Regardless of which side of the political spectrum one is or what qualifications one has or what terrible deeds one has done (or alleged to have done), the fact is that phishing attacks aren’t very easy to avoid (you’d be fooling yourself if you believe you’d never fall for one). You can ace all the phishing email tests your company routinely sends you and still fall for a more sophisticated attack or fall for something that in retrospect seems stupid because you were preoccupied or stressed or had other serious things going on in life.
Victim blaming and questioning how she could believe that she’s qualified for some position is the wrong thing to talk about, and is also disgusting in certain ways.
What would be better, at least in a tech focused community, is to find out more details on how this happened and where the gaps (that are obvious in hindsight) are. I wish someone like Brian Krebs (of Krebs on Security) could get more information on this and do a detailed write up. That would be more insightful and useful to everyone than rants about the victim.
Thank you for posting that. There are obviously way too many people here (and elsewhere) who think they're way too smart to fall for phishing and other forms of scams unlike "stupid" grandmas, journalists, etc.
The reality is that we all do things when we're distracted and not really paying attention. Or we get caught up in the excitement of something and we don't stand back and ask ourselves whether it really makes sense. And anyone who thinks otherwise is just arrogant and misguided.
It may well be true that phishing scams can be easy to fall for, but it is not relevant to this story. Razdan tweeted that she was joining Harvard's Faculty of Arts & Sciences as an Associate Professor. Regardless of how convincing the phishing attempt was, this is incredibly naive; Razdan does not have a PhD or any publications and Harvard's FAS does not have any professors in journalism.
Not to mention that universities typically don't hire people at the associate professor level. The first rank is called "assistant professor," followed by "associate professor," and then "full professor." Associate and full are tenured ranks, which is why there isn't much hiring at that level.
Also, one would expect any open position at a US university to be advertised, most likely in The Chronicle of Higher Education. This is something perhaps only someone who's got a little familiarity with the academic job market may know, so, I suppose one could be forgiven for not knowing it, but I would assume that one would at least google for open positions at Harvard to find out if it really exists.
That said, naïve or not, I also don't think victim blaming is a productive thing to do here. All it does is discourage people from speaking out about their experiences, which means we can't learn from them. It may also discourage people from seeking help when they think they might be getting phished.
As others have pointed out on Twitter, I am not sure who is the victim here; Nidhi Razdan apparently had multiple speaking engagements where she was introduced as Harvard faculty:
I don’t understand. Are you saying people are claiming she made the whole thing up and was just going around saying she was an associate professor at Harvard?
To be honest, NDTV is one of the top English channels in India and Nidhi Razdan is a very well respected and recognized journalist.
It makes no sense for her to fake all of this for some "clout" as some on twitter suggested - she does not need it. Unfortunately there is a lot of cynicism for anything media (and in turn politics) related in India and people love to speculate.
What you are suggesting here makes this already interesting story even more interesting. Perhaps there are holes in her story but if she really knowingly faked the whole thing, why would she resign from her job?
It's possible there's an innocent explanation but Occam's Razor does suggest she just made up her Associate Professor at Harvard title and, when called out for it, concocted a story about it really being Harvard Extension School and phishing. Which was vaguely plausible so long as you don't think too deeply about it and ignore that, if this were the case, the initial Twitter post was deceptive.
By “resigned” I am assuming you mean she was fired. If she were fired why would her previous employer allow her to use their website to publish this story?
Who knows? Maybe the Occam's Razor conclusion isn't in fact the right one. Maybe the publication thinks it saves them face as well as her. (Journalists who lie look bad for news publications even if they're fired.)
Ok? I never said anything about PhDs. What I said was that people typically aren't hired in at the associate level. Those that are would typically be professors who have tenure at another institution, meaning that they're already at the associate level or higher. People who are denied tenure at their current institution and want to continue in academia would apply to an assistant professor job and negotiate a shortened tenure clock, meaning that they would be assessed for tenure in fewer than the standard 6 years that a brand new, never held a professorship of any type assistant professor would have.
Again, this is a lot of esoterica about the academic job market that not many people outside of those circles are going to know, so I don't blame anyone for not knowing it.
As I responded elsewhere, that's not what she wrote in the post that people are responding to. I would agree that if it were the case that she was offered a full faculty position after a 90 minute remote interview, that wouldn't pass the sniff test. But that's not what she claims in this post. It's very plausible that a working journalist would teach at Harvard Extension School. Though it's at least a bit of a stretch that Harvard would relocate someone from India to do so. And it does seem that her story is changing.
ADDED: And, yes, there seem to be different claims on twitter than what is stated in this post.
I am not sure how much more clear I can be with you. Nidhi Razdan claimed on Twitter that she was joining the Harvard Faculty of Arts and Sciences as an Associate Professor. The Harvard Extension School has absolutely nothing to do with any of this. Here is the original tweet:
Again, this is irrelevant. I find it hard to believe how often I have to repeat this. The Harvard Extension School does not hire tenured professors. You do not become a tenured faculty, let alone an associate professor, at Harvard's FAS if you have no research background. The story should fail a minimal scrutiny test from a layperson, let alone a journalist with more than 20 years of experience. This just doesn't add up.
Why do you repeatedly say "I can't believe I have to repeat this" and then say something you haven't mentioned in this thread?
What an "associate professor" is isn't common knowledge, even for a journalist. It both means something different in Commonwealth countries and the definition of "associate" is "entry level" which doesn't fit either version of an associate professor.
I'd absolutely expect an experienced American journalist to have a pretty good idea of how academia operates in the US. I do and I don't have a research background. I have no idea though how things operate in India.
The title is still fishy though even if she (as a journalist!) took some liberties in implying she was a professor at Harvard University (and what that implies) even though she wasn't. Just as if I said I graduated from Harvard when I got a degree of some sort from HES, that's clearly misleading. If you look through the faculty directory of HES, it doesn't look as if HES generally gives titles; most of the titles given are the faculty's positions at other institutions where applicable. (There are a few Lecturers in Extension.)
You don't need to have a PhD to be a professor in a "creative" field like journalism/art/writing/etc. For example Jamaica Kincaid is a professor at Harvard and if I recall correctly I don't think she even graduated from high school.
This. And the effectiveness of targeted phishing is why we must replace SMTP-based email, and eventually block SMTP on public networks. It isn't suited to the 21st Century Internet.
Hence, the mnm project[1] (open source client & server) and TMTP[2][3].
Hmm, the value proposition of MNM here (in preventing phishing) seems to derive from the design goal of not allowing arbitrary content on first contact between arbitrary users, or do I misunderstand?
This strikes me as a cure worse than the disease. There’s a strong social need for people—especially those who are public figures or soliciting job offers—to be reachable by “never before seen” contacts.
There’s also a strong social need to allow people to send emails from self-provided (i.e. unverified) names or identities, given the currently burdensome process of getting “verified”.
I think you could argue that there’s an opportunity to move business email to “real ID”-verified identities (e.g. with SMIME), but I struggle to see how that’s a problem with SMTP or how replacing the protocol will help there.
This reminds me of how if you ask almost anyone if marketing works on them, they'll say no or not the deceptive parts. Yet, logically, marketing must work on most people or Coke wouldn't spend 4 billion dollars a year on it. Feels hubris-y to me. We forget we all have the same equipment.
Interesting article. I know the big CPGs have been challenged by digitally native brands like harrys and the shave companies. It's also clearly not true if you're not a globally known brand with a lot of monopolies. I wonder if it holds true in all markets for the big brands. I also wonder if it would open them to more competition from smaller brands over time. Like the other commenter said, hard to name too many non coke/pepsi carbonated beverages.
I just wanted to comment on the Coke point specifically. They already have achieved market penetration at such a high level that I wonder is it really still worth it for them to keep spending 4B on ads a year. Uber also had a similar experience: https://news.ycombinator.com/item?id=25623858
I'm not sure if I understand you correctly, but at least around here there's RC Crown Cola, Solo, Farris, Pepsi, Pepsi Max, Eplerose, Oscar Sylte Pærebrus, Monster energy, Red Bull, 7-up etc and I don't think I am special at all for knowing them.
In case it matters, a number of these don't advertise, at least not in the same league as coke (multiple national campaigns a year).
> I don't think I am special at all for knowing them.
I would guess that at least 80% of people off the street would only be able to name advertised carbonated beverages. In that case, yes I think you are special.
I remember in a state of heavy depression filling out some random email spam survey and being about forty questions into it before asking myself what the hell I was doing.
A clever element of this is the cross-cultural nature: the Harvard name internationally known, yet someone not in that milieu would not be able to detect a number of "red flag" anomalies. In fact if the author was phished by someone in India (a likely case) then the perpetrator could make a cultural error that would be undetectable by the victim as they might share the same set of assumptions.
I say "cross cultural" but by that I also mean "cross domain" which is how financial scams can entrap victims who aren't familiar with the details of financial jargon.
It's also why people can believe conspiracy theories which are absurd to someone familiar with the domain.
I have yet to see a scam which would fool me. And I have seen many already.
All the scam and phishing mails I saw in my whole internet career were somewhere between totally obvious and embarrassingly blunt.
I can't agree with your assessment. If someone is naïve, they are at risk. Same applies for overconfidence. These are personality traits which are easily exploited. In real life as well as on the Internet. We can't protect everyone from everything. Neither in healthcare nor in VR.
No offense, but you’re likely a “nobody.” So you’ve only come across the generic scams. This is a famous person. The phishing attempt was designed specifically for her. You don’t know if you’d fall for it because 1) nobody would invest that much effort into phishing you, and 2) “we’d like you to come teach at our university” is a plausible thing for her to hear but not you or I.
One that was successful at my company recently was an e-mail sent to an electrical engineer from the CEO saying that the CEO needed a gift card from Target for an employee birthday, and had forgotten to pick it up. The EE went to Target and bought the card. The instructions included replying to the e-mail with the card # so the CEO could include the number in the birthday card and not need the actual plastic.
The spoof was believable at first glance. It used the CEO's actual first name and obscured the actual source e-mail address with his company e-mail as the name. What should have given the engineer pause (among other things) was the context. There was no reason that the CEO would ask an engineer to do this task at my company. Nonetheless, the engineer was perhaps overly deferential to the chain of command and the suspicion didn't emerge until he had embarrassed himself.
That's rough. I got a phishing email from my CEO asking about something similar with money and had a brief 'oh shit' chain of command moment before my incredulousness kicked in. I get it.
We had an employee fall for this exact scam, the only reason it failed is we are a smaller company so rather than reply our employee physically handed the cards to our CEO. She had bought 2k worth of target gift cards. Needless to say, our CEO was very confused. I looked at the phishing email, and in Gmail it looked very legit, since by default the email address isn't visible. The email had the correct first & last name of the CEO, only clicking on the header showed the from email didn't match our CEO's email.
I was shocked that a company as small as ours was targeted, this phishing attempt was clearly not bot generated and the English in the email was very good, the only thing that was fishy was the request for gift cards.
I've recently also heard "the email address is not visible by default" in a postmortem. This is a UX problem which leads to increased vulnerability. It needs to be fixed.
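The header tricks described in the comments above (a known executive's name, or even their company address, placed in the display name while the real sender is an outside mailbox, plus a Reply-To that collects the answer) can be caught on the mail gateway before any client hides the address. This is an added example, not code from the thread or from any mail product; the company domain, the executive list and the three messages are constructed for illustration.

```python
"""Flag display-name impersonation in inbound mail (constructed example)."""
from email import message_from_string
from email.utils import parseaddr

COMPANY_DOMAIN = "example.com"            # assumption: the defender's own domain
EXECUTIVES = {"jane doe"}                  # assumption: names worth protecting


def normalize_name(name: str) -> str:
    """Collapse case and whitespace so 'Doe, Jane' and 'jane doe' compare equal."""
    parts = name.replace(",", " ").split()
    return " ".join(parts).lower()


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def check_message(raw: str) -> list:
    """Return finding tags for the From:/Reply-To: headers of one RFC 5322 message."""
    msg = message_from_string(raw)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_domain = domain_of(addr)

    # 1. A protected name in the display field, but the mailbox is external.
    if normalize_name(display) in EXECUTIVES and sender_domain != COMPANY_DOMAIN:
        findings.append("exec-name-external-domain")

    # 2. The display field itself looks like an address on a different domain
    #    (the "company e-mail as the name" trick), which clients render as the sender.
    if "@" in display and domain_of(display) != sender_domain:
        findings.append("address-in-display-name")

    # 3. Replies are routed to a mailbox other than the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr.lower():
        findings.append("reply-to-mismatch")
    return findings


# Constructed sample messages (not real mail).
SPOOF_NAME = """From: Jane Doe <ceo.office.1234@freemail.example>
Reply-To: card.codes@freemail.example
To: engineer@example.com
Subject: Quick favour

Can you pick up a gift card today? Reply with the card number.
"""
SPOOF_ADDR = 'From: "jane.doe@example.com" <x9@other.example>\nSubject: Hi\n\nHello\n'
LEGIT = "From: Jane Doe <jane.doe@example.com>\nSubject: Hi\n\nHello\n"

if __name__ == "__main__":
    for label, sample in [("spoof-name", SPOOF_NAME), ("spoof-addr", SPOOF_ADDR), ("legit", LEGIT)]:
        print(label, check_message(sample))
```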
In this case, it was his boss's boss's boss (I am his boss's boss). This particular engineer is highly valued at the company, including by me personally. It was at the same time surprising, but paining to see his consternation, and I certainly do hope he doesn't leave us. I'll gladly endure a $100 mistake to have his talents and attitude as an engineer.
> I have yet to see a scam which would fool me. And I have seen many already.
That's because you have never been targeted. It's that simple.
There is a small segment of society who are: a) savvy, and b) not actively engaged in commerce/business/community/career/friends/family, so any solicitation over email is likely suspicious.
Everyone else is at some level of risk. And sometimes it only takes one failure.
Even untargeted scams can fool a savvy person by coincidence. I followed my accountant when he switched accounting firms. Within two weeks of that, I got a generic accounting email SharePoint document share. It linked to the actual ms domain and used some redirection trickery to end up on a pixel perfect copy of the office 365 login screen. I only didn't get scammed because my password manager refused to auto fill.
Had the email come after I had learned the name of the new accounting firm, I never would have even clicked on the link.
>Even untargeted scams can fool a savvy person by coincidence.
And you can pick them up 99 times out of 100. But that 100th time, you're tired, rushing to get out the door, etc. and they get you.
I'm definitely more cautious than I was when phishing was just starting to be a big thing. Back then I don't think I ever fell for anything but there was once or twice when I wasn't really thinking and started down the path of providing information.
Maybe not but you will. If you live long enough you will suffer inevitable cognitive decline until one day you will be vulnerable to such a scam. We all will. No amount of good diet, meditation, fish oil and exercise will keep that from happening.
You pretty much nailed it. I am filtering a lot of stuff because I refuse to use certain modern flashy technologies. Office 365, yeah, go away. Firefox? Only on a dedicated machine if I really need it.
Emacs, SSH, tmux, old fashioned email (text only) and a linux virtual console is all I need to be productive, fast and especially happy.
A big part of what makes these attacks work is the tech stack in use on the recipient's side. I recently heard about an Emotet attack, and was told "Well, you know, the problem is that Outlook only shows the name but not the address by default". Oh well, what can you say about that?
If it fooled you well enough you might not have noticed you were scammed.
Scams run from laughably blunt like the Nigerian prince to remarkably close to the real thing, like the call centre that rang me pretending to sell phone contract upgrades that used exactly the same crap phone sales techniques my actual network used when they (coincidentally) called me a week later, and had a 1-letter different email address with the URL redirecting to the same website.