Course: Archived AP CSP content > Unit 1 > Lesson 7: Archived Cybercrime and prevention
Phishing and password attacks
The Internet is a network of computers filled with valuable data. Cyber criminals want to get a hold of that data, so security engineers are constantly coming up with mechanisms to prevent their access, like firewalls, software patches, and antivirus software.
But there's always a weakest link: the human. If a cyber criminal can convince a user to email their credentials, or download a file, then they don't need to go through all that effort to circumvent security software. If a cyber criminal can easily guess a user's password, then they don't need to crack encryption algorithms.
These days, cyber criminals often find it easier to attack users than attack software, since there are so many users on the web that are not following best practices for security.
Fortunately, a little bit of information can go a long way to protecting users and their data. Let's learn more about how to be safer online.
Phishing attacks
In a phishing attack, a cyber criminal tricks a user into divulging their private information.
A phishing attack typically starts with an email that claims to be from a legitimate website, like a banking website or online store.
The goal of the email is to obtain private data from the user, so it either asks the recipient to reply with personal information or it links to a website that looks remarkably like the original site.
If the user is convinced and enters private details on the site, that data is now in the hands of the cyber criminal! If the user filled in login details, they can then use those credentials to log in to the real website, or if the user provided credit card details, they can use the credit card to make purchases anywhere.
Spotting a phishing attack
Fortunately, there are some tell-tale signs of phishing scams:
- Suspicious email address: Phishing emails will often come from addresses at domains that don't belong to the legitimate company.
- Urgency and scare tactics: Phishing emails use psychological manipulation to lower our guard and get us to respond quickly without thinking through the consequences.
- Suspicious URL: Phishing emails will usually link to a website with a URL that's very similar to the legitimate URL, or at least contains the company name somehow.
- Non-secured HTTP connections: Any website that is asking you for sensitive information should be using HTTPS. Phishing websites don't always go through the extra effort to use HTTPS.
- Requests for sensitive information: Phishing emails will often ask you to either reply with personal data or enter them on a website. Most legitimate companies do not need you to verify personal information after the original account creation.
Every phishing scam will vary in its sophistication, so some emails may be very obviously fake while other emails can be incredibly convincing.
If you ever suspect an email is a phishing scam, do not click on any links or download any attached files. Find another way to contact the supposed sender to see if the email is legit. If the email's from a company, you can search online for their phone number. If it's from a friend or colleague, you can message them or give them a call.
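The checklist above turned into a small scanner, as an added Python example that is not part of the original lesson: it runs each tell-tale sign over two constructed messages (every address, domain and URL in them is made up), so you can see which signs a suspicious email trips and a clean one does not.

```python
import re
from urllib.parse import urlparse

# Constructed sample messages (not from the original lesson); every address,
# domain and URL below is made up for illustration.
SAMPLE_EMAIL = {
    "from": "security-team@paypa1-support.com",
    "claimed_company": "paypal",
    "legit_domains": {"paypal.com"},
    "subject": "URGENT: your account will be suspended in 24 hours",
    "body": ("Dear customer, we detected unusual activity. Verify your password "
             "and card number immediately at "
             "http://paypal.com.account-verify.example/login or your account "
             "will be closed."),
}
LEGIT_EMAIL = {
    "from": "receipts@paypal.com",
    "claimed_company": "paypal",
    "legit_domains": {"paypal.com"},
    "subject": "Your receipt",
    "body": "Thanks for your purchase. View details at https://www.paypal.com/activity",
}

URGENCY_WORDS = ("urgent", "immediately", "suspended", "closed", "24 hours", "act now")
SENSITIVE_WORDS = ("password", "card number", "ssn", "social security", "verify your")

def registered_domain(host):
    """Crude registrable-domain guess: the last two labels (fine for .com examples)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def phishing_signs(mail):
    """Return the tell-tale signs from the checklist that this message shows."""
    signs = []
    sender_domain = mail["from"].rsplit("@", 1)[-1].lower()
    if sender_domain not in mail["legit_domains"]:
        signs.append("suspicious sender domain: " + sender_domain)
    text = (mail["subject"] + " " + mail["body"]).lower()
    if any(w in text for w in URGENCY_WORDS):          # crude keyword match
        signs.append("urgency/scare language")
    for url in re.findall(r"https?://[^\s<>\"']+", mail["body"]):
        parts = urlparse(url)
        host = parts.hostname or ""
        if registered_domain(host) not in mail["legit_domains"]:
            kind = "lookalike" if mail["claimed_company"] in host else "unrelated"
            signs.append(f"{kind} URL host: {host}")
        if parts.scheme != "https":
            signs.append("non-HTTPS link: " + url)
    if any(w in text for w in SENSITIVE_WORDS):
        signs.append("asks for sensitive information")
    return signs
```

Note that a lookalike host such as "paypal.com.account-verify.example" contains the brand name yet is registered under a completely different domain, which is exactly the trick the "Suspicious URL" sign describes.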
🔍 Can you spot a phishing scam? Test your skills with this Phishing Quiz from Google.
Spear phishing
There's a new type of phishing that's even more popular and dangerous: spear-phishing. That's where a phishing email targets users in a particular company, with the goal of gaining access to the company's data.
If just one person in the company accidentally reveals their credentials or downloads malware onto their company computer, the cyber criminal can potentially breach their entire company database. That's not just one person's data, that's thousands or millions of people's data. 😬
Password attacks
Passwords protect access to just about every piece of digital information about us: bank accounts, private email, social networks, chat conversations, and much, much more.
These are the most common ways to discover a user's password:
- Guessing
- Brute-forcing, which is basically computer-assisted guessing at a much larger scale.
- Stuffing, where attackers find credentials for one service and try them on another service.
- Malware, especially keyloggers.
- Phishing scams, which we just discussed.
Users can defend against malware and phishing scams by being careful about what they download and what emails they believe.
To defend against the attacks of guessing, brute-forcing, and stuffing, users need a strong password that can’t be easily obtained by someone with ill intent.
Picking a password
A strong password is:
- Irregular, to avoid simple guessing. Have you ever “changed” a password by putting a "1" or a "!" at the end of it? A cyber criminal will change it the same way!
- Complex, to avoid brute-forcing. A strong password is long and includes more variety than just the letters of the alphabet, like numbers and symbols. There are $26^8$ possible passwords that are 8 characters long and just made of lowercase letters, while there are $52^{12}$ possible passwords that are 12 characters long and made up of both uppercase and lowercase letters. That's roughly $2 \times 10^{11}$ versus a whopping $3.9 \times 10^{20}$ possibilities. A little bit of complexity goes a long way.
- Single-use, to avoid stuffing attacks. If a cyber criminal manages to discover a user's password for one service, they shouldn't be able to use that same password to get into all their other services.
At the same time, passwords need to be memorable. If a user forgets their password constantly, then it's not a very good password.
Here are ways that users can make passwords that are both memorable and strong:
- Create an initialism. Simple words and common phrases are easier to guess. An initialism is made up of all the initials of a phrase. For example, you could take the phrase “I want to create a strong password” and turn that into a complex password like "Iw2CR8a!!!pw". You could also make initialisms based on favorite song lyrics, and then you'll be singing your way through login screens. 🎶
- Combine unrelated words together. Imagine you have a real paper dictionary (and maybe you do!). You randomly turn to a page, randomly point, and choose the word under your finger. Do that four times, combine the words with symbols, and you'll have a strong password like "vivid-wrung-octopus-misapply".
- Use a password manager. Perhaps you now have a few strong, memorable passwords in your head, but can you actually remember 40 of those? Password managers to the rescue! A password manager application can auto-generate strong passwords, keep track of all your passwords, and let you unlock access to your passwords with one very strong and memorable password.
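The keyspace arithmetic from the "Complex" bullet and the "combine unrelated words" and "irregular" advice above, carried through in Python as an added example that is not part of the original lesson. It assumes a constructed 16-word list in place of a real dictionary and an illustrative guess rate of a billion guesses per second for the brute-force timing.

```python
import math
import secrets

# Constructed 16-word list standing in for a real paper dictionary (assumption:
# a real list has thousands of entries, which raises the entropy per word).
WORDS = ["vivid", "wrung", "octopus", "misapply", "lantern", "gravel", "bishop",
         "zesty", "marble", "tundra", "quiver", "hollow", "saddle", "ember",
         "pickle", "nimbus"]

def keyspace(alphabet_size, length):
    """Number of distinct passwords of `length` characters over an alphabet of
    `alphabet_size` symbols: the 26^8 versus 52^12 comparison in the lesson."""
    return alphabet_size ** length

def bits_of_entropy(choices, picks):
    """Entropy, in bits, of `picks` independent uniform choices from `choices` options."""
    return picks * math.log2(choices)

def years_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every password at an assumed guess rate (illustrative)."""
    return space / guesses_per_second / (365 * 24 * 3600)

def random_words_password(word_list, count=4, sep="-"):
    """'Combine unrelated words': pick words with the OS CSPRNG, not random.choice."""
    return sep.join(secrets.choice(word_list) for _ in range(count))

def looks_like_trivial_change(old, new):
    """'Irregular' check: flags the 'add a 1 or a ! at the end' habit the lesson warns about."""
    shorter, longer = sorted((old, new), key=len)
    return (len(longer) == len(shorter) + 1
            and longer.startswith(shorter)
            and not longer[-1].isalpha())

if __name__ == "__main__":
    small, big = keyspace(26, 8), keyspace(52, 12)
    print(f"26^8 = {small:,}   52^12 = {big:,}   ratio ~ {big / small:.1e}")
    print(f"at 1e9 guesses/s: {years_to_exhaust(small, 1e9):.2e} vs "
          f"{years_to_exhaust(big, 1e9):.2e} years")
    print(f"4 words from {len(WORDS)}: {bits_of_entropy(len(WORDS), 4):.0f} bits, e.g. "
          + random_words_password(WORDS))
    print("hunter2 -> hunter2! is a trivial change:",
          looks_like_trivial_change("hunter2", "hunter2!"))
```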
🔍 You can search online for "password meter" and find webpages that will calculate the strength of passwords for you. For security reasons, you should not put your actual password in those meters, but you can try out other password ideas and see how strong they are.
- How secure are password managers? (7 votes)
- Writing your passwords on a piece of paper is more secure, as paper can't be hacked. Just make sure to not let anyone else see the paper. When destroying the paper, it is best to soak it in water so that it dissolves and can't be pieced back together like it could be when it is shredded. (1 vote)
- I have a question: When a website (let's say that fake PayPal login page) is created, don't officials review the website? Can't these officials see a similarity in the real and fake PayPal websites? Can't they just deny access to it because of the stealing of already created property (ex. the PayPal symbol/logo)? (1 vote)
- No, there's no official that checks all sites on the internet. You could create a fake PayPal website tomorrow. If PayPal happens to see that website--like if customers report the site--then PayPal can take legal action, like sending a cease & desist letter from a lawyer. Web browsers and ISPs could also take action, if they discover a site is being used for malicious purposes. Google Chrome will often warn you if it knows that a site is malicious. But, it usually takes someone reporting it first. So if you see something, say something! (2 votes)