Hmmm...I guess I am one of those folks who practices trust but verify through independent sources and would have pick up the phone and called the Harvard HR Department using a known good number vice only relying on and communicating on email. Second, some posters have said that you can pass company phishing training and be still be victimized by this cyber criminals...true to some degree; however, a cursory check of the smtp email header and or embedded http links would probably have provided clear indication that something was amiss. But I agree victim blaming is not and will not ever be appropriate.