Spot the Shapeshifter: A Guide to Phishing
What if you could spot a digital trickster in disguise? The sneakiest cyberattacks don't use fancy code; they use psychology to fool you. With new AI making fake messages more believable than ever, learning to see through the tricks is a true superpower. Let's become digital detectives! 🕵️
1. The Human Exploit
Imagine a castle. A cyber-hacker could spend all day trying to break down the giant wooden door (the computer's code). Or... they could just trick a guard into handing over the key! Social engineering is tricking people to get the key. It's usually easier than breaking down the door.
The Door is the hard computer code. 💻
The Guard is you, the human user. 💂‍♂️
The Key is your password!
A Hacker in a silly disguise tries to trick the guard. 🥸
Which of these is the "key" hackers want most?
Mini-Game: Match the Attack!
Click an attack type on the left, then click its matching description on the right. Let's see how fast you can get all four!
- 🎣 Phishing
- 🎯 Spear Phishing
- Vishing
- 💬 Smishing
- A targeted email using personal info found online.
- Fake texts about package deliveries or bank alerts.
- A general fake email pretending to be from a popular service.
- A phone call from a scammer pretending to be tech support.
2. Spot the Phish (Shapeshifters in Disguise)
Look at each email carefully. Is it real or a phishing attempt? Click your verdict, and if you're right, we'll highlight the clues for you!
Dear PayPal Customer,
We have detected unusual activity on your account. To avoid permanent suspension, you must verify your identity within 24 hours.
Please click the link below to restore your account:
http://paypal-account-verify.secure-login.net/restore
PayPal Security Team · © 2024 PayPal Inc.
A new sign-in on Windows
Your Google Account ([email protected]) was just signed in to from a Windows device. If this was you, you don't need to do anything.
Review your account activity
You received this email to let you know about important changes to your Google Account and services.
Google LLC · 1600 Amphitheatre Pkwy · Mountain View, CA 94043
Hello,
We attempted to deliver your recent Amazon order but were unable to complete the delivery. A $1.99 redelivery fee is required to release your package.
Please update your delivery information and payment details here:
https://amazon-redelivery.com/update?order=7723
Amazon Logistics · Delivery Services
🕵️ Evidence Hunt: Spot the Clues!
Let's turn this into a game! Click on the red flags in the fake PayPal email below. Each time you click a clue, you'll have to identify the trick. Find all three to complete the mission!
Please click the link below to restore your account:
http://paypal-account-verify.secure-login.net/restore
Your Detective's Guide to Red Flags
Advanced Challenge: Unmask the Sender
The 'From' line can be easily faked. The truth is in the 'Received' path. Click on the line in the code below that reveals the true origin server of this email.
Return-Path: <[email protected]>
Delivered-To: [email protected]
Received: from mail-server.bad-guy.net (123.45.67.89)
From: "Netflix" <[email protected]>
Subject: Your account is suspended
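To show the "truth is in the Received path" idea in working code, here is an added example (not part of the original page): it parses a constructed header block modeled on the Netflix sample above, lists the hops oldest-first, and compares the origin server's domain with the domain the From line claims. The addresses, the second hop and the IP 203.0.113.5 are constructed stand-ins; only mail-server.bad-guy.net and 123.45.67.89 come from the page.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modeled on the page's header example. The addresses
# stand in for the page's redacted ones, and a second Received hop is added
# so the bottom-up reading order is visible.
RAW = """\
Return-Path: <alerts@netflix.com>
Delivered-To: you@example.com
Received: from mx1.example.com (mx1.example.com [203.0.113.5])
  by inbox.example.com; Mon, 1 Jan 2024 10:00:00 +0000
Received: from mail-server.bad-guy.net (123.45.67.89)
  by mx1.example.com; Mon, 1 Jan 2024 09:59:58 +0000
From: "Netflix" <alerts@netflix.com>
Subject: Your account is suspended

Body text.
"""

# "from <host> ... <ip>" inside one (unfolded) Received header.
HOP = re.compile(r"from\s+([\w.-]+)(?:.*?\[?(\d{1,3}(?:\.\d{1,3}){3})\]?)?", re.S)

def hops(raw):
    """Return (host, ip) per Received header, oldest hop first.
    Only hops written by your own servers ("by <your mx>") are trustworthy;
    a sender can prepend fake Received lines below them."""
    msg = message_from_string(raw)
    out = []
    for rec in reversed(msg.get_all("Received", [])):   # bottom = earliest
        m = HOP.search(" ".join(rec.split()))             # unfold continuation lines
        if m:
            out.append((m.group(1).lower(), m.group(2)))
    return out

def domain(addr):
    """Domain part of a mailbox such as '"Netflix" <alerts@netflix.com>'."""
    return parseaddr(addr)[1].rsplit("@", 1)[-1].lower()

def unmask(raw):
    """Compare the claimed From domain with the origin server's domain."""
    msg = message_from_string(raw)
    claimed = domain(msg.get("From", ""))
    path = hops(raw)
    if not path:
        return {"claimed": claimed, "origin": None, "ip": None, "consistent": None}
    origin_host, origin_ip = path[0]
    same = origin_host.split(".")[-2:] == claimed.split(".")[-2:]
    return {"claimed": claimed, "origin": origin_host, "ip": origin_ip, "consistent": same}
```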
Pro Challenge: Use Browser Dev Tools
Use your browser's real detective tools. Right-click the fake link in the example email and choose 'Inspect'. In the code that appears, find the `<a>` tag and look at its `href` attribute. This is how security pros check links without ever having to risk a click.
Challenge: Think Like a Hacker (Mad Libs Edition!)
The best way to spot a trick is to learn how it's made. Let's build a (harmless) phish. Fill in the blanks below to create your sneaky message!
4. How to Read a URL
The URL (web address) is where attackers hide their best tricks. Think of it like a train: you need to find the engine to know where it's really going.
The Rule: The real domain is the "engine" right before the first slash (`/`). Always check the engine!
Phish vs. Hoax: What's the Difference?
A Phish 🎣 wants your password or money. A Hoax 👻 just wants your attention. If a message says "Share this to 10 friends for good luck!", that's a hoax. It's annoying, but not trying to steal your account.
🧠 Pro Trick #1: Typosquatting
Hackers register common misspellings of popular sites to catch people who type too fast. Always double-check your spelling!
🧠 Pro Trick #2: Sneaky Subdomains
Sometimes safe sites use subdomains for different sections. The "engine" rule still works! The real domain is the part at the end of the host name, just before the first slash.
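Here is an added example (not code from the original page) that puts the Pro Challenge's "read the href, not the link text" step and this section's engine rule, typosquatting and subdomain tricks into one small checker. It assumes a tiny constructed allow-list of brand domains (KNOWN) and a constructed HTML snippet modeled on the page's fake emails; the registrable domain is simplified to the last two labels.

```python
import difflib
import re
from urllib.parse import urlparse

# Assumption: a tiny allow-list of brands the reader expects mail from.
KNOWN = {"paypal.com", "google.com", "amazon.com", "netflix.com"}

def engine(url):
    """Engine rule: the host right before the first '/'. The registrable
    part is taken as the last two labels (ignores suffixes like co.uk)."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])

def judge_url(url):
    """'ok', 'typosquat of X', 'lookalike ...' or 'unknown ...'."""
    dom = engine(url)
    host = (urlparse(url).hostname or "").lower()
    if dom in KNOWN:
        return "ok"                      # subdomains of a real brand pass
    for known in KNOWN:                  # one or two characters off?
        if difflib.SequenceMatcher(None, dom, known).ratio() >= 0.8:
            return f"typosquat of {known}"
    for known in KNOWN:                  # brand name used as decoration
        if known.split(".")[0] in host:
            return f"lookalike: brand in address but engine is {dom}"
    return f"unknown domain {dom}"

# What Inspect shows: the href attribute, not the visible text.
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.S)

def check_links(html):
    """For each link: (visible text, real destination, verdict)."""
    rows = []
    for href, text in LINK.findall(html):
        verdict = judge_url(href)
        text = re.sub(r"<[^>]+>", "", text).strip()
        if text.startswith("http") and engine(text) != engine(href):
            verdict += f"; text shows {engine(text)}"   # display/href mismatch
        rows.append((text, href, verdict))
    return rows

# Constructed sample HTML modeled on the page's fake emails.
SAMPLE = (
    '<a href="http://paypal-account-verify.secure-login.net/restore">'
    "https://www.paypal.com/restore</a>"
    '<a href="https://amazon-redelivery.com/update?order=7723">Update</a>'
    '<a href="https://accounts.google.com/activity">Review activity</a>'
    '<a href="http://paypa1.com/login">Log in</a>'
)
```

Running check_links(SAMPLE) flags the PayPal and Amazon links as lookalikes, passes the accounts.google.com subdomain, and catches paypa1.com as a typosquat.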
5. Sneaky Brain Tricks
Phishing works because it's designed to hack our brains, not just our computers. Let's see if you can spot the trick.
Scenario 1: 📱 A pop-up screaming 'VIRUS DETECTED!' appears while you're playing a game. What brain trick is the hacker using?
Scenario 2: 👩‍🏫 A message from your 'principal' asks for your password to a new school portal. What brain trick is this?
If an email, text, or message feels weird, urgent, or too good to be true, stop and take a 5-second pause. Ask yourself: "Did I expect this?" If not, ask a parent or trusted adult before you click ANYTHING. It's about having a teammate to help you spot the trick! Remember to never share personal info like your full name, address, or school name on strange websites.
👨‍👩‍👧 Parent Corner: From Learning to Doing
Great job working through this! Now is the perfect time to level up your family's security together. Here are two missions:
- Conversation Starter: Ask your explorer, "If a message from a friend seemed weird, how would you check if it was really them?" Their answers might surprise you!
- The "Go Direct" Rule: Make a family rule that for any urgent email from a bank or service, you NEVER click the link. Instead, you always open a new tab and type the website address in yourselves.
- Co-Op Mission: Set Up 2FA Together! Two-Factor Authentication (2FA) is a superpower against password theft. Ask your child to help you turn on 2FA for one of your important accounts (like your email). Learning how to do it together makes you both safer!
🕵️ Security Clearance Quiz
Prove you can think like a cybersecurity analyst!