This article has links to websites or programs not trusted by Scratch or hosted by Wikipedia. Remember to stay safe while using the internet, as we cannot guarantee the safety of other websites.
The word "phishing" is a homophone (a word that is pronounced the same as another word but differs in meaning and may differ in spelling) of "fishing", which relates to the idea of somebody fishing for a password. People phish for various reasons, all of them bad. Real-world cases include identity theft and gaining access to bank accounts or credit cards. On Scratch, it can be to embarrass someone, delete their projects, or get them banned.
Warning: If you feel like you are getting phished, stop immediately, tell a trusted adult, and report the phishing user. Never try to phish others.
How Phishing Works
Phishing usually happens when a website asks for an account's username and password and promises something good in exchange, such as getting featured or gaining followers. For example, a site that says "Click here to get 5000 followers for free!" and asks for your Scratch username and password is dangerous. Never enter them into an untrusted website. If credentials are entered, the phisher will have access to your account.
Another situation could be a webpage that looks exactly like the Scratch homepage but is hosted on a server with a different address. Here, the password will be phished if the user attempts to log in. Therefore, do not trust an internet address sent by any means, even if it looks like a familiar site. It is highly recommended to look at the URL: scratch.mit.edu is the real site; anything else is fake.
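The URL check described above can also be done by a program. The following JavaScript is an added example, not part of the original article or of Scratch's own code; the function names, the https requirement and the sample links are assumptions made for illustration.

```javascript
// Added example: decide whether a link really points at the Scratch site.
const REAL_HOST = "scratch.mit.edu"; // the only genuine host, per the article

function checkScratchLink(link) {
  let url;
  try {
    url = new URL(link); // the same URL parser browsers use
  } catch {
    return { trusted: false, reason: "not a complete web address" };
  }
  // Assumption (not stated in the article): only accept encrypted https links.
  if (url.protocol !== "https:") {
    return { trusted: false, reason: "not an https link" };
  }
  // Anything before an "@" is a username, not the site being visited.
  if (url.username !== "" || url.password !== "") {
    return { trusted: false, reason: "real host is " + url.hostname };
  }
  // The parser lowercases the host, so an exact comparison is enough.
  // "Contains" or "starts with" checks would accept lookalike addresses.
  if (url.hostname !== REAL_HOST) {
    return { trusted: false, reason: "real host is " + url.hostname };
  }
  return { trusted: true, reason: "host is " + REAL_HOST };
}

// Constructed sample links (example.* domains are reserved for documentation).
const SAMPLE_LINKS = [
  "https://scratch.mit.edu/projects/editor",
  "HTTPS://Scratch.MIT.edu/login",
  "https://scratch.mit.edu.example.com/login",
  "https://scratch.mit.edu@example.net/login",
  "https://scratch-mit-edu.example.org/login",
  "http://scratch.mit.edu/login",
  "scratch.mit.edu/login",
];

// Returns only the links that should not be trusted.
function untrustedLinks(links) {
  return links.filter((link) => !checkScratchLink(link).trusted);
}

for (const link of SAMPLE_LINKS) {
  const result = checkScratchLink(link);
  console.log((result.trusted ? "OK     " : "AVOID  ") + link + "  (" + result.reason + ")");
}
```

Only the first two sample links pass; the others contain the text "scratch.mit.edu" somewhere but are not served from that host over https.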
A third type of phishing scam is in the form of an email from someone claiming to be an administrator and asking for an account password. An example would be an email saying "We have accidentally banned your account. Please log in here to avoid your projects being deleted. [link to a fake webpage]" or "Please activate your account today! Your projects will be deleted tomorrow if you don't activate it to a Scratcher rank! [link to a fake webpage]".
A fourth type is a project with a cloud list or variables asking for the user's password. While users would be able to input a fake password, those types of projects should be reported.
In any case where phishing is suspected, it is advisable to change the account password immediately, even if the page afterwards says that the action is successful.
How to Avoid Getting Phished
- If a website seems suspicious, stay away from it. Never input an account password on an untrusted site. This could be used to steal your information and damage your account.
- Do not use links from suspicious emails, websites, etc. If you're unsure if a website can be trusted, ask a parent or guardian.
- An administrator of a site never needs any of your account information to "fix your account" or to "make sure the website works correctly".
- Only tell a trusted adult (such as a parent or guardian) the account password.
- It is recommended that the account password is changed every few months.
- Do not use the same password for different sites. If one of your accounts gets hacked, and another one of your accounts has the same password, it could be hacked as well.
- Remember to make passwords easy to remember but hard to guess. Make sure your password is more than 12 characters and uses plenty of symbols and numbers. Write down your password and keep it in a safe place.
- Don't leave your account logged in on a shared device (for example, a school computer, a library computer, or a shared family computer). Make sure to always log out when you're done.
Bad password examples
- See also: Password#Examples of Weak Passwords