Lesson 9: Going deeper with recognizing and avoiding online scams
Phishing attacks
Sal explains how evildoers on the Internet can take advantage of you. Created by Sal Khan.
Want to join the conversation?
- My sister noticed that the email from which this was sent is misspelled (epaiypal instead of epaypal). Is this also a clue that it is a phishing attack? (9 votes)
- Yes, misspelled email addresses are a big red flag. (12 votes)
- Let's assume I just got a phishing email from PayPal which asks for me to click on the login link to secure my account. If I accidentally click on the login link, is there any harm in just clicking the link? Will my IP address get exposed? (8 votes)
- It really depends on what they want from you. They could be advanced enough to do that, but usually it’s just a fake login to steal your password. (7 votes)
- Do email accounts usually block phishing accounts automatically? I think mine puts everything with a suspicious link in the spam folder… (3 votes)
- Hm, that's cool! My mom gets a LOT of these types of emails, and I'm left putting them into the spam folder XD (1 vote)
- How can you tell when someone is phishing you? Easy! Just look for the information they say they are and find the false information. BOOM! You found someone who was trying to phish you. (1 vote)
- Yes, but it’s risky. The person who does it may be very advanced and can even fake the name by putting something on top of it. You might have clicked on an email which looked supposedly innocent, but was really a phishing attack. (3 votes)
- Is that even the PayPal logo? (1 vote)
- Yes, I think they copied it. (1 vote)
- can u do something about the viruses (1 vote)
- What is phishing attacks? Who knows? Write simple and vote (1 vote)
- Phishing attacks are things that people try and "fish" you into a website that looks real but isn't real and steal things from you. With reference to ~1:35 (1 vote)
- I sent a virus to a Microsoft scammer (1 vote)
- I didn't catch any malware (1 vote)
- I heard that it is possible to use Cyrillic characters in a domain name, besides, you never know what the legit address is, scammers can have a domain that seems VERY legit, with no spelling mistakes whatsoever, except that it is called some weird combination of something.paypal.something.com and it might very well be some legit email from PayPal.
Could someone please tell me how to ACTUALLY check if a domain is legit? Every person on YT and everywhere just says: oh yeah, all you have to do is check if the domain is real, but they never address the 1000 corner cases that make it impossible to do for the average user.
If someone knows a database of ALL legit email/domains for all the major websites that can make sure no Cyrillic characters are in use and the other multitude of ways you can make a website look very legitimate, please put it here.
Also, the part about Google having the world's best security: Google was literally displaying fake ads for OBS and VLC recently (ads linked to fake websites with malicious downloads). And it's not like they can't modify the official Wikipedia link so there is no way to check, there is no service you can really really trust. How do you trust anything after that? (1 vote)
Video transcript
- [Instructor] Let's say you get an email like this, where it looks like it is from PayPal. It says "Response required" really big, so this is a little bit scary. And it says, "Dear," you, "We emailed you a little while ago to ask you for your help resolving an issue with your PayPal account." This seems really serious. "Your account is still temporarily limited because we haven't heard from you. We noticed some unusual login activity with your account. Please check that no one has logged into your account without your permission." This is scary: "To help us with this and to see what you can and can't do with your account until the issue is resolved, log in to your account or go to the Resolution Center. As always, if you need help or have any questions, feel free to contact us. We're always here to help. Thank you for being a PayPal customer. Sincerely, PayPal."

What would you do in this situation? Well, I think for a lot of us, our emotional response is, hey, PayPal, some of my money is involved, there. They're talking about other people maybe trying to log in. I definitely wanna resolve this. And just in the heat of the moment, you might click on this "log in," or you might go to the Resolution Center, and that might start you down a little bit of a scary path. Because even though this looks like PayPal, you really need to verify that it really is PayPal. And there are some clues here that make it clear that it is not PayPal. See if you can find those.

Well, the biggest clue is up here on the email address. So, it says service@intl.paypal.com as its name, but when you look at the actual email address right over here, notice it actually isn't a PayPal email address. It says @outlook.com. So, this is a pretty good clue that this is not from PayPal.

And so, what is this? Well, this is known as a phishing attack. Why is it called a phishing attack? Well, I think it's probably based on the idea that when you're trying to catch fish, you dangle some bait for the fish and you see which fish are going to bite. And so, this isn't exactly fishing. They spelled the "Fuh" sound P-H because what they're really doing is they're dangling some bait in front of you and see if you're going to metaphorically get your cheek cut by the fish hook or whatever happens to fish before they get pulled out.

And how would that happen metaphorically? Well, when you click on this, it probably goes to this phishy company or person's website. And that website might look like PayPal, but it's not going to be paypal.com. It's going to be some other web address. And so, one way to avoid doing that beyond looking at that this is a phishy email address is that in some browsers or in some email readers, you can scroll over this and you'll see what the website would be. Or you can right click on that. You could, say, copy the URL and you could put that in a text document to see what the actual URL is. And it's very likely that that is not going to be a PayPal URL. In fact, I would guarantee you in this case it would not be. It would look like PayPal when you get there, and what they'll probably try to get you to do is type in your username and password for your PayPal account. Why is that valuable for them? Well, you just would have then given them your username and password for your PayPal account, which then they could use to steal money from you or to do something else to you.

So, be very careful where you get these urgent emails or texts. I got a text recently saying that, "Your Amazon account has been compromised. Click here fast in order to make sure that no more fraud happens on your account." Well, it turns out that the URL, the web address there was not amazon.com. It was going to take me to a shady website, and that shady website looked a lot like Amazon. And so, if I acted really quickly, I would've given them my Amazon username and password.

So, be on the lookout for these phishing attacks, and the main way to catch them is be skeptical of anything that's talking about fraud, about something that you would scare you and say, "Hey, do I really think this is happening?" And then, if you really think it might be happening, verify the email addresses, verify the web addresses that they're really coming from who they say they're from. And it doesn't matter if the name is @somethingpaypal.com. You have to look at the actual email address and it doesn't matter what it says here. It matters what the actual URL is that it clicks to to make sure that it isn't fishy. No pun intended, or actually, that pun was intended.
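
The two checks the video describes (the real sender address behind the display name, and the real host behind a link), together with the brand-as-subdomain and Cyrillic-character cases raised in the comments, written out as an added Python example that is not part of the original lesson. The function names, the sender's local part and the link hosts are constructed for illustration, and the trusted domain is assumed to be one you already know from a bookmark or a statement.

```python
from email.utils import parseaddr
from urllib.parse import urlsplit

def host_matches(host, trusted):
    """True only if host is the trusted domain itself or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)

def is_lookalike(host):
    """Non-ASCII or punycode (xn--) labels can hide look-alike letters."""
    return not host.isascii() or any(
        label.startswith("xn--") for label in host.lower().split("."))

def review_message(from_header, link_urls, trusted):
    """Return a list of red flags for one message; empty means none found."""
    findings = []
    display, addr = parseaddr(from_header)
    sender_domain = addr.rpartition("@")[2].lower()
    if not host_matches(sender_domain, trusted):
        findings.append(f"sender domain '{sender_domain}' is not {trusted}")
        if trusted in display.lower():
            findings.append("display name mentions the brand, address does not")
    for url in link_urls:
        host = urlsplit(url).hostname or ""
        if is_lookalike(host):
            findings.append(f"link host '{host}' has non-ASCII/punycode labels")
        elif not host_matches(host, trusted):
            findings.append(f"link host '{host}' is not {trusted}")
    return findings

# Constructed sample data (the local part and link hosts are made up).
SPOOFED_FROM = '"service@intl.paypal.com" <example-sender@outlook.com>'
LINKS = [
    "https://www.paypal.com/signin",                      # real domain
    "https://secure.paypal.account-check.example/login",  # brand as subdomain
    "https://p\u0430ypal.com/signin",                     # Cyrillic 'a' (U+0430)
]

if __name__ == "__main__":
    for finding in review_message(SPOOFED_FROM, LINKS, "paypal.com"):
        print("RED FLAG:", finding)
```

An empty result only means these checks found nothing: the From header itself can be forged, so typing the address you already know into the browser remains the safer route than following any link in the message.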