Teens like myself always expect to know everything about what happens on the Internet, ignoring the possible risks because, of course, there can’t be any risks if we’ve got everything under control, right? Well, wrong. Even though we think that we know who we can trust and what is safe (or not), phishers know exactly how to imitate that, becoming a very real hazard to us.
A while back, as part of a Hacker Highschool project, I presented a PowerPoint to my class about phishing, so I have some knowledge about the subject and am aware of the dangers involved. Before that, I didn’t really know all that much about it, but neither did my classmates.
I used to think phishing only appeared in fishy emails or websites that told me that I had won a trip to the Maldives, but after my research I found out that nowadays phishing techniques can be hidden anywhere and it surprised me how innocent and uninformed I was in the past.
Phishing Tactic #1 Copying a Reliable App
While I was presenting to my classmates, I showed them two pictures side by side. The first picture was a screenshot of one of those fake scammy websites and the other one was a link for the login information to retrieve their Instagram password. I told them to observe them both and tell me which one would seem more dangerous if they encountered them online. The first picture was the more obviously suspicious option. When I told them that both options were equally risky a few jaws dropped.
The fact that a phisher could imitate exactly what the login information page looked like was a shock to my schoolmates and, to be fair, to me too.
After informing them of the dangers of both websites, I asked them why they thought that the first one was risky but the second one was safe. One person told me that it was because they were used to seeing those typical fishy websites send fake or risky news and on the other hand, they had never seen something so legitimate-looking turn out to be a trap. I couldn’t have agreed more, primarily because we all consider Instagram to be a really trustworthy app, so if we get an email that looks like it came from them, most teens wouldn’t bother making sure if it’s real or not. On top of that, from time to time Instagram does send us emails, so receiving one from them wouldn’t even be considered strange.
Another case of using a reliable app for phishing teens happened a couple of years ago, also with Instagram. Many apps and websites were promising to fill your account with followers, likes and comments in a matter of minutes. Although I personally wasn’t interested, many of my friends and other teens were, and they gave away passwords and accounts for it.
Of course, there were a few apps that actually did work, but a few others just kept their account information and never fulfilled their promise. None of my friends that did it seemed to have any issues until someone started posting all sorts of spam and links on their accounts.
Phishing Tactic #2 Through Fake “Rewards” for Videogames
Like I mentioned before, the promise of rewards like winning a trip to the Maldives or a new phone don’t really work on most teens because we are sophisticated enough to know these are scams, but phishers do occasionally pull one over even on the most jaded teen.
A while back, many people played the game Episode and would spend lots of money on gems and tickets, which made the game more fun. Phishers knew this, and around 2016 many videos were uploaded to YouTube claiming that there was a website that could hack the game for you and get you unlimited free gems and tickets. Supposedly this was safe and perfectly legal.
Even though now I can see that it’s clearly illegal to hack an app, and quite impossible with our knowledge, thousands of teens - some of them were my friends and I - clicked on the link with hopes of gaining unlimited supplies of goodies.
Once I clicked on the link, I remember seeing on the side of the screen a very extensive list of people that apparently already got thousands of gems for the day. This was exciting until I learned the hard way that they were just bots. Long story short, the web page wasn’t the miracle we were all waiting for, but a big phishing trap instead. It was one of those cases of “too good to be true.”
To get all these “free” gems and tickets you were asked to give them lots of personal information - name, where you live, etc. - and then you had to go through a “human verification” process in which you had to answer a ton of personal questions to just end up in the home page all over again with no access to freebies. Luckily, I never put any personal information on there due to the fact that I wanted to go through it fast, so I just put whatever I came up with at the moment.
Long story short, phishers can easily take advantage of teens by exploiting their desire for free items for their favorite games. Certainly this could catch out adults too, but several studies demonstrated that teens and young adults are far more likely not to exercise caution and fall for trips like this, especially because we have this unrealistic sense of what is trustworthy and what isn’t.
Phishing Tactic #3 The Fake Email
Here we’re talking about something different from the Instagram scam I mentioned above. When I was presenting to my classmates, I asked them to explain to me how they would differentiate an email or a message from a friend from an email sent by a phisher pretending to be a friend. Everyone’s response was pretty similar: they could tell easily just by how they talk, what expressions they use and even how they type. But a phisher determined to access your online info would study all of these things beforehand, so just by letting our gut tell us if it’s our friend or not is what gets us in the trap in the first place.
I also asked my classmates how they would identify if a person is real and has genuine intentions about what they’re asking for or if it’s a phisher, because it’s one thing to try to recognize a friend, but recognizing a stranger who is genuine is something else. When asking this question I didn’t really get clear responses; some said to see if the email address looked safe or if there was a web page linked to it that could feel fishy, but again, no real response there. I realized my classmates’ approach to a phisher would purely be by feelings and trust, two factors that could be easily manipulated by the phisher themselves.
I got an email once that said that I had activity on my Google account that wasn’t mine and that I had about thirty minutes to regain control of my account. To regain it, I had to click on a link and enter my username and password. My initial reaction was to freak out and to do it before the timer ended, but luckily enough I remembered that phishing techniques love to use pressure, and that Google wouldn’t make me rush to type in a new password.
Just because I was lucky enough to not fall into that trap doesn’t mean other teens wouldn’t have.
So basically, using a fake email most definitely is a good way to get teens to give all sorts of information to the phisher, just because we prefer to trust our gut rather than using actual research on the cause.
In conclusion, several studies have demonstrated how crucial it is to protect teens from phishers, just because we’re the most vulnerable age group to fall in their traps.
Although I consider myself lucky, because thanks to the Hacker Highschool project I had to do, I learned a lot about their tactics and have been able to be extra careful when being online, and on top of that my parents have always warned me to be cautious.
I think it’s important for parents to let their teens know that phishers can pretend to be anything or anyone they want, including family members or close friends. Even if this might sound obvious to the more informed adults, it’s really shocking for most of us teens because we think it’ll only happen in movies, when in reality, it can happen to us.