Digital Literacy · Online Safety & Privacy

Phishing and Scams

Lesson 4

# Phishing and Scams: Online Safety & Privacy

## Learning Objectives

By the end of this lesson, students will be able to:

- **Identify** common characteristics of phishing emails, messages, and websites
- **Explain** how cybercriminals use social engineering techniques to trick people online
- **Evaluate** suspicious online communications to determine if they are legitimate or fraudulent
- **Apply** practical strategies to protect themselves from phishing attacks and online scams
- **Respond** appropriately when encountering potential phishing attempts

## Introduction

Imagine receiving an urgent email that appears to be from your school, claiming your account will be suspended unless you click a link and enter your password immediately. Your heart races as you reach for the mouse—but wait! This could be a phishing attack designed to steal your personal information.

Phishing and online scams are among the most common cyber threats today, affecting millions of people worldwide every year. The term "phishing" comes from the idea that cybercriminals are "fishing" for your valuable information by using fake bait—convincing-looking emails, messages, or websites. These scams have become increasingly sophisticated, targeting not just adults but young people too. According to recent studies, teenagers are actually more likely to fall for certain types of online scams than older adults because they spend more time online and may trust digital communications more readily.

Understanding how to recognize and avoid phishing attempts is an essential digital literacy skill that will protect you throughout your life. In this lesson, we'll explore how these scams work, learn to spot the warning signs, and develop strategies to keep your personal information safe online.

## Key Concepts

### What is Phishing?

**Phishing** is a type of cybercrime where attackers disguise themselves as trustworthy sources to trick people into revealing sensitive information such as passwords, credit card numbers, or personal details. The goal is usually to steal money, identity information, or gain unauthorized access to accounts.

### Types of Phishing and Scams

**1. Email Phishing**
The most common form, where fraudulent emails appear to come from legitimate organizations (banks, schools, popular websites). These emails typically create a sense of urgency and contain links to fake websites.

**2. Spear Phishing**
Targeted attacks directed at specific individuals or organizations, using personalized information to appear more convincing.

**3. Smishing (SMS Phishing)**
Phishing attacks delivered through text messages, often claiming you've won a prize or need to verify account information.

**4. Vishing (Voice Phishing)**
Phone calls from scammers pretending to be from tech support, banks, or government agencies.

**5. Clone Phishing**
Attackers copy a legitimate email you've received before, replacing links with malicious ones.

### Social Engineering Techniques

Cybercriminals use **social engineering**—psychological manipulation—to exploit human emotions and behaviors:

- **Urgency**: "Act now or your account will be deleted!"
- **Fear**: "Suspicious activity detected on your account"
- **Curiosity**: "You won't believe this amazing offer!"
- **Authority**: Messages appearing to come from teachers, administrators, or officials
- **Trust**: Using familiar logos, names, and professional-looking designs

### Red Flags: How to Spot Phishing

- **Suspicious sender addresses**: Look carefully at email addresses. "[email protected]" (with a zero) is not "[email protected]"
- **Poor grammar and spelling**: Many phishing emails contain obvious errors, though sophisticated ones may not
- **Generic greetings**: "Dear Customer" instead of your actual name
- **Requests for personal information**: Legitimate organizations never ask for passwords or sensitive data via email
- **Suspicious links**: Hover over links (without clicking) to see the actual URL destination
- **Unexpected attachments**: Files from unknown sources may contain malware
- **Too good to be true**: Unrealistic offers, prizes, or promises

## Worked Examples

### Example 1: Analyzing a Suspicious Email

**Scenario**: You receive the following email:

```
From: [email protected]
Subject: URGENT: Account Verification Required

Dear Student,

Your account has been flagged for suspicious activity. You must verify your identity within 24 hours or your account will be permanently deleted.

Click here to verify now: http://verify-account-now.xyz/school

School IT Department
```

**Step-by-step Analysis**:

1. **Check the sender**: "schoolporta1.com" uses the number "1" instead of the letter "l"—suspicious!
2. **Look for urgency tactics**: "URGENT" and "24 hours" create unnecessary panic
3. **Generic greeting**: "Dear Student" rather than your name
4. **Examine the link**: The URL "verify-account-now.xyz" doesn't match your school's domain
5. **Verify independently**: Real IT departments don't send unsolicited verification requests

**Conclusion**: This is a phishing attempt. DO NOT click the link or respond.

### Example 2: Text Message Scam

**Scenario**: You receive this text:

```
"Congratulations! You've been selected as a winner of a £500 shopping voucher! Click here to claim: [link]. Expires in 2 hours!"
```

**Step-by-step Analysis**:

1. **Unexpected prize**: You never entered any competition
2. **Unknown sender**: No legitimate company name or verification
3. **Time pressure**: "Expires in 2 hours" rushes your decision
4. **Suspicious link**: Legitimate competitions don't distribute prizes via random text messages

**Conclusion**: This is smishing. Delete the message immediately.

### Example 3: Friend's Compromised Account

**Scenario**: Your friend sends you a message on social media:

```
"OMG! I found this embarrassing video of you! Is this really you? [link]"
```

**Step-by-step Analysis**:

1. **Unusual behavior**: Your friend doesn't typically write like this
2. **Emotional trigger**: Uses embarrassment to make you click quickly
3. **Suspicious link**: Generic message with a link—classic compromise pattern
4. **Verify directly**: Contact your friend through a different method (phone, in person)

**Conclusion**: Your friend's account was likely hacked. Don't click the link; warn your friend through another communication channel.

## Practice Questions

**Question 1**: List four red flags that might indicate an email is a phishing attempt.

**Question 2**: You receive an email claiming to be from a popular gaming platform, asking you to "confirm your account details to receive free game credits." What steps should you take?

**Question 3**: Explain the difference between phishing and smishing. Give an example of each.

**Question 4**: Why do phishing emails often create a sense of urgency? How does this psychological tactic work on victims?

**Question 5**: A website looks identical to your school's login page, but the URL is slightly different. What should you do, and why is the URL important?
## Summary

**Key Takeaways**:

- **Phishing** is when cybercriminals impersonate trusted sources to steal personal information, passwords, or money
- **Common types** include email phishing, smishing (SMS), vishing (voice calls), and social media scams
- **Social engineering tactics** exploit emotions like fear, urgency, curiosity, and trust to manipulate victims
- **Warning signs** include suspicious sender addresses, poor grammar, generic greetings, urgent language, requests for personal information, and too-good-to-be-true offers
- **Always verify** suspicious communications by contacting the organization directly through official channels
- **Never click** on links or download attachments from unknown or suspicious sources
- **Protect your information** by never sharing passwords, personal details, or financial information via email or text
- **Report phishing attempts** to adults, teachers, or IT administrators to help protect others

## Exam Tips

**Tip 1: Use the STOP method in scenario questions**

When exam questions present a phishing scenario, demonstrate your understanding by using this systematic approach:

- **S**uspicious elements—identify red flags
- **T**hink—explain why it's dangerous
- **O**ptions—describe safe alternatives
- **P**revent—suggest how to avoid similar threats

This structured response shows comprehensive understanding and earns maximum marks.

**Tip 2: Provide specific, detailed examples**

Instead of writing "check the email address," write "examine the sender's email address character by character to identify suspicious substitutions like numbers replacing letters (0 instead of O) or misspellings of legitimate domains." Specific details demonstrate deeper knowledge and receive higher marks.

**Tip 3: Connect concepts to real-world impact**

When explaining why phishing is dangerous, go beyond "it steals information" to explain consequences: "Phishing can lead to identity theft, financial loss, unauthorized account access, and compromise of personal data that affects not just the victim but their contacts as well." Examiners reward answers that show understanding of broader implications.

---

## Practice Question Answers

**Answer 1**: Four red flags include: (1) Suspicious or misspelled sender email address, (2) Generic greetings like "Dear User," (3) Urgent language pressuring immediate action, (4) Requests for personal information or passwords, (5) Suspicious links or unexpected attachments [any four].

**Answer 2**: Do NOT click any links or provide information. Instead: (1) Verify by going directly to the gaming platform's official website (type the URL yourself), (2) Check your account through the legitimate site, (3) Contact the platform's official support if concerned, (4) Report the suspicious email as phishing.

**Answer 3**: **Phishing** uses fraudulent emails to trick people into revealing information. Example: An email claiming to be from a bank asking you to verify your account. **Smishing** is phishing via SMS/text messages. Example: A text claiming you've won a prize with a link to claim it. Both use deception, but through different communication channels.

**Answer 4**: Urgency prevents careful thinking. When people feel rushed ("Act now or lose your account!"), they're more likely to make impulsive decisions without analyzing whether the message is legitimate. This psychological pressure overrides normal skepticism and critical thinking, exactly what scammers want.

**Answer 5**: DO NOT enter any login information. Close the page immediately and navigate to your school's website by typing the correct URL yourself or using a trusted bookmark. The URL is crucial because it's the true identifier of a website—visual appearance can be copied, but the exact URL cannot be duplicated. Always verify the URL matches the legitimate domain exactly.


Why This Matters

This lesson teaches students how to recognize and avoid phishing attacks and online scams. Students learn to identify suspicious emails, messages, and websites while developing critical thinking skills to protect their personal information and stay safe online.

Key Words to Know

1. Phishing — fraudulent attempts to obtain sensitive information by disguising as trustworthy entities
2. Warning signs — poor grammar, urgent requests, suspicious links, unknown senders, and requests for personal data
3. Social engineering — manipulation techniques used to trick people into revealing confidential information
4. Verification methods — checking sender addresses, hovering over links, contacting organizations directly
5. Protection strategies — using strong passwords, enabling two-factor authentication, and reporting suspicious activity

Introduction

Phishing and scams are deceptive tactics used by cybercriminals to trick people into revealing personal information, downloading malware, or transferring money. As digital citizens, understanding these threats is essential for protecting yourself and others online. Phishing typically involves fraudulent emails, messages, or websites that appear legitimate but are designed to steal sensitive data such as passwords, credit card numbers, or personal details.

In today's connected world, scammers use increasingly sophisticated methods to target victims of all ages. They exploit human emotions like fear, urgency, and curiosity to manipulate people into making poor decisions. Common phishing attempts include fake bank emails, prize notifications, tech support scams, and messages claiming to be from trusted organizations.

This study guide will help you develop critical digital literacy skills to identify and avoid phishing attempts and online scams. You'll learn to recognize warning signs, verify sources, and respond appropriately when encountering suspicious communications. These skills are not only important for your personal safety but also valuable for protecting your family, friends, and community from cyber threats. By becoming aware of common tactics and developing healthy skepticism online, you can significantly reduce your risk of falling victim to these malicious schemes.

Core Concepts

Phishing is a cybercrime where attackers impersonate legitimate organizations or individuals to deceive victims into providing sensitive information. The term comes from "fishing" because scammers cast out bait hoping someone will bite. Understanding key concepts helps you recognize and avoid these threats:

  • Social Engineering: Psychological manipulation techniques that exploit human trust, fear, or curiosity rather than technical vulnerabilities
  • Spoofing: Disguising communication to appear as if it comes from a trusted source, such as fake email addresses or copied websites
  • Urgency Tactics: Creating artificial time pressure to prevent victims from thinking critically about requests
  • Credential Harvesting: Collecting login details, passwords, and personal information for identity theft or account takeover
  • Malware Distribution: Tricking users into downloading harmful software through infected attachments or links

Common scam types include email phishing, SMS phishing (smishing), voice call scams (vishing), and fake websites. Scammers often impersonate banks, online retailers, social media platforms, or government agencies. They may offer fake prizes, request urgent account verification, or claim there's a problem requiring immediate action. Understanding these core concepts creates a foundation for recognizing suspicious activities across different digital platforms.

Key Skills

Developing practical skills to identify and respond to phishing attempts is crucial for online safety. These competencies will help you navigate the digital world more securely:

  • Email Verification: Examine sender addresses carefully, looking for misspellings or unusual domains (e.g., "paypa1.com" instead of "paypal.com")
  • Link Inspection: Hover over links before clicking to preview the actual URL; look for suspicious domains or unfamiliar web addresses
  • Grammar and Spelling Analysis: Notice poor language quality, unusual phrasing, or generic greetings that legitimate organizations typically avoid
  • Request Evaluation: Question unexpected requests for personal information, passwords, or financial details
  • Independent Verification: Contact organizations directly using official contact information rather than responding to suspicious messages
  • Reporting Mechanisms: Know how to report phishing attempts to appropriate authorities, IT administrators, or platform providers

Additionally, practice critical thinking by asking yourself: Does this message make sense? Why would this organization contact me this way? Is the offer too good to be true? Developing a healthy level of skepticism helps protect against manipulation. Always verify unexpected communications through independent channels, use strong unique passwords with two-factor authentication, and keep software updated to defend against security vulnerabilities that scammers might exploit.
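The checks listed under Key Skills (sender domain, link destination, urgency wording, generic greeting, requests for credentials) can be written down as a small checklist program, which also shows why "paypa1.com" is caught while "login.paypal.com" is not. The following is an added example and not part of the study guide: the sample messages, the mailbox name `helpdesk@`, the "trusted" domain list and the keyword lists are all constructed for illustration, and the look-alike test only handles digit-for-letter swaps.

```python
"""Red-flag checker that applies the lesson's phishing checklist to a message.

Added example, not code from the study guide. The sample messages, the
"trusted" domain list and the keyword lists are constructed for illustration.
"""
import re
from typing import List, Optional, Set
from urllib.parse import urlparse

# Digit-for-letter swaps that produce look-alike domains such as "paypa1.com"
# or "schoolporta1.com"; mapping each digit back lets a look-alike be compared
# with the domain it imitates.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "expires",
                 "act now", "suspended", "deleted")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear student", "dear member")
CREDENTIAL_WORDS = ("password", "verify your identity", "confirm your account",
                    "card number")
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def registered_domain(host: str) -> str:
    """Keep the last two labels ("login.example.com" -> "example.com").
    Simplification: multi-part public suffixes such as co.uk are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_domain(domain: str) -> str:
    """Undo digit-for-letter substitutions so a look-alike collapses onto its target."""
    return domain.lower().translate(CONFUSABLES)


def sender_domain(sender: str) -> str:
    """Domain part of "Name <user@host>" or plain "user@host"."""
    addr = sender.split("<")[-1].rstrip(">").strip()
    return addr.rsplit("@", 1)[-1].lower()


def check_domain(domain: str, trusted: Set[str]) -> Optional[str]:
    """None if the domain is trusted; otherwise report whether it merely
    looks like a trusted domain or is simply unknown."""
    reg = registered_domain(domain)
    if reg in trusted:
        return None
    if normalize_domain(reg) in {normalize_domain(t) for t in trusted}:
        return f"look-alike domain: {reg}"
    return f"unknown domain: {reg}"


def assess_message(sender: str, subject: str, body: str, trusted: Set[str]) -> List[str]:
    """Return the red flags found; an empty list means no checklist item fired."""
    flags: List[str] = []
    text = f"{subject}\n{body}".lower()

    sender_flag = check_domain(sender_domain(sender), trusted)
    if sender_flag:
        flags.append(f"sender {sender_flag}")

    # Judge every link by the host it really points to, not by its link text.
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        link_flag = check_domain(host, trusted) if host else f"unparseable link: {url}"
        if link_flag:
            flags.append(f"link {link_flag}")

    urgency = [w for w in URGENCY_WORDS if w in text]
    if urgency:
        flags.append("urgency language: " + ", ".join(urgency))
    greeting = next((g for g in GENERIC_GREETINGS if g in text), None)
    if greeting:
        flags.append(f"generic greeting: {greeting}")
    asks = [w for w in CREDENTIAL_WORDS if w in text]
    if asks:
        flags.append("asks for credentials: " + ", ".join(asks))
    return flags


# Constructed sample modelled on the lesson's Example 1; the mailbox name is invented.
SAMPLE_SENDER = "School IT <helpdesk@schoolporta1.com>"
SAMPLE_SUBJECT = "URGENT: Account Verification Required"
SAMPLE_BODY = (
    "Dear Student,\n\n"
    "Your account has been flagged for suspicious activity. You must verify your "
    "identity within 24 hours or your account will be permanently deleted.\n"
    "Click here to verify now: http://verify-account-now.xyz/school\n"
)
TRUSTED = {"schoolportal.com"}  # constructed: the school's real domain in this example

if __name__ == "__main__":
    for flag in assess_message(SAMPLE_SENDER, SAMPLE_SUBJECT, SAMPLE_BODY, TRUSTED):
        print("-", flag)
```

Run on the sample, the checker reports the look-alike sender domain, the link to an unrelated `.xyz` host, the urgency wording, the generic greeting and the credential request, which is the same list the worked example reaches by hand. A genuine notice from `schoolportal.com` with a friendly greeting and a link to `www.schoolportal.com` produces no flags. Keyword lists like these catch the clumsy cases the lesson describes; the domain comparison is the check that still works when the wording is polished.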

Worked Examples

Example 1: Suspicious Email
You receive an email claiming to be from your bank stating: "URGENT:...


Common Mistakes

Even digitally aware individuals can fall victim to scams. Understanding common mistakes helps you avoid them:


Exam Tips

  1. Be able to identify at least three warning signs of phishing emails such as spelling errors, urgent language, or suspicious sender addresses
  2. Know the difference between phishing and other online threats, and explain how to verify legitimate communications
  3. Understand practical steps to take if you encounter a suspected scam, including not clicking links and reporting to appropriate authorities