for one). You can ace all the phishing email tests your company routinely sends you and still fall for a more sophisticated attack or fall for something that in retrospect seems stupid because you were preoccupied or stressed or had other serious things going on in life.

Victim blaming and questioning how she could believe that she’s qualified for some position is the wrong thing to talk about, and is also disgusting in certain ways.

What would be better, at least in a tech focused community, is to find out more details on how this happened and where the gaps (that are obvious in hindsight) are. I wish someone like Brian Krebs (of Krebs on Security) could get more information on this and do a detailed write up. That would be more insightful and useful to everyone than rants about the victim.


Thank you for posting that. There are obviously way too many people here (and elsewhere) who think they're way too smart to fall for phishing and other forms of scams unlike "stupid" grandmas, journalists, etc.

The reality is that we all do things when we're distracted and not really paying attention. Or we get caught up in the excitement of something and we don't stand back and ask ourselves whether it really makes sense. And anyone who thinks otherwise is just arrogant and misguided.


It may well be true that phishing scams can be easy to fall for, but it is not relevant to this story. Razdan tweeted that she was joining Harvard's Faculty of Arts & Sciences as an Associate Professor. Regardless of how convincing the phishing attempt was, this is incredibly naive; Razdan does not have a PhD or any publications and Harvard's FAS does not have any professors in journalism.

Edit: https://twitter.com/ruchirsharma_1/status/135006726628985651...

It seems that this may not even have been a phishing attempt.


Not to mention that universities typically don't hire people at the associate professor level. The first rank is called "assistant professor," followed by "associate professor," and then "full professor." Associate and full are tenured ranks, which is why there isn't much hiring at that level.

Also, one would expect any open position at a US university to be advertised, most likely in The Chronicle of Higher Education. This is something perhaps only someone who's got a little familiarity with the academic job market may know, so, I suppose one could be forgiven for not knowing it, but I would assume that one would at least google for open positions at Harvard to find out if it really exists.

That said, naïve or not, I also don't think victim blaming is a productive thing to do here. All it does is discourage people from speaking out about their experiences, which means we can't learn from them. It may also discourage people from seeking help when they think they might be getting phished.


As others have pointed out on Twitter, I am not sure who is the victim here; Nidhi Razdan apparently had multiple speaking engagements where she was introduced as Harvard faculty:

Example: https://pbs.twimg.com/media/ErxnAc5XEAEkro3?format=jpg&name=...


I don’t understand. Are you saying people are claiming she made the whole thing up and was just going around saying she was an associate professor at Harvard?


Yes. That's what the Twitter thread shows.


To be honest, NDTV is one of the top English channels in India and Nidhi Razdan is a very well respected and recognized journalist.

It makes no sense for her to fake all of this for some "clout" as some on twitter suggested - she does not need it. Unfortunately there is a lot of cynicism for anything media (and in turn politics) related in India and people love to speculate.


What you are suggesting here makes this already interesting story even more interesting. Perhaps there are holes in her story but if she really knowingly faked the whole thing, why would she resign from her job?


Because she was maybe resigned?

It's possible there's an innocent explanation but Occam's Razor does suggest she just made up her Associate Professor at Harvard title and, when called out for it, concocted a story about it really being Harvard Extension School and phishing. Which was vaguely plausible so long as you don't think too deeply about it and ignore that, if this were the case, the initial Twitter post was deceptive.


By “resigned” I am assuming you mean she was fired. If she were fired why would her previous employer allow her to use their website to publish this story?


Who knows? Maybe the Occam's Razor conclusion isn't in fact the right one. Maybe the publication thinks it saves them face as well as her. (Journalists who lie look bad for news publications even if they're fired.)


She turned everything over to the police who will presumably investigate. Why do this if she is lying?


Devil's advocate: she claims she turned it over to the police.


This thread says people from industry are sometimes hired without needing Ph.Ds - https://twitter.com/gauravsabnis/status/1350414118986121216


Ok? I never said anything about PhDs. What I said was that people typically aren't hired in at the associate level. Those that are would typically be professors who have tenure at another institution, meaning that they're already at the associate level or higher. People who are denied tenure at their current institution and want to continue in academia would apply to an assistant professor job and negotiate a shortened tenure clock, meaning that they would be assessed for tenure in fewer than the standard 6 years that a brand new, never held a professorship of any type assistant professor would have.

Again, this is a lot of esoterica about the academic job market that not many people outside of those circles are going to know, so I don't blame anyone for not knowing it.


Apologies. Meant to reply to someone else who claimed Ph.Ds were a requirement.


As I responded elsewhere, that's not what she wrote in the post that people are responding to. I would agree that if it were the case that she was offered a full faculty position after a 90 minute remote interview, that wouldn't pass the sniff test. But that's not what she claims in this post. It's very plausible that a working journalist would teach at Harvard Extension School. Though it's at least a bit of a stretch that Harvard would relocate someone from India to do so. And it does seem that her story is changing.

ADDED: And, yes, there seem to be different claims on twitter than what is stated in this post.


"But that's not what she claims in her post."

I am not sure how much more clear I can be with you. Nidhi Razdan claimed on Twitter that she was joining the Harvard Faculty of Arts and Sciences as an Associate Professor. The Harvard Extension School has absolutely nothing to do with any of this. Here is the original tweet:

https://twitter.com/Nidhi/status/1271705895437651968


The Harvard Extension School is a program of the Harvard Division of Continuing Education, which is part of the Harvard Faculty of Arts and Sciences.


Again, this is irrelevant. I find it hard to believe how often I have to repeat this. The Harvard Extension School does not hire tenured professors. You do not become a tenured faculty, let alone an associate professor, at Harvard's FAS if you have no research background. The story should fail a minimal scrutiny test from a layperson, let alone a journalist with more than 20 years of experience. This just doesn't add up.


Why do you repeatedly say "I can't believe I have to repeat this" and then say something you haven't mentioned in this thread?

What an "associate professor" is isn't common knowledge, even for a journalist. It both means something different in Commonwealth countries and the definition of "associate" is "entry level" which doesn't fit either version of an associate professor.


> You do not become a tenured faculty, let alone an associate professor, at Harvard's FAS if you have no research background.

This is not something someone without a research background would know.


I'd absolutely expect an experienced American journalist to have a pretty good idea of how academia operates in the US. I do and I don't have a research background. I have no idea though how things operate in India.


The title is still fishy though even if she (as a journalist!) took some liberties in implying she was a professor at Harvard University (and what that implies) even though she wasn't. Just as if I said I graduated from Harvard when I got a degree of some sort from HES, that's clearly misleading. If you look through the faculty directory of HES, it doesn't look as if HES generally gives titles; most of the titles given are the faculty's positions at other institutions where applicable. (There are a few Lecturers in Extension.)


Which would have made her an adjunct professor, certainly not an _associate_ professor.


You don't need to have a PhD to be a professor in a "creative" field like journalism/art/writing/etc. For example Jamaica Kincaid is a professor at Harvard and if I recall correctly I don't think she even graduated from high school.


This. And the effectiveness of targeted phishing is why we must replace SMTP-based email, and eventually block SMTP on public networks. It isn't suited to the 21st Century Internet.

Hence, the mnm project[1] (open source client & server) and TMTP[2][3].

[1] https://mnmnotmail.org

[2] https://github.com/networkimprov/mnm/blob/master/Protocol.md

[3] https://mnmnotmail.org/rationale.html


Hmm, the value proposition of MNM here (in preventing phishing) seems to derive from the design goal of not allowing arbitrary content on first contact between arbitrary users, or do I misunderstand?

This strikes me as a cure worse than the disease. There’s a strong social need for people—especially those who are public figures or soliciting job offers—to be reachable by “never before seen” contacts.

There’s also a strong social need to allow people to send emails from self-provided (I.e. unverified) names or identities, given the currently burdensome process of getting “verified”.

I think you could argue that there’s an opportunity to move business email to “real ID”-verified identities (e.g. with SMIME), but I struggle to see how that’s a problem with SMTP or how replacing the protocol will help there.


This reminds me of how if you ask almost anyone if marketing works on them, they'll say no or not the deceptive parts. Yet, logically, marketing must work on most people or Coke wouldn't spend 4 billion dollars a year on it. Feels hubris-y to me. We forget we all have the same equipment.

https://www.investopedia.com/articles/markets/081315/look-co...


Idk, it could still be wrong or not as useful as thought of.

https://www.forbes.com/sites/augustinefou/2021/01/02/when-bi... :When Big Brands Stopped Spending On Digital Ads, Nothing Happened. Why?


Interesting article. I know the big CPGs have been challenged by digitally native brands like harrys and the shave companies. It's also clearly not true if you're not a globally known brand with a lot of monopolies. I wonder if it holds true in all markets for the big brands. I also wonder if it would open them to more competition from smaller brands over time. Like the other commenter said, hard to name too many non coke/pepsi carbonated beverages.


I just wanted to comment on the Coke point specifically. They already have achieved market penetration at such a high level that I wonder is it really still worth it for them to keep spending 4B on ads a year. Uber also had a similar experience: https://news.ycombinator.com/item?id=25623858


People always say marketing doesn’t work on them until you ask them to name non-Coke carbonated beverages...


I'm not sure if I understand you correctly, but at least around here there's RC Crown Cola, Solo, Farris, Pepsi, Pepsi Max, Eplerose, Oscar Sylte Pærebrus, Monster energy, Red Bull, 7-up etc and I don't think I am special at all for knowing them.

In case it matters, a number of these don't advertise, at least not in the same league as coke (multiple national campaigns a year).


> I don't think I am special at all for knowing them.

I would guess that at least 80% of people off the street would only be able to name advertised carbonated beverages. In that case, yes I think you are special.


I remember in a state of heavy depression filling out some random email spam survey and being about forty questions into it before asking myself what the hell I was doing.


A clever element of this is the cross-cultural nature: the Harvard name internationally known, yet someone not in that milieu would not be able to detect a number of "red flag" anomalies. In fact if the author was phished by someone in India (a likely case) then the perpetrator could make a cultural error that would be undetectable by the victim as they might share the same set of assumptions.

I say "cross cultural" but by that I also mean "cross domain" which is how financial scams can entrap victims who aren't familiar with the details of financial jargon.

It's also why people can believe conspiracy theories which are absurd to someone familiar with the domain.


I have yet to see a scam which would fool me. And I have seen many already.

All the scam and phishing mails I saw in my whole internet career were somewhere between totally obvious and embarrassingly blunt.

I can't agree with your assessment. If someone is naïve, they are at risk. Same applies for overconfidence. These are personality traits which are easily exploited. In real life as well as on the Internet. We can't protect everyone from everything. Neither in healthcare nor in VR.


No offense, but you’re likely a “nobody.” So you’ve only come across the generic scams. This is a famous person. The phishing attempt was designed specifically for her. You don’t know if you’d fall for it because 1) nobody would invest that much effort into phishing you, and 2) “we’d like you to come teach at our university” is a plausible thing for her to hear but not you or I.


One that was successful at my company recently was an e-mail sent to an electrical engineer from the CEO saying that the CEO needed a gift card from Target for an employee birthday, and had forgotten to pick it up. The EE went to Target and bought the card. The instructions included replying to the e-mail with the card # so the CEO could include the number in the birthday card and not need the actual plastic.

The spoof was believable at first glance. It used the CEO's actual first name and obscured the actual source e-mail address with his company e-mail as the name. What should have given the engineer pause (among other things) was the context. There was no reason that the CEO would ask an engineer to do this task at my company. Nonetheless, the engineer was perhaps overly deferential to the chain of command and the suspicion didn't emerge until he had embarrassed himself.


That's rough. I got a phishing email from my CEO asking about something similar with money and had a brief 'oh shit' chain of command moment before my incredulousness kicked in. I get it.


We had an employee fall for this exact scam, the only reason it failed is we are a smaller company so rather than reply our employee physically handed the cards to our CEO. She had bought 2k worth of Target gift cards. Needless to say, our CEO was very confused. I looked at the phishing email, and in Gmail it looked very legit, since by default the email address isn't visible. The email had the correct first & last name of the CEO, only clicking on the header showed the from email didn't match our CEO's email.

I was shocked that a company as small as ours was targeted, this phishing attempt was clearly not bot generated and the English in the email was very good, the only thing that was fishy was the request for gift cards.


I've recently also heard "the email address is not visible by default" in a postmortem. This is a UX problem which leads to increased vulnerability. It needs to be fixed.


Hah, I almost fell for the same thing, but when they asked for 4! $1000 codes! over email! I got a bit suspicious.

Could have probably gotten 4 times $50 out of me though.


Simple. Either call or reply asking him why he didn't send this mail to the secretary.

If you can't be so direct with your boss, find another job.


In this case, it was his boss's boss's boss (I am his boss's boss). This particular engineer is highly valued at the company, including by me personally. It was at the same time surprising, but paining to see his consternation, and I certainly do hope he doesn't leave us. I'll gladly endure a $100 mistake to have his talents and attitude as an engineer.


> I have yet to see a scam which would fool me. And I have seen many already.

That's because you have never been targeted. It's that simple.

There is a small segment of society who are: a) savvy, and b) not actively engaged in commerce/business/community/career/friends/family, so any solicitation over email is likely suspicious.

Everyone else is at some level of risk. And sometimes it only takes one failure.


Even untargeted scams can fool a savvy person by coincidence. I followed my accountant when he switched accounting firms. Within two weeks of that, I got a generic accounting email SharePoint document share. It linked to the actual ms domain and used some redirection trickery to end up on a pixel perfect copy of the office 365 login screen. I only didn't get scammed because my password manager refused to auto fill.

Had the email come after I had learned the name of the new accounting firm, I never would have even clicked on the link.


>Even untargeted scams can fool a savvy person by coincidence.

And you can pick them up 99 times out of 100. But that 100th time, you're tired, rushing to get out the door, etc. and they get you.

I'm definitely more cautious than I was when phishing was just starting to be a big thing. Back then I don't think I ever fell for anything but there was once or twice when I wasn't really thinking and started down the path of providing information.


> I have yet to see a scam which would fool me

Maybe not but you will. If you live long enough you will suffer inevitable cognitive decline until one day you will be vulnerable to such a scam. We all will. No amount of good diet, meditation, fish oil and exercise will keep that from happening.


mlang23 has commented about being blind, which is a pretty huge filter against Internet scams, which aren't designed for screen readers.


You pretty much nailed it. I am filtering a lot of stuff because I refuse to use certain modern flashy technologies. Office 365, yeah, go away. Firefox? Only on a dedicated machine if I really need it.

Emacs, SSH, tmux, old fashioned email (text only) and a linux virtual console is all I need to be productive, fast and especially happy.

A big part of what makes these attacks work is the tech stack in use on the recipient's side. I recently heard about an Emotet attack, and was told "Well, you know, the problem is that Outlook only shows the name but not the address by default". Oh well, what can you say about that?


If any sizeable portion of internet users were also visually impaired, and on a stack similar to yours, you'd certainly see scams targeted at you.

Good for you for being so far off the map, though, that is a good protective measure.


We're all gonna die. Some earlier, some later.


I admire her for doing the right thing, and risking embarrassment and shame, by telling the story to make the rest of us hyper-aware.


> I have yet to see a scam which would fool me

If it fooled you well enough you might not have noticed you were scammed.

Scams run from laughably blunt like the Nigerian prince to remarkably close to the real thing, like the callcentre that rang me pretending to sell phone contract upgrades that used exactly the same crap phone sales techniques my actual network used when they (coincidentally) called me a week later, and had a 1-letter different email address with the URL redirecting to the same website


TLDR: *It's not very useful to have an interpretation by a person who mis-interpreted a situation, without concrete real-world examples of what they actually interpreted: screenshots of conversations & email addresses/other contact info (at least domains such as @something.edu) , so I can at least say "Yeah, this was obviously phishing" or "wow, this phisher was really incognito".*

I'm interested in seeing the email address domain of the person who phished this author. And other specific details about the conversation-- such as screenshots and other evidence.

- "what appeared to be an official Harvard email ID" Did the phisher have a @harvard.edu sort of email address or not? I don't care about "what appeared to be" (i.e. insinuating the author interpreted the account to be official.) I want to know what the actual domain of the email address was -- not that in the author's opinion it seemed to not be fake.

- I know some professors have their own websites & use their own custom domains-- still, I'd see this as phishy unless it specifically came from a @harvard.edu account. And even then, the phisher could still have somehow accessed an available account. But, then I'd simply try to find their faculty page. Also, I would expect other people or group-email-accounts in HR to be CCed on the emails, not just some individual contacting me.

To be honest, I am surprised this author does not provide concrete details. She tells how things happened, and what steps she took. But provides no screenshots of her conversations, no specific details about the online personas of the phisher.


It’s already an embarrassing situation to share. 99% of people would not share it. The screenshots might be even harder to share because the signs seem so obvious in retrospect. I agree that more would be valuable but understand why we may never get it.


I suspect that's exactly why they did not provide specific details. Which for me, negates the value of the article.

In which case-- this article is more of a "Don't get phished. But I won't show you how not to get phished and what it looks like when you're getting phished."


The article has some value, which is to make people aware of the fact that this happens, and happens in highly bespoke ways to powerful/influential people. It’s in all of society’s interest that powerful people don’t get phished (imagine this journalist getting phished, compromising photographs being stolen, and then blackmailed to say “talk positively about this political candidate and ensure they win or we will leak these photos.” Not at all far fetched.)


I would expect a journalist to share this information. Many journalists don't shy away from sharing the details when they are reporting a story on someone else.


There's something about this story that feels... incomplete to me.

As the victim here - and as a journalist no less - it's in her own interest to present the attack as being incredibly sophisticated so as not to appear naive for being deceived. In reality, perhaps the attack was not as sophisticated as her narrative suggests.

Like you, I'd appreciate some more details.


Wholeheartedly agreed...


> It's not very useful to have an interpretation by a person who mis-interpreted a situation, without concrete real-world examples of what they actually interpreted ...

I second you. This being Hacker News I'm really interested in how the phishing worked and the postmortem of the scam. This is a golden opportunity to learn about such high profile attempts, but no one's talking about it. It's sad to see that neither the author, nor her detractors are making any attempt to analyze the situation rationally.


Also, the term "sophisticated" is almost meaningless here, and that's usually the case when talking about these kinds of issues. A pretty straightforward Nigerian prince style scam is now a "sophisticated" phishing attack.

We already had enough issues in infosec with companies claiming they're all attacked by "APT" and "state-sponsored actor". It just seems an easy way to dodge embarrassment and looking silly.

Of course, there are real cases where the person/company may actually be a victim of a sophisticated phishing attack (or APT/state-sponsored attack, etc) but the terms lose their weight when they are being thrown around like this.


> I'd see this as phishy unless it specifically came from a @harvard.edu account

This, 100%. Just about every university in the US has a policy that all official school business must be communicated through your institutional email address- be it a question about the class or setting up an appointment for office hours. Most of my instructors have explicitly told us they will ignore any emails not sent from an @uni.edu email.

On a different note, how many schools set up a different email address structure for students versus faculty/staff? For my community college, students were first.last@g.communitycollege.edu and at my current uni students are FirstLast@my.university.edu. Is this standard practice?


harvard.edu doesn't have a dmarc policy so it can be spoofed.

edit: nevermind I've read the other replies and it's not that easy


Whenever I'm changing jobs, I spend at least half my time worried sick that I'm being scammed somehow. Until now, the "rational" part of my mind thought this was very silly, but I think this goes to show that it's a legitimate concern.

The fact of the matter is that when joining a new institution one lacks the contacts and the context to discern normal institutional behavior because it so often deviates from (seemingly) ordinary, sane human behavior even when nothing is wrong. Having autism, no part of my mind is naturally attempting to cover up this discrepancy: it remains jarring until I manage to "manually" reset expectations.


> The fact of the matter is that when joining a new institution one lacks the contacts and the context to discern normal institutional behavior

That was the case for me at a couple of very early jobs in my career, but hasn’t been the case for the last couple of decades. New jobs come by way of old colleagues, friends, etc. in such a way that I’m basically never walking in to a completely unknown situation.

If you’re not great at relationship maintenance, use something like LinkedIn. Reach out to former coworkers who you worked well with or got along with, and ask about jobs. Odds are very high that they’d like to work with you again, and will get a referral bonus if it happens!


I've gotten out of the blue recruitment calls, but after my first job via on campus recruitment out of grad school, every job (just a few of them) has been directly through people I knew. Except for essentially pro-forma reasons, I've probably never really needed a resume.


It's been particularly hard interviewing during the pandemic. In usual times, at least you would visit the office and meet some real people in person. Not saying you can't get scammed in person, but it's definitely harder to impersonate reasonably large organisations like that.


SPOILER: If you want to see an example of scamming people by sneaking into an office and pretending to work in it, watch "Charade" with Cary Grant and Audrey Hepburn.


Unless maybe it was somewhere I knew people well, I'd be very hesitant to switch jobs in a situation where I only had communicated virtually--unless I had no choice in the matter.


I 100% agree. All the hoops you have to jump through and things you need to enter regarding personal information always makes them feel like a honeypot. Not one moment in initial onboarding process do I feel like I'm legitimately giving my info to HR but some scammer in god knows where.


While it's clear that this was a sophisticated and personally-targeted scam, I feel the blog post would have been more useful with information about which Harvard email addresses were used to communicate with her, and perhaps some screenshots. Were they actual harvard.edu email addresses, which means somebody had access to an official address for replying to mails from her? (That makes the scam deeper and involves US authorities.) Or was it something like harvardhr@gmail.com? Which means she should not have fallen for it.

I just saw this tweet from someone senior at her former employer about how she uploaded a reference letter to an official-looking site but again, no screenshot or URL referenced.

https://twitter.com/soniandtv/status/1350415332599480324


She writes: "what appeared to be an official Harvard email ID". No further description is given.

This could be something as simple as "someone@harvard-faculty.org".

For the recipient, this is effectively indistinguishable from a legit address. Not just because people are unsophisticated, but because many orgs really do use this sort of ancillary domain for conducting real business.

I've seen Fortune 50 corps, hospitals, and banks make this mistake.

Even if Harvard does not, has not, and will not ever make this mistake, an outsider would not be surprised to see it.


No, anyone at Harvard uses a @*.harvard.edu address.


Sure, but you wouldn't expect the average person who doesn't have a deep interest in tech and lives in a country where the .edu suffix isn't even a thing to know this. I doubt even most hackers here validate the ownership of the URLs every time a recruiter reaches out with a plausible-sounding personally-targeted opportunity (as opposed to a 'dear customer please sign in here' mass-mailing)


Yes, of course.

But the senders were not at Harvard, so it's very likely that they did not do so. And they would not need to do so, for their purpose.


Exactly. No concrete details and examples so safe to assume the emails were not actual @harvard.edu ones. But I blame it on organizations and esp universities. Each school/lab get their own prefix which makes it harder for people to spot a fake address.


> to assume the emails were not actual @harvard.edu ones

If that is so... so what? Plenty of organizations use different domains. Fidelity staff uses "frm.com"-- as an example-- while most customers know them as fidelity.com.


Email addresses can be spoofed.

https://en.wikipedia.org/wiki/Email_spoofing


Well, of course, SMTP headers are trivial to spoof, but for this scam to work, the scammer would need actual POP/IMAP access to the harvard.edu account to receive her replies and respond to those, which is not as trivial.



Only if they’re used. There are no DMARC records in place for harvard.edu or subdomains, which is kinda shocking.


The lack of DMARC records, even if it could facilitate spoofing, won’t magically make reply emails addressed at a valid @harvard.edu address land in a spoofer’s inbox. A different Reply-To address is possible but then you can’t claim a lack of warning signal. There’s something else going on.


I'm guessing the scammers did something like person@hr.harvard.edu.obscuredomain.tld

They've gotten pretty good at crafting domains this way.
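The header tricks described across this thread (a display name that shows a different address than the real sender, a trusted domain embedded as a prefix of an attacker-controlled one, an ancillary look-alike domain, and a Reply-To that routes answers elsewhere) can each be checked mechanically. The following is an added example, not code posted by any participant; the function names and finding labels are assumptions, the two look-alike addresses are the commenters' own hypotheticals, and the other messages are constructed. It inspects headers only and does not evaluate SPF, DKIM or DMARC results.

```python
import re
from email import message_from_string
from email.utils import parseaddr


def domain_of(addr):
    """Lower-cased domain part of an address, or '' if there is none."""
    return addr.rsplit("@", 1)[1].lower().rstrip(".") if "@" in addr else ""


def is_trusted(domain, trusted):
    """True only for the trusted domain itself or a real subdomain of it."""
    return domain == trusted or domain.endswith("." + trusted)


def check_headers(raw, trusted="harvard.edu"):
    """Return a list of warning labels for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(addr)
    brand = trusted.split(".")[0]          # e.g. "harvard"
    findings = []

    # 1. Mail clients that show only the display name hide this mismatch:
    #    the name itself looks like an address, but not the real one.
    shown = re.search(r"[\w.+-]+@[\w.-]+", name)
    if shown and shown.group(0).lower() != addr.lower():
        findings.append("display-name-address-mismatch")

    # 2. The sending domain is not the trusted one but is built to look like it.
    if not is_trusted(from_dom, trusted):
        if "." + trusted + "." in "." + from_dom:
            # trusted domain appears as leading labels of another domain
            findings.append("trusted-domain-embedded")
        elif brand in from_dom:
            # ancillary-looking domain that merely contains the brand
            findings.append("brand-in-untrusted-domain")

    # 3. A spoofed From only works for a conversation if replies go elsewhere.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = domain_of(reply)
    if reply_dom and reply_dom != from_dom and not is_trusted(reply_dom, trusted):
        findings.append("reply-to-domain-differs")

    return findings


# Sample messages. The addresses in EMBEDDED and ANCILLARY are hypotheticals
# quoted from the thread; everything else is constructed for this example.
EMBEDDED = "From: person@hr.harvard.edu.obscuredomain.tld\nSubject: Offer\n\nHello"
ANCILLARY = "From: someone@harvard-faculty.org\nSubject: Offer\n\nHello"
REPLY_TO = ('From: "Harvard HR" <person@harvard.edu>\n'
            "Reply-To: person@mailbox.example\nSubject: Offer\n\nHello")
DISPLAY = ('From: "ceo@example-corp.test" <ceo.office@mailbox.example>\n'
           "Subject: Gift card\n\nHello")
CLEAN = 'From: "A Person" <person@fas.harvard.edu>\nSubject: Hi\n\nHello'

if __name__ == "__main__":
    for label, raw in [("embedded", EMBEDDED), ("ancillary", ANCILLARY),
                       ("reply-to", REPLY_TO), ("clean", CLEAN)]:
        print(label, check_headers(raw))
    print("display", check_headers(DISPLAY, trusted="example-corp.test"))
```
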


No idea on harvard, but alumni are often allowed to keep their addresses and for every alum that still takes full advantage of that, ten may not notice anything. Similarly, old group addresses may mostly go into the void.

I suspect it is quite easy to make it look like many people from an institution are in a thread and a passive participant is an email address from a 3rd party job portal.


I don’t know a single reputable U.S. institution that doesn’t replace your @university.edu address with @alum[ni].university.edu after you leave. I’ve been affiliated with two and have friends all over the place, including Harvard.


For decades, Harvard issued alumni email addresses of *@post.harvard.edu. [1] Given that “post” could either refer to “after” or “postal”, I would imagine someone who didn’t know many people at Harvard might think that a post.harvard.edu email address is a normal thing for current employees.

1: https://alumni.harvard.edu/help/email-forwarding


MIT is right next to Harvard..

*Might your own cultural expectations open you to attacks from a place with MIT's (recent if not current) network culture?


MIT uses @alum.mit.edu. I don’t think I know former employees there but at least former students I know lose mit.edu addresses, a fact also easily confirmed with a Google search. So, your point being?

Edit: You added

> *Might your own cultural expectations open you to attacks from a place with MIT's (recent if not current) network culture?

after my reply. I’m not sure how it is relevant to your claim that “alumni are often allowed to keep their addresses”. In fact the question doesn’t make any sense to me; I’m not gonna accept an MIT job offer from an alum.mit.edu address (or more relevant to me, alumni.stanford.edu/alumni.princeton.edu), regardless of network culture.

Edit 2: Reread your question and realized you were implying that MIT "recently" allowed alumni to keep @mit.edu addresses. Well, you'll need to show some proof.


Your expectations are very specific to what you know about US schools right now. MIT would let a machine receive email, many institutions would forward email to a user's alum address, etc.

This approach to identifying phishing is ultimately insufficient.


My alma mater (one of the highest ranked state schools) grants your email for life and does not update it.


Berkeley doesn't.


I do not have much sympathy for her, given my low opinion of English-speaking Indian Media and their faux-elite mannerisms. Certainly some level of Schadenfreude. But, I won't go into that here.

This seems more like a targeted public embarrassment operation than an attempt at identity theft. Objectively, Nidhi made a ton of elementary mistakes that would be inexcusable for a journalist. This includes non-technological mistakes such as not contacting the Dean or prospective collaborators who presumably voted to have her on the faculty. There is an immense amount of hubris on display as well. That being said, the scammers were incredibly sophisticated and committed to the ruse.

Either way, this sets a bad precedent. The internet allows for sophisticated scams like never seen before. A public embarrassment in the world of twitter can easily end careers.

I hope she finds some quiet in the midst of this public show where she has been made an unwilling jester. She should have handled this in private. Now that it is out on Twitter, trolls will make sure she never forgets what I presume has been incredibly traumatic.


She made it public because she had been doing PR telling people she was a Harvard professor.

This "phishing" is suspected to be a cover up for her own fraud getting caught.


This is pure speculation. Why would she think she could pretend to be Harvard professor and not be found out?


Much more blatant lies have been told in India, so I would not be surprised in the least.

Indian English Journalism is a farce.

There are exceptions, but it is an exception-proves-the-rule sort of thing (Old Indian Express, The Print, Caravan)


Not sure why you're smearing Indian English journalists like that. I'm an Indian as well and there are some really slimy journalists / organizations in the media industry (just like there are the obvious ones in the US) - but NDTV or Nidhi is definitely not one of those. She's a pretty well regarded journalist.

Is there anything major you think she's done in her career that makes you say that?


Well, in some sense, I say that due to Hindi Journalists like Ravish Kumar at NDTV. The Hindi news media is strongly insulated from western media due to language differences. This affords them a certain independence and humility that the English wing seems to lack. Their fates are more directly coupled to India and its concerns. Eloquence and virtue signalling don't matter as much. They NEED to have a better finger on the country's pulse than English media. Lastly, the hindi and regional language press is distributed. There is no geographical power center and there are too many outlets. Thus, it cannot be controlled in entirety.

The Indian English news media is consumed by an incredibly small fraction of the population. Nepotism is rampant and tiny cliques determine your fate. While Hindi media affects politics, English media affects global outlook and economics. They wield a disproportionate power for their size and this power is lent to them because the West reads these outlets.

This made it the one that was most important & possible to control. The Indian English press rose in the era of Congress domination. These select few journalists, all owe their fates and meteoric rise to currying favor with the Gandhis and the bias shows. There is also a strong faux-left bias (Vox esque) but I would not blame them for it if they were transparent about it. Their 30 year track record on the Gandhi Family, Anything Hinduism related and Communists is proof of it. It is no surprise that Narendra Modi had a US visa ban, but terrorists and genociders from India and around the world never were.

These people live their lives out of Lutyens' Delhi, completely out of touch with India. Their bad takes are never scrutinized, because the West and hyper-urban Indians have no idea what the rest of India looks like. Lastly, there is an offensive level of Elitism and need to associate with the Elites (NYT, WaPo, UN, Diplomats and the Glitterati) that is completely absent from Hindi media. This debacle epitomizes it.

Their opinions appear to be handed down from NYT and college campuses. They never bite the hand that feeds them and worst of all, they like to act smart while making lazy commentary.

Recently, I have been digging what ThePrint and Caravan magazine have been producing. Both are run on subscription models (yay) and take journalistic values seriously. Even when I disagree with them, I get something useful out of it.

TL;DR: Old Indian English Media is like MSNBC, Vox & CNN, but shallower, more elitist and nepotistic.


I don't think regional journalism in India is better than English one though.


Is there a source on this?


What the heck is going on with the victim blaming -- both here and by Harvard staff on twitter? It's gross.

I'm sure this was an opportunity of a life time-- not enough of one to come off as totally implausible, but enough to paper over some of the red flags. Most scams are obvious in hindsight and from an external view.

Believing that you couldn't fall for a scam is probably one of the best ways to increase your vulnerability.


I agree. There are good reasons to be skeptical of the story at this point. But if, for purposes of argument, one ignores other claims and goes by the original post only, it falls into the category of vaguely plausible. Vaguely to be sure. But not quite so vaguely that I'm going to say that no experienced journalist could ever fall for it. (Although, the more I think about it, the harder it is for me to believe that she wouldn't have made one phone call or sent one email to the dean or whoever to ask "Hey, I seem to be being given the runaround" before quitting her job. Journalists aren't known for being shy about picking up the phone.)


Indian journalists are notoriously gullible. Stories about them being tricked are a dime a dozen.

http://www.gelfmagazine.com/archives/nasas_prodigy_takes_ind...


You get the feeling that this was not a phishing scam with the ultimate goal of financial crime. This (to me) smells more like a specific, personal attack on this woman with the intent to humiliate and embarrass her professionally.


I did not want to speculate, but when I think of someone wanting to humiliate and embarrass, the first name that came to mind was "IT cell". But one of my friends said, the "IT cell" usually sends rape threats, they are not so sophisticated.

You either know about the "IT cell" or please google it ... all the links on it are non-authoritative.


> personal attack on this woman with the intent to humiliate and embarrass her professionally.

This is exactly what it feels like to me.


Yeah, who would spend the 90 minutes doing a fake interview for a random phishing victim. Even one with questions that are convincing enough to her.

Assuming the scammers are Indian, and the victim would be expecting some Americans interviewing her, I wonder how the scammers got some Americans to join in the scam. Hire some American actors and tell them it's for a prank TV show maybe?


They could have scammed someone else who was also looking for a job:

"We want to hire you for an HR job, please show us your skills by practicing with this woman."


Definitely. Looks like the goal was to make her leave her position at NDTV.


This exact situation occurred a couple years ago to some people in the US. I don’t know their names, and I didn’t investigate the situation internally, so I don’t know just how smart the phishers were vs their victims. What I do know is that I got a call from the front desk people at our Boston office that said someone is here for their first day of work and we have no record of them being hired. Did I know anything about this? I didn’t. After some investigation it was revealed to be an identity theft scam, and within a week several other people were also found to be victims of the same scam.

Before you judge too harshly, keep in mind that the people affected by this often aren’t very technical, don’t know what to look for when it comes to phishing, and are just doing what comes naturally in the situation. The scammers in this case are obviously at least somewhat technical and have a huge advantage in terms of being able to scattershot communicate with a very large group of people (potentially millions, although more likely 10’s of thousands in the case I describe). Also, while I’m sure no one reading this has ever been phished (cough), it has been _repeatedly_ found that phishing is effective, even for highly technical audiences. When it comes to recruiting, it is all too plausible that the person you’re interacting with doesn’t work for the company you’re “interviewing” with, and many recruiters start a conversation not even revealing who they recruit for. In fact, there are recruiting agencies that may as well be phishing organizations, because they will claim to have a role simply to get your resume and then, once they have your information, will start shopping it to companies in an attempt to get paid.

In short, I have a ton of sympathy for people affected by this, and think the assholes who do this kind of thing are pretty much evil.


If this is all true, this was a very personal attack. This doesn't seem to be for financial gains but personal vendetta.

Putting that aside, she should be equally blamed for falling for it despite being a fact checker for 21 years and also attending seminars, advisory meetings, talks and interviews as "Harvard Professor" without even going to a lecture hall once.


No lecture halls in covid, but virtual lectures.


Is it possible she made this all up, for (temporary) media attention?

Here she is hijacking an event for aspiring journalists to try and interview Barack Obama, who sees through this and publicly shames her:

https://twitter.com/rose_k01/status/1350053978403291138

There are multiple interviews of her talking about her upcoming appointment, her class structures, her (non-existent) syllabus.

It seems like another possible interpretation of the events is that she made this all up, then blamed it all on a vague "phishing attack" to defuse any responsibility. In the months prior, her career received a boost from all the media attention. Now, she also has some level of additional fame, that while not exactly positive, could help her launch into the next phase of her aspirations


According to the founder of Nieman Lab at Harvard, Harvard has no school of journalism, no department of journalism, and no professors of journalism. See: https://twitter.com/jbenton/status/1350059632782356481

I find it hard to believe a journalist with 21 years of experience wasn't aware of this. When someone reaches out to me regarding a new job opportunity, I always do some basic research.


From the article:

> Contrary to what many are tweeting, Harvard has a school called the Extension School offering a Journalism Degree Programme[1]. The actual programme is called the Master of Liberal Arts, Journalism degree.

1. https://www.extension.harvard.edu/academics/graduate-degrees...


I agree.

I also wonder what degree of ego played into this.

Who does Harvard contact out of the blue? If they contacted me out of the blue by email my first thought would be "Why would they contact me-- who am I? What have I accomplished that I would be on the radar that people are talking about me at Harvard to the point where I am invited to interview?"

To me, that would be phishy-- Unless I was some award winning, well-published, and/or well-credentialed journalist.

- Looking on Amazon, I see 1 book by this author: "Left, Right and Centre: The Idea of India". I also see a blank LinkedIn page, which mentions she lives in India.

- On Wikipedia, I see she has "done documentaries from Pakistan-administered Kashmir, Tibet and the United Kingdom after the train bombings." and "has been the diplomatic correspondent of NDTV 24x7, which is an English language television channel that carries news and current affairs in India, owned by New Delhi Television Ltd network.": https://en.wikipedia.org/wiki/Nidhi_Razdan

Those aren't trivial accomplishments. But I don't know that they represent the pinnacle of journalistic achievement to the degree that Harvard would reach out, out of the blue.


Sometimes it is connectedness. See

https://www.youtube.com/watch?v=SzCcVGbO9rw - Interview with Raghuram Rajan, who was the Governor of Reserve bank of India, was chief economist of IMF, and now a professor in US

https://www.youtube.com/watch?v=p1qS4gdutso - Interview with a maverick political consultant, kinda like Frank Luntz of India

https://www.youtube.com/watch?v=n6lolKKm2LU - Interview with Saudi Arabia foreign minister

I am sure I can find more examples, but the point is that during a 21 year career, of which a few years as a prime time host, you build a lot of network, you get a lot of local awards, that when a US school comes fawning, it may be a small surprise, but you take it in the stride.


> Raghuram Rajan, who was the Governor of Reserve bank of India, was chief economist of IMF, and now a professor in US

Raghuram Rajan has been a professor at the University of Chicago since 1997 except for a 3 year period from 2003-2006 when he served at the IMF. He was given a "public service" sabbatical from the University of Chicago to serve at the RBI.

https://www.chicagobooth.edu/-/media/faculty/raghuram-rajan/...


That's an intense level of con. Timed with the pandemic, it could have been hard not to fall for. I hope there is a follow up on who pulled it off. Did the perpetrators know the victim, did they send more of these "letters"? The con seemed pretty specific for a certain target. A lot of work to pull off. Also wonder if, and hope, Nidhi got her old job back. With a great story.


>Timed with the pandemic, it could have been hard not to fall for.

It didn't start there though. The offer letter supposedly came in January 2020 when things were perfectly normal in the vast majority of the world; I was traveling around Europe without a thought of pandemics at that time.

It seems a little weird that there would be a job offer after just a 90 minute phone interview. And moving halfway around the world seems a pretty big deal and one would think someone in that situation would be looking for a bit more motion on the logistics. On the other hand, we're talking Harvard Extension School and she's in India so maybe not a complete red flag especially given she had some apparent prior contact with the school. But certainly the pandemic allowed them to string things out for whatever reason.

It does seem as if there are different stories floating around though.


It seems more specific to Harvard. I wonder if the documents she was given by scammers were just believable or accurate. If they mirrored actual Harvard recruitment process then it's possible that whoever did this worked or applied there.

Or maybe it wasn't about the money? Maybe she was targeted specifically for her previous roles and knowledge?

Attack was very sophisticated.


There is no "Harvard recruitment process" for adjunct lecturers at the Extension school. People beat down Harvard's door for jobs.

Story is very fishy.


I wouldn't find it suspicious if some professors preferably refer people who speak on the campus over the database of spontaneous CVs, and there is a process regardless of how it initiates.

I think it is equally easy to imagine that she made it up (and pressured co-workers to lie?) to falsely claim harvard credentials with a good out as it is to imagine that a political organization wanted to discredit a journalist and get her to resign, probably expecting her to go quietly.

Since politicians are being given special access to advanced phishing, I think it is prudent to treat the story as real. How can this not raise demand for similar attacks using software from the US/Israeli/Italian/etc firms that specialize in state sponsored crime?


If this is legit, this is an insane amount of work to get someone's money. I add "if this is legit" because it does seem so unbelievable that someone would fake a 90 minute interview with someone. This leads me to believe it was personal because a scammer could have scammed a lot of other people in the amount of time and energy they put into scamming this one person.


People make prank phone calls that require a lot more work than a 90 minute phone interview.


Surprisingly similar to the story of a senior journalist at NYT who got scammed by a guy pretending to be a terrorist:

https://www.npr.org/2020/12/18/944594193/new-york-times-retr...

What a roller coaster of emotion that Podcast was!


It would be more helpful if she uploaded screenshots of the emails, including the sending address, and pictures of the letterhead. Assuming she's telling the truth about everything this would be by far the most elaborate phishing attack I've ever seen.


She is remarkably circumspect about these details. Lots of references to people being allegedly from Harvard or appearing to be from Harvard. It does feel disingenuous to put that out there and not provide a single example.


Wow, very surprised to see no DMARC records in place for harvard.edu or their various subdomains. It may be possible that a single DNS record could have prevented this whole madness.


A single DNS record and distributing the signing key to probably thousands of machines able to send mail, some of which are probably 30 years old and unable to do the dmarc crypto...


Thread by a US-based tenured professor on how hiring works in academia: https://twitter.com/gauravsabnis/status/1350414118986121216


This episode makes me wonder: how many times an anonymous source “verified” by a journalist is just someone pretending to use an organization’s official email address.


This is why journalists generally try to confirm information before publishing. I wouldn't say it never happens, but there is supposed to be some amount of verifying that wouldn't have been done on a personal job offer.


How do we establish trust in a virtual world? There are a lot of cues in a meatspace social interaction that can trigger a “gut reaction” one way or another on trust. In digital interactions it’s significantly easier to be social engineered.


Everybody gets a public key certificate, possibly since birth. There needs to be some way of establishing which keys belong to which person, perhaps via some government registry, and a way to invalidate old/compromised keys. Overkill?


Kind of like ID cards in Estonia? You have a chip on the card that holds your private key and the government has a list of people and their public keys. Services and other people can check that. You can even sign and encrypt documents with it.


China's ID cards also have chips, and they have to scan them to enter train stations or airports (or the center of the old town in Tibet)...


It sounds like the scammers did a lot of work, succeeded in their deception, but still didn't end up turning a profit. What was their plan here?


Nidhi Razdan gets a lot of hate, particularly from the right in India.


It was probably a really bad joke by someone who did not like her. I can't see how you could get any financial gain from it. Scammers are usually slick, but very lazy.


The one thing the attacker definitely achieved was to reveal that a particular journalist is not very good at an essential part of their job, fact checking.


You may be interested in this: https://www.youtube.com/watch?v=vJG698U2Mvo


How is this related to a job offer from a department that doesn't exist at all?

And no, it wasn't particularly interesting since I am incapable of falling for optical illusions.


I'm confused. I don't know why you're incapable of falling for optical illusions, but that video did not have one.

It explained the concept of attention blindness. If you look for something else, then you may miss the gorilla in the room, even though it is as obvious as can be. Same goes for job offers. You're primarily looking to get the great job, and involuntarily and unknowingly enter a kind of tunnel vision.


And that tunnel vision includes not even looking at the department which supposedly offers that job to you?

Since everyone seems to beat the same horse, I feel like I have to declare that of course, everyone can make a slip up, nobody is free of failure, we are all human. This is so obvious that I feel stupid stating it.

But we're talking about a journalist. The protagonists of a story do have an influence on its perception.


> In January 2020, I got an email from an alleged Harvard Human Resources person from what appeared to be an official Harvard email ID,

It would have been interesting if she would have shared exactly what that email address was. Was it hr@harvard.com or maybe hr@harverd.com? I doubt that it was hr@<something>.edu since it is hard to register .edu domains. But if someone did, that would be news to me.


A url containing 'harvard' and redirecting to an actual faculty website is going to convince most people if the communications are plausible. Many large organizations use multiple url forms for emails, especially for quasi-separate divisions like business schools or extension programmes.

A particularly sneaky scammer without access to Harvard mailboxes might register a plausible-sounding domain with an .ac TLD (which resembles the .ac reserved for universities in many national domain systems including the author's, but is actually a freely purchasable domain supposedly associated with Ascension Island)


A clever person could hijack an alumni email account username@post.harvard.edu

Note the bad pun Harvard uses: "post"

Or you could get an address (deceptively or via hijack) on a subdomain run by a student group.


Yeah. The alumni emails probably follow a pattern. Get a list of alumni and find one who hadn't set up an email forwarding address previously and set up an account.


You can’t send from a post.harvard.edu email address - it is just a forwarding address for receiving mail.


Maybe something like @harvard-school-of-journalism.com, although that's too wordy. The article mentions "Harvard Extension School", so, it could be some variation of that.

Edit: I tried harvard-extension.school in the browser, it redirected me to http:harvard-education.edu (not https!), which seems to be a clone of extension.harvard.edu . The WHOIS records of harvard-extension.school/.education are pretty new (registered last year), and they're registered on GoDaddy and 1API GmbH respectively. A Germany-based registrar? Would Harvard use them?


One thing I haven't seen mentioned is that there is a name for these kinds of advanced phishing attempts, which is "spear-phishing". Normal phishing is broadly targeted and fairly generic - "You just won a cruise", online parking ticket due, etc. It's usually easy to spot once you're aware of it.

Spear-phishing, in contrast, targets a specific audience with a message that includes specific details that make it more convincing - your boss's name, company, job title, bank account number, mortgage loan start date, health provider name, etc. The more specific, the better. These can be very hard to detect. If I've just been to the doctor, I'm expecting to get an email about a hospital bill, and I'm pretty confident that the hospital's online payment site will look like it hasn't been updated from the 90s. TBH, half the time I'm paying a medical bill online, I'm crossing my fingers that it's actually going to the right place...


This was all over Twitter in India yesterday when she first tweeted about it. People were making fun of her and NDTV (her previous employer) which I thought was somewhat deserved considering they (she and her NDTV colleagues) pretend to be righteous, above all others, calling others with names like ‘Fake Media’, graduate of WhatsApp University, etc. They claim themselves to be true journalists and guardians of truth. This must be a reality check and sobering moment. (fun-fact: NDTV also runs a program named ‘Reality Check’)

edit: grammatical


They are certainly biased to the left. But they are definitely better than any of the alternatives in India... Have you seen what kind of garbage is reported by Indian news channels? There was the entire bullshit non issue about Rhea Chakroborty and the SSR suicide that was extremely disappointing to watch. And you can in no way defend the kind of nonsense that is spread on WhatsApp groups in India.


You are all correct, it still doesn’t justify self certifying as righteous. One’s greatness is for others to evaluate, not they themselves.


You perceive them as righteous. They have never said it themselves.


I don't get it ? So they call out other media channels. So their journalists deserve shit ?

Twitter is filled with BJP IT Cell bots and miscreants. I wouldn't expect less.

Can you say with a straight face that Republic TV is not biased ? Or India TV ?


Republic TV and Zee News are literally owned by BJP members of parliament.


She mentioned she was interviewed online. Was it a video interview or someone IMing questions? A non video interview would have been a red flag to me.


This scam sounds frighteningly sophisticated. I really feel bad for people who get caught up in things like this.

To get strung along for over a year, throwing away that much time and energy, must feel devastating.



I did.


I once got an email from our dean that he needed to see me urgently in his office. I first believed this was true but then this was very unusual to the dean who never communicated with me before to urgently needing me in his office. Once I double checked I realized it was a scam and many of my colleagues also got the same email.

I immediately alerted the dean to warn everyone.


Wait, what sort of attack requires everyone to be in the dean's office?


I think the attacker expected that I would reply and ask what it is about and would have asked me to do something phishy I guess. The email was his full name @gmail.com


Someone who wants the office empty so no one witnesses what they do while everyone else is gone.


I figure if it's actually important, they'd personally meet me or call. You don't respond over email hoping for an instant response. It's obvious from the start of the email.


Maybe they have your email but not your mobile number? Or they want a written record of when and how they contacted you?


Depending on what rung you're on in the corporate ladder, if the head of the institution "needed me" immediately, I'm extraordinarily skeptical they do not have a means of contacting me directly. Especially if they have assistants and other immediate VP's. Hell a corporate directory to look up my number...

If a CEO is gonna want me fired because I'm being skeptical of the veracity of an email, I wouldn't want to work at such a place.


I guess it depends on the nature of the request. I got an email from our CEO a few weeks ago asking for my number to talk about something and I work for a 10K+ person company. (I also know him pretty well and I was pretty sure what this was in reference to.) A lot of execs don't have a problem with reaching out to people directly. Now, if he sent me an email asking me to go to some sketchy website or complete some financial transaction for him that would be something else.


Hmmm...I guess I am one of those folks who practices trust but verify through independent sources and would have picked up the phone and called the Harvard HR Department using a known good number vice only relying on and communicating on email. Second, some posters have said that you can pass company phishing training and still be victimized by these cyber criminals...true to some degree; however, a cursory check of the SMTP email header and/or embedded HTTP links would probably have provided clear indication that something was amiss. But I agree victim blaming is not and will not ever be appropriate.
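
An added example, not part of any comment in this thread: the "cursory check" of mail headers mentioned above, combined with the Reply-To and `person@hr.harvard.edu.obscuredomain.tld` observations made earlier in the thread, written as a small Python triage function. The sample messages, local parts, `mx.example.net`, and all function names are constructed for illustration, and the registrable-domain helper is a simplification that assumes a two-label domain (a real tool would use the Public Suffix List).

```python
"""Header triage for mail that claims to come from a known organisation.

Constructed example: the sample messages, addresses and helper names are
hypothetical and are not taken from the incident discussed in the thread.
"""
import re
from email import message_from_string
from email.utils import parseaddr


def addr_domain(header_value):
    """Lower-cased domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower().rstrip(".")


def registrable(domain):
    """Simplified registrable domain: the last two labels.

    Assumption: fine for .edu/.com; suffixes such as .ac.in need the
    Public Suffix List instead.
    """
    return ".".join(domain.split(".")[-2:])


def belongs_to(domain, org_domain):
    """True only if domain is org_domain itself or one of its subdomains."""
    return domain == org_domain or domain.endswith("." + org_domain)


def auth_results(msg):
    """Extract spf/dkim/dmarc verdicts and the domains they were checked for.

    Only meaningful when the header was added by your own receiving server.
    """
    value = " ".join(msg.get_all("Authentication-Results", []))
    out = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", value))
    mailfrom = re.search(r"smtp\.mailfrom=(?:[^\s;@]*@)?([^\s;]+)", value)
    dkim_d = re.search(r"header\.d=([^\s;]+)", value)
    out["spf_domain"] = mailfrom.group(1).lower() if mailfrom else ""
    out["dkim_domain"] = dkim_d.group(1).lower() if dkim_d else ""
    return out


def triage(raw_message, org_domain):
    """Return a list of finding codes; an empty list means nothing stood out."""
    msg = message_from_string(raw_message)
    from_dom = addr_domain(msg["From"])
    reply_dom = addr_domain(msg["Reply-To"])
    auth = auth_results(msg)
    findings = []

    # 1. Does the visible sender domain really sit under the organisation's?
    if not belongs_to(from_dom, org_domain):
        findings.append("from-not-org")
        # e.g. hr.harvard.edu.obscuredomain.tld: org name used as a prefix.
        if "." + org_domain + "." in "." + from_dom + ".":
            findings.append("org-domain-embedded")
    # 2. Will replies go somewhere other than the visible sender's domain?
    if reply_dom and registrable(reply_dom) != registrable(from_dom):
        findings.append("reply-to-diverges")
    # 3. SPF/DKIM only vouch for the visible From if their domain aligns with it.
    for method in ("spf", "dkim"):
        checked = auth[method + "_domain"]
        if auth.get(method) == "pass" and registrable(checked) != registrable(from_dom):
            findings.append(method + "-not-aligned")
    if auth.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    return findings


# Constructed samples (headers are folded to keep the lines short).
LOOKALIKE = """\
Authentication-Results: mx.example.net; spf=pass
 smtp.mailfrom=bounce@obscuredomain.tld; dkim=pass
 header.d=obscuredomain.tld; dmarc=pass
From: "Harvard HR" <person@hr.harvard.edu.obscuredomain.tld>

(body omitted)
"""

SPOOFED = """\
Authentication-Results: mx.example.net; spf=pass
 smtp.mailfrom=bounce@sender.example; dkim=none; dmarc=none
From: "Harvard HR" <sample-sender@harvard.edu>
Reply-To: "Harvard HR" <sample-sender@mailbox.example>

(body omitted)
"""

ALIGNED = """\
Authentication-Results: mx.example.net; spf=pass
 smtp.mailfrom=extension.harvard.edu; dkim=pass header.d=harvard.edu;
 dmarc=pass
From: <sample-sender@extension.harvard.edu>

(body omitted)
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", LOOKALIKE), ("spoofed", SPOOFED), ("aligned", ALIGNED)):
        print(name, triage(raw, "harvard.edu"))
```

The lookalike sample passes SPF, DKIM and DMARC for its own domain, so those verdicts only mean something once the From domain itself has been compared with the organisation's real one.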


Unless Harvard’s email servers were breached, this seems like a case of user error... Harvard.edu has SPF headers which should be enough to detect fake emails right away. If I’m not mistaken you’d have a really tough time spoofing those emails.


This is ridiculous. This journalist doesn't even have a PhD or any publications.

To those who are downvoting this because of the misleading comment below, note that she claimed on Twitter to be joining the Harvard Faculty of Arts and Sciences, not the Harvard Extension School. Nobody becomes an Associate Professor at the Harvard FAS without a PhD.

Source: https://twitter.com/Nidhi/status/1271705895437651968


Posted elsewhere, this is categorically false:

I’m not here to debate this specific claim of phishing, but this is just factually false, _especially_ for applied / practiced humanities. Here are two examples of well respected authors / journalists who are more senior than associate prof at Harvard’s FAS...and this was on just the first link in my first search:

Teju* Cole, Gore Vidal Professor of the Practice of Creative Writing (an endowed professorship, no less! With only an MA and mphil!) https://english.fas.harvard.edu/people/teju-cole

Michael Pollan, Lewis K. Chan Arts Lecturer and Professor of the Practice Non-Fiction (also a professor of journalism at Berkeley! With only an MA!) https://english.fas.harvard.edu/people/michael-pollan

HBS likewise has business practitioners without phds on faculty. Their expertise is of value regardless of on-paper credentials.

These are two very well respected writers. Often, in more research oriented disciplines, the “experts” have phds, by necessity. But especially for applied humanities like creative writing and journalism, the experts w the most experience quite often _do not_ have doctorates, and that does nothing to diminish their expertise or professional credentials.


This was Harvard Extension School. You're not talking a tenured Harvard professor position. One of my mentors undergrad was a former Newsweek editor who lectured a couple days a week and also didn't have a PhD or academic publications. (He had written books.)


This is just misleading. Razdan claimed on Twitter that she was joining the Harvard Faculty of Arts, not the Harvard Extension School. Harvard FAS does not have any journalism professors or offer degrees in journalism, and if it did, you would certainly need a PhD.


Posted elsewhere, this is categorically false:

I’m not here to debate this specific claim of phishing, but this is just factually false, _especially_ for applied / practiced humanities. Here are two examples of well respected authors / journalists who are more senior than associate prof at Harvard’s FAS...and this was on just the first link in my first search:

Teju* Cole, Gore Vidal Professor of the Practice of Creative Writing (an endowed professorship, no less! With only an MA and MPhil!) https://english.fas.harvard.edu/people/teju-cole

Michael Pollan, Lewis K. Chan Arts Lecturer and Professor of the Practice Non-Fiction (also a professor of journalism at Berkeley! With only an MA!) https://english.fas.harvard.edu/people/michael-pollan

HBS likewise has business practitioners without PhDs on faculty. Their expertise is of value regardless of on-paper credentials.

These are two very well respected writers. Often, in more research oriented disciplines, the “experts” have PhDs, by necessity. But especially for applied humanities like creative writing and journalism, the experts w the most experience quite often _do not_ have doctorates, and that does nothing to diminish their expertise or professional credentials.


All I know is what she wrote in the post: "Contrary to what many are tweeting, Harvard has a school called the Extension School offering a Journalism Degree Programme. The actual programme is called the Master of Liberal Arts, Journalism degree. The Extension School lists 500 faculty of whom 17 are categorised as journalism faculty. A number of these people are working journalists. I believed I fit this profile."

ADDED: It certainly seems as if the story has changed from something implausible to something vaguely understandable.


I know, and it is irrelevant and misleading. This is what she tweeted in the first place:

"After 21 years at NDTV, I am changing direction and moving on. Later this year, I start as an Associate Professor teaching journalism as part of Harvard University’s Faculty of Arts and Sciences."

Nobody is joining Harvard's FAS as an Associate Professor without a PhD.


I’m not here to debate this specific claim of phishing, but this is just factually false, _especially_ for applied / practiced humanities. Here are two examples of well respected authors / journalists who are more senior than associate prof at Harvard’s FAS...and this was on just the first link in my first search:

Teju* Cole, Gore Vidal Professor of the Practice of Creative Writing (an endowed professorship, no less! With only an MA and MPhil!) https://english.fas.harvard.edu/people/teju-cole

Michael Pollan, Lewis K. Chan Arts Lecturer and Professor of the Practice Non-Fiction (also a professor of journalism at Berkeley! With only an MA!) https://english.fas.harvard.edu/people/michael-pollan

HBS likewise has business practitioners without PhDs on faculty. Their expertise is of value regardless of on-paper credentials.

These are two very well respected writers. Often, in more research oriented disciplines, the “experts” have PhDs, by necessity. But especially for applied humanities like creative writing and journalism, the experts w the most experience quite often _do not_ have doctorates, and that does nothing to diminish their expertise or professional credentials.


I believe GP is referring to her original announcement here: https://twitter.com/Nidhi/status/1271705895437651968


Though she did originally say she was joining "Harvard University’s Faculty of Arts and Sciences" - https://twitter.com/Nidhi/status/1271705895437651968


For those not familiar with Harvard’s Extension School, it provides classes to the general public (you have to register and pay but they are open to anyone)

https://www.extension.harvard.edu/registration-admissions


I realize this is uselessly pedantic, but Harvard's Division of Continuing Education (Extension School + Summer School) is technically under the FAS umbrella, alongside Harvard College (undergrad) and GSAS (graduate arts + sciences). ~15 years ago I worked for FAS as a web developer, and the software my org developed was used by all 3 of these schools. Wikipedia confirms FAS is still organized in this way: https://en.wikipedia.org/wiki/Harvard_Faculty_of_Arts_and_Sc...

That said, yes it's extremely misleading for a DCE instructor to call themselves an FAS professor. This sort of thing does happen at all top tier schools' extension programs, though far more often it's done by students rather than instructors.


A few weeks ago I was in the next room washing dishes overhearing my dad say he just got an alert of missing funds from his bank account.

I asked him about it 10 minutes later and was shocked he had submitted all his account information from a text alert.

“You do realize you just gave all your account information to a scammer in a phishing attack I hope.”

Thankfully he was able to change account information within minutes and no funds were lost.

Moral: check in with your parents, people around the world are trying to scam them weekly.


One suggestion to people is to not follow any links in emails and to look things up instead. For example, if you get an email to sign up for something, try to find that page yourself by googling it. If you get an email from someone at Harvard, try to find that person on the Harvard website to verify the email and everything else. But again, don't do it by following links in the email. Google/Bing/DDG is your friend.


Imagine a future where an army of GPT-4 agents await mere mortals in cyberspace.

If they are all programmed to extract funds through conversation, how will we prevent this?


‘many emails were exchanged between me and these alleged Harvard email IDs where they sought my personal information for a "work visa".’

‘I had been told a work visa had been issued in the US for me which would be sent to me only when travel was required.’

I think this should have been a major red flag. Work visas are not issued like that. I don’t understand why you wouldn’t interact with an embassy for visa issuance.


Definitely a targeted, very personal attack, as you can scam an order of magnitude more funds by focusing on the masses instead of making fake interviews, offer packets, etc.

I'd love more details, because there's not much to learn here. I walk away from the article with no idea about novel defensive strategies people need to take and no idea what we as technologists can do to help prevent this in the future.


The last line - "(Nidhi Razdan is former Executive Editor, NDTV.)"

That's their classic way of burning her for burning them.

Having said that, I learnt the same lesson as well a few years ago. Never quit your current job unless you're 101% sure your next job is waiting for you and all the due process is taken care of.


It is surprising to me that this is international news. There are panel discussions running. And now a post on HN?

Anything unique about this that explains the blast radius of this news?


So does this mean that LinkedIn is now a useful collection of targets?


Can’t believe how confident she must be. Harvard headhunted her without her even applying for the job? She must be so cocky to fall for it.


That is a bad sort of victim blaming.

I hope you wouldn't apply that logic to victims of other non-online crimes.

Anyway, separately, she addresses that in her article, convincingly I thought. Plus she's brave and helping others to write about this (which victim blaming doesn't encourage).


My only point is that she is a journalist working for a reputable news agency for 21 years. Her job was to fact check everything. This means that a lot of things she told in the media before should be taken with a pinch of salt.


Not just her. All of journalism.

http://www.paulgraham.com/submarine.html


I would expect my aunt who thinks everything on WhatsApp is true to fall for it. She is a professional journalist with lots of experience as a fact checker. I am sorry she fell for it but from someone with her education level and awareness I expected more.


> I was invited to speak at an event (...) One of the apparent organisers of this event contacted me separately to say there was a vacancy for a teaching position and would I be interested (...) I submitted my CV (...) A few weeks later I was "interviewed"

This sounds exactly like the kind of job opportunity that's meant to come about by networking, getting your name out there, public speaking and so on. We are often told that this is how the best jobs are found.


Yes, up to that point it all seems very plausible whatever the victim-blamers on this thread think. Down the road, should alarm bells have started going off? Probably. But especially in the context of COVID-19, it's not hard to imagine those bells being suppressed in the excitement of a new opportunity etc.


Most phishing scams require the target to have an emotional reaction that clouds their judgement. For example, if you get an email saying that your credit card was charged in another state, if you are worried about your finances you may panic and click on the button to login and deny the charges.


What a strange reaction to this story.


Can't anyone say anything negative even if it makes sense?


I had a similar thought: I would be more and more suspicious the longer I didn’t get an email from an @harvard.edu email.


The article states that all the emails appeared to be from official Harvard email addresses.

At some universities, it’s possible to create email aliases at your .edu domain, so it’s possible that the scammer had access to one or more convincing email addresses.


That greatly increases the level of sophistication.

The article doesn’t say that the emails received were “@harvard.edu” only that they appeared to be valid Harvard ids. That means she made a judgement call that the emails were legitimate, but it doesn’t give very many technical details on what she judged that call on.


This makes me assume that the bits she's most embarrassed about (a fact-checker should be able to find out what the valid Harvard email domains are) are the ones she glossed over.


I don’t think this article was written for a technical audience so it’s not surprising that it’s light on technical details.
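An added example, not part of any comment in this thread: the SPF point raised earlier and the question above of what "appeared to be valid Harvard ids" rests on both come down to which domain a receiving server actually authenticated. SPF is evaluated against the envelope sender rather than the visible From address, and the verdict is recorded in the `Authentication-Results` header, so the sketch below checks the From domain, the SPF result and its alignment, and the DMARC result. The `mx.example.net` server name, the alignment rule (exact domain or subdomain) and all sample messages are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

EXPECTED = "harvard.edu"       # domain the recipient believes they are dealing with
TRUSTED_MX = "mx.example.net"  # assumption: authserv-id stamped by our own mail server

def domain_of(addr):
    """Domain part of an address (or the bare domain itself), lower-cased."""
    return addr.rpartition("@")[2].strip().lower()

def within(domain, org):
    """True if domain is org or one of its subdomains."""
    return bool(org) and (domain == org or domain.endswith("." + org))

def assess(raw, expected=EXPECTED):
    """Return red flags for one raw message; an empty list means none found."""
    msg = message_from_string(raw)
    from_dom = domain_of(parseaddr(msg.get("From", ""))[1])
    # Only trust results added by our own server; a sender can forge this header too.
    auth = " ".join(h for h in msg.get_all("Authentication-Results", [])
                    if h.split(";")[0].strip() == TRUSTED_MX)
    spf = re.search(r"\bspf=(\w+)", auth)
    mailfrom = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", auth)
    dmarc = re.search(r"\bdmarc=(\w+)", auth)
    mf_dom = domain_of(mailfrom.group(1)) if mailfrom else ""
    flags = []
    if not within(from_dom, expected):
        flags.append(f"From domain {from_dom} is not under {expected}")
    if not spf or spf.group(1) != "pass":
        flags.append("no SPF pass recorded by our server")
    elif mf_dom and not within(mf_dom, from_dom):
        # SPF validated the envelope sender, which the reader never sees (simplified alignment).
        flags.append(f"SPF passed for {mf_dom}, not the From domain")
    if not dmarc or dmarc.group(1) != "pass":
        flags.append("no DMARC pass recorded by our server")
    return flags

# Constructed sample messages (addresses and hosts are made up for illustration).
GENUINE = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=fas.harvard.edu;"
           " dmarc=pass header.from=fas.harvard.edu\n"
           "From: Faculty Affairs <office@fas.harvard.edu>\nSubject: Offer\n\nHello\n")
LOOKALIKE = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=harvard-fas.example;"
             " dmarc=pass header.from=harvard-fas.example\n"
             "From: Harvard FAS <office@harvard-fas.example>\nSubject: Offer\n\nHello\n")
MISALIGNED = ("Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bulk-sender.example;"
              " dmarc=fail header.from=fas.harvard.edu\n"
              "From: Faculty Affairs <office@fas.harvard.edu>\nSubject: Offer\n\nHello\n")
```

The lookalike message passes SPF and DMARC for its own domain and is caught only by comparing the From domain with the one the recipient expected, which is the check a reader has to make by eye.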



