This article has links to websites or programs outside of Scratch and Wikipedia. Remember to stay safe while using the internet, as we cannot guarantee the safety of other websites.
Phishing is a scam where somebody tricks a user into giving away sensitive information such as passwords. If this ever happens, contact the Scratch Team by clicking the Contact Us link at the bottom of any page of the Scratch website.

The word "phishing" is a homophone (a word that is pronounced the same as another word but differs in meaning and may differ in spelling) of "fishing" which relates to the idea of somebody fishing for a password for malicious reasons. Real world cases include identity theft and getting access to bank accounts or credit cards. On Scratch, it can be to embarrass someone, delete their projects, or get them banned.

Warning: If you feel like you are getting phished, do not continue, tell a trusted adult, and report the phishing user. Never try to phish others.

How Phishing Works

Phishing usually happens when a website asks for an account username and password and promises a desired outcome in exchange, such as getting featured or gaining followers. For example, a site that says "Click here to get 5000 followers for free!" and asks for a Scratch username and password is dangerous. Never enter them into an untrusted website. If credentials are entered, the phisher will have access to your account.

Another situation could be a webpage that looks exactly like the Scratch homepage, but lies on a server with a different address. Here, the password will be phished if the user attempts to log in. Therefore, do not trust an internet address sent by any means, even if it looks like a familiar site. It is highly recommended to look at the URL - scratch.mit.edu is the real site; anything else is fake.
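The URL check described above can be done by a program as well as by eye. The following is an added example, not part of the original article: it parses a link and compares the whole hostname with scratch.mit.edu, because simply looking for that text somewhere in the link is fooled by lookalike addresses. The function name, the HTTPS requirement and the sample links (which use example.com) are assumptions made for the illustration.

```javascript
// Added example: decide whether a link really points at the Scratch website.
// The hostname scratch.mit.edu comes from the article; everything else is illustrative.
const REAL_HOST = "scratch.mit.edu";

function isRealScratchLink(link) {
  let url;
  try {
    url = new URL(link); // throws if the text is not a complete URL
  } catch {
    return false;
  }
  // Assumption of this example: a login page must use HTTPS.
  if (url.protocol !== "https:") return false;
  // Text before "@" is a username, not the site:
  // https://scratch.mit.edu@example.com/ actually goes to example.com.
  if (url.username !== "" || url.password !== "") return false;
  // The parser lowercases the hostname and turns lookalike letters from other
  // alphabets into "xn--..." form, so an exact comparison is enough.
  const host = url.hostname.replace(/\.$/, ""); // ignore one trailing dot
  return host === REAL_HOST;
}

// Constructed sample links: only the first two lead to the real site.
const SAMPLE_LINKS = [
  "https://scratch.mit.edu/projects/1/",
  "https://SCRATCH.MIT.EDU/login",
  "https://scratch.mit.edu.example.com/login", // real name used as a prefix
  "https://scratch.mit.edu@example.com/login", // real name used as a username
  "https://example.com/scratch.mit.edu/login", // real name hidden in the path
  "https://scratch-mit.edu/login",             // one character changed
  "https://scr\u0430tch.mit.edu/login",        // Cyrillic letter in place of "a"
  "http://scratch.mit.edu/login",              // not HTTPS
];

function checkSamples() {
  return SAMPLE_LINKS.map((link) => isRealScratchLink(link));
}

console.log(checkSamples());
```

A check that only asks whether the link contains "scratch.mit.edu" would accept every one of the fake samples except the two misspelled ones.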

A third type of phishing scam is in the form of an email from someone claiming to be an administrator and asking for an account password. An example would be an email saying "We have accidentally banned your account. Please log in here to avoid your projects being deleted. [link to a fake webpage]" or "Please activate your account today! Your projects will be deleted tomorrow if you don't activate it to a Scratcher rank! [link to a fake webpage]".

A fourth type is a project with a cloud list or variables asking for the user's password. While users would be able to input a fake password, those types of projects should be reported.

In any case where phishing is suspected, it is advisable to change the account password immediately, even if the page afterwards says that the action is successful.

How to Avoid Getting Phished

  • If a website seems suspicious, stay away from it. Never input an account password on an untrusted site. This could be used to steal your information and damage your account.
  • Do not use links from suspicious emails, websites, etc. Inspect URLs in such emails to see whether they are real or not.
  • An administrator of a site never needs any of your account information to "fix your account" or to "make sure the website works correctly".
  • Never share an account with anyone else.
  • Try changing passwords every few months.
  • Do not reuse passwords for different sites. If one of your accounts gets hacked, and another one of your accounts has the same password, it could be hacked as well.
  • Remember to make passwords easy to remember but hard to guess. Make sure your password has more than 8 characters, plenty of symbols and numbers, and capital and lowercase letters. Write down your password and keep it in a safe place.
  • Do not leave your account logged in on a shared device (for example: a school computer, a library computer, a shared family computer). Make sure to always log out when you are done.
  • Do not use bad password examples, for example ones in this list.

