
Phishing and password attacks

The Internet is a network of computers filled with valuable data. Cyber criminals want to get a hold of that data, so security engineers are constantly coming up with mechanisms to prevent their access, like firewalls, software patches, and antivirus software.
But there's always a weakest link: the human. If a cyber criminal can convince a user to email their credentials, or download a file, then they don't need to go through all that effort to circumvent security software. If a cyber criminal can easily guess a user's password, then they don't need to crack encryption algorithms.
These days, cyber criminals often find it easier to attack users than to attack software, since so many users on the web are not following security best practices.
Fortunately, a little bit of information can go a long way to protecting users and their data. Let's learn more about how to be safer online.

Phishing attacks

In a phishing attack, a cyber criminal tricks a user into divulging their private information.
Illustration of a phishing attack. A cyber criminal has a fishing line with a hook through a web browser. The web browser has a password field with "UsersR3alP@ssword" filled in.
A phishing attack typically starts with an email that claims to be from a legitimate website, like a banking website or online store:
Screenshot of a phishing email. Subject line says "Your PayPal Access Blocked !". Email is from "PayPal paypalaccounts@mailbox.com". Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses. How can I fix the problem? Confirm all your details on our server. Just click below and follow all of the steps. Confirm Account Details Now." There are two hyperlinked parts of the text.
An email that claims to be from PayPal
The goal of the email is to obtain private data from the user, so it either asks the recipient to reply with personal information or it links to a website that looks remarkably like the original site:
Screenshot of a phishing website. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". Main area of screen contains login box with PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button.
A website that claims to be a PayPal login screen
If the user is convinced and enters private details on the site, that data is now in the hands of the cyber criminal! If the user filled in login details, they can then use those credentials to log in to the real website, or if the user provided credit card details, they can use the credit card to make purchases anywhere.

Spotting a phishing attack

Fortunately, there are some tell-tale signs of phishing scams:
  1. Suspicious email address: Phishing emails will often come from addresses at domains that don't belong to the legitimate company.
Screenshot of phishing email, cropped to show just the from line. Email is from "PayPal paypalaccounts@mailbox.com". The email address is highlighted with a circle.
Email looks like it's from PayPal but is actually from mailbox.com.
  2. Urgency and scare tactics: Phishing emails use psychological manipulation to lower our guard and get us to respond quickly without thinking through the consequences.
Screenshot of phishing email, cropped to show part of the body. Email body has heading "Your PayPal Account is Limited, Solve in 24 Hours!" and body "Dear PayPal Customer, We're sorry to say you cannot access all the paypal account features like payment and money transfer. Click here to fix your account now. Why is it blocked? Because we think your account is in danger of theft and unauthorized uses." The heading and final line are highlighted with circles.
  3. Suspicious URL: Phishing emails will usually link to a website with a URL that's very similar to the legitimate URL, or at least contains the company name somehow.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "paypal--accounts.com". The address is highlighted with a circle.
URL has "paypal" in it, but isn't PayPal's actual domain.
  4. Non-secured HTTP connections: Any website that is asking you for sensitive information should be using HTTPS. Phishing websites don't always go through the extra effort to use HTTPS.
Screenshot of a phishing website, cropped to show just the address bar. Web browser shows web page title "Log in to your PayPal account". Address bar shows "Not Secure" and URL "paypal--accounts.com". The "Not Secure" warning is highlighted with a circle.
URL isn't secured over HTTPS, so browser displays "Not secure".
  5. Requests for sensitive information: Phishing emails will often ask you to either reply with personal data or enter it on a website. Most legitimate companies do not need you to verify personal information after the original account creation.
Screenshot of a phishing website, cropped to show just the login form. Login form has PayPal logo: an input field for email or mobile number, a password input field, and a "Log in" button. The email and password fields are highlighted with circles.
Every phishing scam will vary in its sophistication, so some emails may be very obviously fake while other emails can be incredibly convincing.
If you ever suspect an email is a phishing scam, do not click on any links or download any attached files. Find another way to contact the supposed sender to see if the email is legit. If the email's from a company, you can search online for their phone number. If it's from a friend or colleague, you can message them or give them a call.
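The five signs above can be turned into simple checks that a mail filter or a curious reader can run over a message. The following is an added example, not code from the original article: it scores a constructed email built to mirror the article's screenshots (sender at mailbox.com, a link to paypal--accounts.com over plain HTTP, "Solve in 24 Hours!", "Confirm all your details"), and a constructed routine notice as a control. The LEGITIMATE_DOMAINS table and all function names are this example's own assumptions.

```python
"""Heuristic checks for the tell-tale signs of phishing described above.

Added example, not part of the original article. The two sample messages are
constructed to mirror the article's screenshots; LEGITIMATE_DOMAINS is an
assumed lookup table standing in for a maintained list of brand domains.
"""
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed table of registrable domains a brand really uses (only the article's brand).
LEGITIMATE_DOMAINS = {"paypal": {"paypal.com"}}

# Urgency / scare phrasing, with the article's email in mind ("Solve in 24 Hours!").
URGENCY_PATTERNS = [
    r"\b\d+\s*hours?\b",
    r"\b(blocked|limited|suspended)\b",
    r"\b(immediately|now)\b",
]

def registrable_domain(host):
    """Last two labels of a hostname: fine for .com, wrong for .co.uk-style suffixes."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain_mismatch(from_header, brand):
    """Sign 1: the display name claims a brand, but the address domain isn't the brand's."""
    display, addr = parseaddr(from_header)
    if brand not in display.lower() or "@" not in addr:
        return False
    return registrable_domain(addr.rsplit("@", 1)[1]) not in LEGITIMATE_DOMAINS[brand]

def link_findings(urls, brand):
    """Signs 3 and 4: lookalike domains that contain the brand name, and plain-HTTP links."""
    findings = []
    for url in urls:
        parsed = urlparse(url)
        domain = registrable_domain(parsed.hostname or "")
        if brand in domain and domain not in LEGITIMATE_DOMAINS[brand]:
            findings.append("lookalike domain: " + domain)
        if parsed.scheme != "https":
            findings.append("not HTTPS: " + url)
    return findings

def uses_urgency(text):
    """Sign 2: any of the scare patterns appears in subject or body."""
    return any(re.search(p, text, re.IGNORECASE) for p in URGENCY_PATTERNS)

def requests_credentials(text):
    """Sign 5: the text asks the reader to confirm or verify account details."""
    pattern = r"\b(confirm|verify)\b.{0,40}\b(details|account|password|identity)\b"
    return re.search(pattern, text, re.IGNORECASE) is not None

def phishing_indicators(message, brand):
    """Return the list of signs found; an empty list means no heuristic fired."""
    found = []
    if sender_domain_mismatch(message["from"], brand):
        found.append("sender domain does not belong to " + brand)
    found.extend(link_findings(message["links"], brand))
    text = message["subject"] + "\n" + message["body"]
    if uses_urgency(text):
        found.append("urgency or scare language")
    if requests_credentials(text):
        found.append("asks you to confirm account details")
    return found

# Constructed sample mirroring the article's screenshots.
PHISHING_SAMPLE = {
    "from": "PayPal <paypalaccounts@mailbox.com>",
    "subject": "Your PayPal Access Blocked !",
    "body": ("Your PayPal Account is Limited, Solve in 24 Hours!\n"
             "Dear PayPal Customer, we're sorry to say you cannot access all the paypal "
             "account features like payment and money transfer. Click here to fix your "
             "account now.\nHow can I fix the problem? Confirm all your details on our server."),
    "links": ["http://paypal--accounts.com/login"],
}

# Constructed control sample: a routine notice with no sensitive request.
LEGITIMATE_SAMPLE = {
    "from": "PayPal <service@paypal.com>",
    "subject": "Your monthly statement is ready",
    "body": "Your statement for last month is available in your account activity.",
    "links": ["https://www.paypal.com/myaccount/activity"],
}

if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        print(name, "->", phishing_indicators(msg, "paypal") or ["no indicators"])
```

Running it lists all five signs for the constructed phishing message and none for the control. The sender check is the same display-name-versus-domain comparison the first sign describes; the domain helper is deliberately crude, and a real filter would use a public-suffix list so that a brand's regional domains are not flagged as lookalikes.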
🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google.

Spear phishing

There's a new type of phishing that's even more popular and dangerous: spear-phishing. That's where a phishing email targets users in a particular company, with the goal of gaining access to the company's data.
If just one person in the company accidentally reveals their credentials or downloads malware onto their company computer, the cyber criminal can potentially breach their entire company database. That's not just one person's data, that's thousands or millions of people's data. 😬

Password attacks

Passwords protect access to just about every piece of digital information about us: bank accounts, private email, social networks, chat conversations, and much, much more.
These are the most common ways to discover a user's password:
  • Guessing
  • Brute-forcing, which is basically computer-assisted guessing at a much larger scale.
  • Stuffing, where attackers find credentials for one service and try them on another service.
  • Malware, especially keyloggers.
  • Phishing scams, which we just discussed.
Users can defend against malware and phishing scams by being careful about what they download and what emails they believe.
To defend against the attacks of guessing, brute-forcing, and stuffing, users need a strong password that can’t be easily obtained by someone with ill intent.

Picking a password

A strong password is:
  • Irregular, to avoid simple guessing. Have you ever “changed” a password by putting a "1" or a "!" at the end of it? A cyber criminal will change it the same way!
  • Complex, to avoid brute-forcing. A strong password is long and includes more variety than just the letters of the alphabet, like numbers and symbols. There are 26^8 possible passwords that are 8 characters long and just made of lowercase letters, while there are 52^12 possible passwords that are 12 characters long and made up of both uppercase and lowercase letters. That's 208,827,064,576 versus a whopping 390,877,006,486,250,200,000 possibilities. A little bit of complexity goes a long way.
  • Single-use, to avoid stuffing attacks. If a cyber criminal manages to discover a user's password for one service, they shouldn't be able to use that same password to get into all their other services.
At the same time, passwords need to be memorable. If a user forgets their password constantly, then it's not a very good password.
Here are ways that users can make passwords that are both memorable and strong:
Create an initialism. Simple words and common phrases are easier to guess. An initialism is made up of all the initials of a phrase. For example, you could take the phrase “I want to create a strong password” and turn that into a complex password like Iw2CR8a!!!pw. You could also make initialisms based on favorite song lyrics, and then you'll be singing your way through login screens. 🎶
Combine unrelated words together. Imagine you have a real paper dictionary (and maybe you do!). You randomly turn to a page, randomly point, and choose the word under your finger. Do that four times, combine the words with symbols, and you'll have a strong password like vivid-wrung-octopus-misapply.
Use a password manager. Perhaps you now have a few strong, memorable passwords in your head, but can you actually remember 40 of those? Password managers to the rescue! A password manager application can auto-generate strong passwords, keep track of all your passwords, and let you unlock access to your passwords with one very strong and memorable password.
🔍 You can search online for "password meter" and find webpages that will calculate the strength of passwords for you. For security reasons, you should not put your actual password in those meters, but you can try out other password ideas and see how strong they are.
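The keyspace arithmetic behind the "Complex" bullet (26^8 versus 52^12) and the "combine unrelated words" method both come down to alphabet size raised to length. The block below is an added example, not code from the original article: it computes those keyspaces and their size in bits, estimates worst-case exhaustion time for an assumed guess rate, and generates a dictionary-style passphrase with a cryptographically secure random choice. The 16-entry WORDS list is a constructed stand-in for a real dictionary, and the guess rate in the demo is an assumption.

```python
"""Password keyspace arithmetic and a dictionary-style passphrase generator.

Added example, not code from the original article. WORDS is a short constructed
list standing in for a real dictionary; the guess rate used below is assumed.
"""
import math
import secrets
import string

LOWER = string.ascii_lowercase                                   # 26 characters
ALPHA = string.ascii_letters                                     # 52 characters
ALNUM_SYMBOLS = string.ascii_letters + string.digits + string.punctuation  # 94

def keyspace(alphabet_size, length):
    """Number of distinct passwords of a given length over an alphabet."""
    return alphabet_size ** length

def entropy_bits(alphabet_size, length):
    """log2 of the keyspace: the usual single number for comparing strength."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every password at a constant guess rate."""
    return space / guesses_per_second / (365 * 24 * 3600)

# Constructed word list; a real generator would load thousands of words.
WORDS = ["vivid", "wrung", "octopus", "misapply", "lantern", "copper", "harbor", "quartz",
         "meadow", "signal", "tundra", "velvet", "walnut", "zephyr", "anchor", "basil"]

def passphrase(words=WORDS, count=4, sep="-"):
    """The 'open the dictionary at random' method, using a CSPRNG instead of a finger."""
    return sep.join(secrets.choice(words) for _ in range(count))

def passphrase_keyspace(words=WORDS, count=4):
    """Words are chosen with replacement, so the keyspace is len(words) ** count."""
    return len(words) ** count

if __name__ == "__main__":
    rate = 10 ** 9  # assumed guesses per second for an offline attack
    for size, length in ((len(LOWER), 8), (len(ALPHA), 12), (len(ALNUM_SYMBOLS), 12)):
        space = keyspace(size, length)
        print(f"{size:>2} chars x {length}: {space:,} ({entropy_bits(size, length):.1f} bits, "
              f"{years_to_exhaust(space, rate):.3g} years at {rate:,}/s)")
    print(f"4 words from {len(WORDS)}: {entropy_bits(len(WORDS), 4):.1f} bits ->", passphrase())
    print(f"4 words from a 7776-word list: {entropy_bits(7776, 4):.1f} bits")
```

Two things the numbers show that the prose does not spell out: adding symbols to the 12-character case roughly doubles the keyspace again per extra bit (94^12 is about 78 bits against 52^12's 68), and a four-word passphrase is only as strong as the list it is drawn from. Four words from the 16-entry sample list give 16 bits, which a computer guesses in an instant; four words from a 7776-word list give about 52 bits. Use a large list, and pick the words with secrets, not random.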

Want to join the conversation?

  • ishrak jalaluddin:
    how secure are password managers?
    (7 votes)
  • goldman323:
    I have a question: When a website (let's say that fake PayPal login page) is created, don't officials review the website? Can't these officials see a similarity in the real and fake PayPal websites? Can't they just deny access to it because of the stealing of already created property (ex. the PayPal symbol/logo)?
    (1 vote)
    • pamela ❤:
      No, there's no official that checks all sites on the internet. You could create a fake PayPal website tomorrow. If PayPal happens to see that website--like if customers report the site--then PayPal can take legal action, like sending a cease & desist letter from a lawyer. Web browsers and ISPs could also take action, if they discover a site is being used for malicious purposes. Google Chrome will often warn you if it knows that a site is malicious. But, it usually takes someone reporting it first. So if you see something, say something!
      (2 votes)