This article has links to websites or programs not trusted by Scratch or hosted by Wikipedia. Remember to stay safe while using the internet, as we cannot guarantee the safety of other websites.
Phishing is a scam where somebody tricks a user into giving their personal and sensitive information away. The word "phishing" is a homophone (a word that is pronounced the same as another word but differs in meaning and may differ in spelling) of "fishing", which relates to the idea of somebody fishing for a password. People phish for various reasons, all of them bad. Real-world cases include identity theft and getting access to bank accounts or credit cards. On Scratch, it can be to embarrass someone, delete their projects, or get them banned.
Warning: If you feel like you are getting phished, stop immediately, tell a trusted adult, and report the phishing user. Never try to phish others.
How Phishing Works
Phishing usually happens when a website asks for the account username and password and promises something desirable in exchange, such as getting featured or gaining followers. For example, a site that says "Click here to get 5000 followers for free!" and asks for your Scratch username and password is dangerous. Never enter them into an untrusted website. If credentials are entered, the phisher will have access to your account.
Another situation could be a webpage that looks exactly like the Scratch homepage, but lies on a server with a different address. Here, the login password will be phished if the user attempts to log in. Therefore, do not trust an internet address sent by any means, even if it looks like a familiar site. It is highly recommended to look at the URL - scratch.mit.edu is the real site; anything else is fake.
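The address check described above, as an added example that is not part of the original article: a link is accepted only when its parsed host is exactly scratch.mit.edu. The function name `checkScratchLink`, the sample links and the https requirement are assumptions made for this example.

```javascript
// Added example: accept a link only if its host is exactly the real Scratch site.
const REAL_HOST = "scratch.mit.edu"; // the only real address, per the article

// Hypothetical helper: returns { ok, reason } for a link before it is opened.
function checkScratchLink(link) {
  let url;
  try {
    url = new URL(link); // WHATWG parser: lowercases the host, punycodes IDNs
  } catch (err) {
    return { ok: false, reason: "not an absolute URL" };
  }
  // Assumption for this example: the real site is only reached over https.
  if (url.protocol !== "https:") {
    return { ok: false, reason: "not https" };
  }
  // "https://scratch.mit.edu@other.example/" shows the real name before the
  // "@", but that part is a username; the host is what follows it.
  if (url.username !== "" || url.password !== "") {
    return { ok: false, reason: "userinfo in link" };
  }
  // Compare the whole host. A substring or "starts with" test would accept
  // scratch.mit.edu.other.example, which belongs to other.example.
  const host = url.hostname.replace(/\.$/, ""); // drop a trailing root dot
  if (host !== REAL_HOST) {
    return { ok: false, reason: "host is " + host };
  }
  return { ok: true, reason: "host matches" };
}

// Constructed sample links (not taken from any real message).
const samples = [
  "https://scratch.mit.edu/projects/1/",
  "https://SCRATCH.MIT.EDU/",
  "http://scratch.mit.edu/",
  "https://scratch.mit.edu.login.example/",
  "https://scratch.mit.edu@login.example/",
  "https://scr\u0430tch.mit.edu/", // Cyrillic "а" in place of Latin "a"
  "scratch.mit.edu/login",
];
for (const s of samples) {
  const r = checkScratchLink(s);
  console.log((r.ok ? "OK   " : "FAKE ") + s + "  (" + r.reason + ")");
}
```

The check works on the parsed host rather than on the text of the link, because the text is what a fake page is designed to make look familiar.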
A third type of phishing scam is in the form of an email from someone claiming to be an administrator and asking for an account password. An example would be an email saying "We have accidentally banned your account. Please log in here to avoid your projects being deleted. [link to a fake webpage]" or "Please activate your account today! Your projects will be deleted tomorrow if you don't activate it to a Scratcher rank! [link to a fake webpage]".
A fourth type is a project with a cloud list or variables asking for the user's password. While users would be able to input a fake password, those types of projects should be reported.
The phished password could also give access to the computer, and malware could be installed alongside it to infect the computer. This makes changing the account password harder and can damage the computer, sometimes irreversibly without reinstalling the operating system.
In any case where phishing is suspected, it is advisable to change the account password immediately, even if the page afterwards says that the action is successful.
How to Avoid Getting Phished
- If a website seems suspicious, do not use it. Never input an account password on an untrusted site.
- Do not use links from suspicious emails.
- An administrator of a site never needs any account password to fix something on the account.
- Only tell a trusted adult (such as a parent or guardian) the account password.
- It is recommended that the account password is changed every few months.
- Do not use the same password for different sites. One of them might be hacked so that it captures the account password, which could then be used on the other websites.
- Remember to make passwords easy to remember but hard to guess. Using uppercase and lowercase letters, numbers, and symbols makes a password harder to guess; however, this does not help against phishing. Do not use common passwords like the infamous "password" or "123456".
Good password examples:
Bad password examples:
- See also: Password#Examples of Weak Passwords