
How To Explain Phishing To A Five-Year-Old

Duncan MacRae is former editor and now a contributor to TechWeekEurope. He previously edited Computer Business Review's print/digital magazines and CBR Online, as well as Arabian Computer News in the UAE.


The definitive definition of phishing (not fishing) from the experts for the kids (and adults, too)

Alexandru Catalin Cosoi, chief security strategist at Bitdefender

“By the broadest definition, phishing would describe someone impersonating a trustworthy source with the purpose of acquiring sensitive information. In the IT world, such information usually includes usernames, passwords, or credit card details.

“If you remember the movie Home Alone, you probably remember the ‘police officer’ who visited the McCallisters the day before they left for vacation. Although he was a burglar, his convincing law enforcement impersonation led the McCallisters to volunteer information about where they were going and for how long. Abusing the trust that came with the uniform, he was able to ‘phish’ for information. Knowing when and for how long the house would be empty was enough for the burglar to plan a housebreaking. Sometimes it’s hard to spot a fraudster, especially if he’s good at pretending. The trick is to always pay attention to who you’re talking to.”

Alex Jarrett from Phish’d by MWR InfoSecurity

“Imagine you were in the playground and one of the school kids gave you a wrapped present and said that it was from one of your best friends. As you know, you shouldn’t accept things off strangers, but because you think it has come from a friend and the boy seems to be nice, you accept the gift.

“Excited about your present, you sit down and start unwrapping the gift. Is it Lego? Is it a yoyo? Is it sweets? After opening the wrapped box you find some football playing cards, which are a bit boring and rubbish so you continue playing with your other toys.

“What you didn’t realise when opening the box was that a horrible bug climbed out and ran up your sleeve. This nasty bug is very naughty and likes to bite. Sometimes it bites straight away, or sometimes it hides up your sleeve for a long time waiting for the right time to bite you.

“If you ever receive a gift that you were not expecting, be very cautious and ask an adult (IT Security) to check it first.”

Scott Tyson, sales director at email security company Mailprotector

“Imagine you were going through your Match Attax football cards with your mates and showing them all the special 100 club and Man of the Match cards you have. A kid who is new to your school starts acting like they are one of your friends and wants to share their lunch with you and also has a keen interest in your football card collection.

“You think you have become close friends and you trust him with your entire collection during a playtime and whilst you were away, your best 100 club card was taken by this trusted friend and when you return you find the album minus the 100 club card sitting on the seat and your ‘friend’ gone.

“Basically, phishing is an attempt to steal important information by pretending to be a trustworthy (i.e. friendly) application.”

Amy Baker, VP of marketing at Wombat Security Technologies

“Sometimes bad guys send electronic notes to us on computers trying to get us to share our secret information so that they can use it to pretend to be you and steal your stuff. They can pretend to be your friend online and ask you where you keep your money and how to get to it so that they can steal it. Bad guys can pretend to be someone you know and call you on the phone to ask you secret information like where you keep your favorite toys so that they can steal them later.”

David Emm, principal security researcher at Kaspersky Lab

“Mummy and Daddy have always told you not to talk to strangers, because you never know what strangers are going to do.

“So imagine a stranger comes up to you in the playground, and starts asking you lots of questions. Questions like; ‘Where do you live?’ ‘Is your Mummy at home?’ ‘Who’s going to pick you up after school today?’ ‘What time does your Daddy come home from work?’

“These questions sound friendly, and you might think the stranger is trying to help you. But they could just be trying to gather up information on how they can break into your home, and steal all of your toys.

“That’s what phishing is: trying to trick you into telling someone information that it’s best to keep secret. Except that it’s more than just your toys that are at risk.

“Imagine the stranger isn’t right in front of you, but sends a message to your computer asking questions like; ‘What’s your Club Penguin or Moshi Monsters password?’, ‘What’s the password to your computer?’, ‘What’s your address and phone number?’

“Again, this stranger may sound friendly. They might even pretend to be another little boy or girl. But they are actually going to use the information they ask for to try to break into your computer, and steal all of your secret information for themselves.

“NEVER tell anyone other than your Mummy or Daddy your secret information.”

Ian Trump, security lead, LogicNow

“Daddy and mummy do a lot of important things on the computer. They order books, toys and clothing for you. Sometimes they order the weekly food shop too. The postman or delivery service brings a lot of things to the house they order. Sometimes bad people send emails to mummy and daddy, as they want money or they want the passwords to those places your parents order from. The bad people are tricky and mean. When they send email this is known as P-H-I-S-H-I-N-G, because the bad guys are using a baited hook to trick mummy and daddy.

“The bad people will lie and say things like ‘your cousin is in trouble and needs money’, or ‘mummy or daddy won a vacation!’ It’s not true. They are trying to be tricky and get passwords.

“You can help mummy and daddy protect themselves from P-H-I-S-H-I-N-G attacks. Make sure you tell them to never click on email links from people they don’t know! You can also tell them to use complex passwords with letters, numbers and funny characters like ‘&’, ‘#’ or ‘£’!”

Gavin Watson, professional services and social engineering team manager at RandomStorm

“Phishing is like in Little Red Riding Hood, where the big bad wolf puts on Grandma’s clothes and pretends to be Grandma. Little Red Riding Hood is suspicious, so she asks lots of questions like, ‘Grandma, why are your ears so big?’ and he puts on a voice and answers, ‘All the better to hear you with’. All the time the wolf is pretending to be her grandma, he is really getting ready to eat Little Red Riding Hood.

“In the real world, sometimes bad people pretend to be people who know you, so that they can get close to you and persuade you to share secrets with them. To find out the secrets they might ask where you live and how to get into your building, who you sit next to in class, who your family are, what your pet’s name is, what your favourite games are and how to get into your computer so that they can play them with you. Little Red Riding Hood was able to see that the wolf looked different to her Grandma, but on computers it’s hard to tell who is asking you for information, so you have to be extra careful about what you tell them.”

TK Keanini, CTO at Lancope

“Phishing is like a magic trick where you think one thing is going to happen, but another does, and it ends up bad for your computer.

“Phishing is a trick like when Snow White is told to eat the apple, which appears to be harmless, but when she does, the evil queen puts a spell on her and she sleeps until prince charming can uninstall the malware and reboot her. :-)

“There are bad people on the Internet that want to trick you. They are good at it, and everyone, even experts and very smart people, has been tricked by these bad people. You must not believe everything you see on the Internet, because some of it is just there to trick you into clicking on something or downloading some software. This software is harmful to the computer and the Internet as a whole. Don’t click or download anything you cannot verify with your mom or dad to be safe.”

Thomas Labarthe, managing director Europe at Lookout

“Phishing attacks try and trick you into giving up information about you or your family online. This could be an email that is designed to look like an urgent message from someone important to you, such as your teachers or parents. For instance, bad guys might send emails with subject lines like: ‘Missing homework’ or ‘Confirm your place on the school trip’ to lure you to phony websites that look similar to the real ones they’re impersonating.

“Thinking that you have landed on the school’s webpage, you might enter your name and password – unknowingly giving away your private information to the bad guys. For adults, banking, donation and government sites are some of the most frequently targeted by phishing attacks.

“Phishing attacks have also ‘gone social’. Suppose your Mum receives a Facebook message with a link asking: “Hey, do you remember this photo?” She clicks, expecting to see a picture and is taken to the Facebook login page. However, if she isn’t paying close attention she may not notice that she’s been redirected to a scam site that is just pretending to be Facebook and the information she enters will be visible to the bad guys.”

Brandon Ackroyd, head of customer insight, Tiger Mobiles

“Fortunately, phishing is one of those technical words that sounds a lot more complicated than it really is. In very basic terms, phishing is just tricking people into giving information. This is actually easier than you’d think to explain to a child, since most children try to ‘phish’ for info as much as they can! Consider examples that your child can relate to. Things like trying to get mum to reveal what Santa is bringing for Christmas. Or trying to get siblings to tell them what they’re getting as a birthday present.

“Phishing is when the bad guys try to get you to tell them your secrets. Those secrets might be your username on Candy Crush, or it could be your phone number or a password. Children instinctively understand secrets, so these kinds of explanations should make sense to them. The important thing to remind your child of is that all information is private unless you’re talking to close family members. ‘When in doubt, don’t say anything’ should be the rule! In the same way that you school your kids not to talk to strangers on the street, they shouldn’t talk to strangers on the phone – whether that stranger is calling, texting or messaging inside a game or app. Stranger danger is just as important on the phone or online as it is in real life!”

Thomas Fischer, principal threat researcher, Digital Guardian

“Phishing is an evil trick baddies use to steal secrets from your computer. Secrets you don’t want them to know, like your magic passwords or where you live. Imagine that your computer is a big castle, with big walls around it and locked doors to protect your magic passwords. The baddy wants to steal them but he isn’t strong enough to break down the doors or climb over the walls. So instead, he tries to trick you into telling him your magic passwords without realising. Of course, he knows you wouldn’t just tell him your passwords if you know he’s a baddy, so he pretends to be someone you already know.

“Sometimes he might pretend to be a friend who will give you some sweets if you tell them your magic password. Other times he might pretend to be your school teacher who needs to know your passwords for something important. But if you fall for his trick and tell him your passwords, he won’t give you any sweets. Instead he will use them to break into your castle, take all of your stuff and make a big mess. Luckily, a lot of baddies aren’t very clever and it is easy to spot their tricks. But the baddies are getting more clever, so make sure you don’t get tricked!”

Tony Neate, CEO, Get Safe Online

“There are two different sorts of fishing – one sort is when you go with your Mum and Dad and you use a fishing rod to catch lots of lovely fish. This is the good kind of fishing. But there is also a bad kind of fishing called ‘phishing’.

“This is where an evil baddie sits at his computer and instead of fishing for fish, he phishes for information that belongs to other people and which he plans to use to steal people’s money and upset them. To do this, he pretends he is actually a Fairy God Mother, a person who everyone trusts and wouldn’t think would want to hurt them. So, with his best Fairy God Mother disguise, the baddie messages people on his computer and asks them to tell him their deepest secrets and share all their information. Of course, they all think they are talking to the Fairy God Mother who would never use these secrets to cause harm so they tell him everything.

“The baddie lets out a loud cackle! With all of this information, he can go to the bank, pretend to be different people and take all their money. He can then go to the shops and use that money to buy lots of expensive things. To stop the evil phishing baddie, make sure you keep an eye out for any messages that ask for secrets and check with the Fairy God Mother to see if it is really her asking questions.”

Jason Steer, chief security strategist EMEA, FireEye

“Imagine you are a goldfish and someone walks by your fish tank trying to tempt you with a really tasty treat. Not some boring fish flakes but something you rarely get, something really yummy, like a strawberry. You swim up and up to get the tasty treat, but when you get there and try to take a big bite you discover that it isn’t a real strawberry! It looks and smells like one, but it’s not real and now you are caught on a painful hook. Whilst it looked so real, it was all a trick…if only you hadn’t been tempted.

“Hackers are like the person luring the fish to eat a tasty treat, only they work on the computers and create tasty and tempting offers to trick you into clicking on them. This is called phishing, not fishing.”

Ramsés Gallego, international vice president of ISACA and security strategist & evangelist with Dell Software

“Phishing is the art of stealing (or “fishing” for) information through disguise. It’s a method the bad guys use to siphon off your personal information by making you feel safe and believe that they are someone or something that you can trust.

“Phishers send you emails with URLs that direct you to what looks like a reputable web page, but is actually a site they set up to infect your device with a virus or, in the most serious cases, demobilise an entire network.

“It’s a stealth attack that comes without notice, with a link that often leads you to play a game, read an article, etc. However, through sophisticated hacking methods, in reality it is actually stealing your personal information and sometimes even your whole digital identity.

“The increasing frequency of these attacks requires us to be more vigilant about the links we click, and there also needs to be greater education and awareness promoted about these attacks if we are to win this battle.”

Orlando Scott-Cowley, cyber security expert at Mimecast

“Phishing is a bit like fishing; sending out a line with tempting bait into the sea, hoping to catch a big fish. When you ‘phish’ online though, instead of using a rod and line with a hook and a worm, a bad guy sends an email to a company with bait inside…and you’re the fish he’s trying to catch! The bait in the email is a good reason to click on a link or download a file and when you select it (or get hooked) then the phisherman gets access to your computer. The people who do it are trying to get to private information about you and your company and use it to cause trouble or make money. It’s important to learn how to avoid it and stop it from getting to your inbox – that way you can protect yourself and your business and make sure you don’t get hooked.”

Trey Ford, global security strategist at Rapid7

“Phishing is when a criminal uses email or social media to try to trick a person into opening an attachment or clicking on a link. This helps them do something bad to your computer, phone or tablet, or a website you use. For example, they might send you an email offering you a free toy or game, and when you click on the link, they take you to a webpage that infects your computer with something nasty. Or it asks for information that lets them pretend to be you on the internet. Maybe they know you like kittens, so they send you a picture of a kitten as an attachment, and they hide the nasty thing in the picture file, so when you open it, your computer gets infected.

“The best thing to remember is never to click on links or look at attachments from people you don’t know. Be careful what kind of information about yourself you share publicly on the internet as this can help people create emails that will target you more effectively. For example, if you talk about puppies a lot on the internet, a bad guy will know you will be more likely to look at their email if they include something on puppies.”

Robert Arandjelovic, EMEA security evangelist at Blue Coat

“Phishing is when someone uses electronic communication – typically email – to pretend that they are an official or trusted person in order to get the target to give up important private details like passwords or banking information. Phishing attacks are often just sent out to as many people as possible, casting a wide ‘net’ where they hope to collect as many of those details as possible (hence the name), with the plan to sell those details in bulk on the black market. Think of it as accidentally giving someone the combination to your school locker: that person could then take any notes or valuables inside of your locker without having to break into it (which would make noise and leave a trace).

“Of late, phishing attacks have become smarter, using news from current events or personal information from the internet and social media to tailor their phishing emails more closely to the target’s life so it’s much more believable, and thus more likely to “hook” them. Phishing has also been used as a first step in launching a bigger attack on organizations or important people. “Spear phishing” emails target employees at a specific company, collecting the details needed to pretend to be a legitimate user and gain access to the corporate network. Once inside the network, it’s possible to access bigger and more important systems which contain valuable information.”

Tim Cox, CTO at SecureData

“Think of a young child going out to fish. As a beginner he puts a worm on his hook, casts and then waits hoping that something will be tricked into taking the worm – this is the basic form of a Cyber Phishing attack, a broad target with a bait that lacks subtlety and realism.

“The child learns and gets better at putting the worm on so it looks more lifelike, stays on the hook and starts to catch fish. This is the same in the Cyber world, the attacker crafts better emails with more believable addresses and forms.

“The child then decides that he is going to focus on catching a specific species, trout for example, and uses more directed and subtle techniques such as fly fishing. This is a more subtle form of Cyber-attack, the email is crafted to attract a specific type of person, a finance clerk for example, with a targeted bait such as a copy of an invoice.

“Cyber phishing is doing the same thing, putting a bait out there to tempt people to either directly send sensitive information or to allow the attacker to deploy malware on a computer, which in turn gives them the desired information.”

David Flower, managing director, Bit9 + Carbon Black EMEA

“A phishing attack is when a bad person tries to trick you into telling them things that you mustn’t tell anyone, like where you hide your piggy bank. They will often send you messages on your computer that look like they’ve come from a friend or someone you trust so that you don’t suspect anything is wrong.

“Unfortunately, the bad people are getting much better at finding out about you, so they know exactly what to say to get you to tell them what they want to know. They can also really easily get past the common security tools that people use to protect their computer. This is why, when you’re online, it’s important to always make sure that people are who they say they are. You also need to have security tools that are always watching and recording everything that happens on your computer so you can catch the baddies and report them to your IT/Security team before they can get away.”

Mike Spykerman, vice president of product management at OPSWAT

“Phishing is a little similar to when you and your dad go out ‘fishing’, only the roles have been turned upside down: With phishing, you are the fish that the bad guys are trying to catch. Instead of using worms, which would not exactly be appealing to you, phishers use an email as bait. The email tries to ‘catch you’ by getting you to click on a link or email attachment that will download a virus on your computer, or to fill out your personal information on their website.

“The ‘phishers’ trick you by making the email seem real and important, such as an urgent email from a bank, a shipping notice of a package you ordered, or a notice to appear in court. Sometimes phishers will actually collect information about you online to make the email look even more real. Once you take the bait, the phishers will try to access your accounts, such as your bank account or email account. You can stop the bad guys by making sure your web browser is up-to-date, regularly running anti-virus updates, and being cautious about opening emails that look out of the ordinary or too good to be true.”

Pat Peterson, CEO of Agari

“Everyday email remains one of the most exposed access points in the business network. Unfortunately, the unavoidable issue for organisations looking to maintain email correspondence with their customers – whether to let them know about the latest fashion trends, the next big toy sale or changes to their bank account – is how can they expect their busy customers to spot poisoned emails from bad guys when the message they receive looks innocent.

“Phishing is when cyber-criminals send out a fake email that looks like the real thing to try and steal someone else’s personal information. A phished email encourages the recipient to click on a link or enter personal data that can then lead to a data breach. For example, you could receive an email from Toys R Us telling you that if you click on the link, you can buy the newest Peppa Pig DVD. You would want to click on it, right? However, this was just to convince you to click on the link, and when you do, it takes you to another website, which steals your information. This is called ‘Phishing’.”

Grayson Milbourne, security intelligence director at Webroot

“Phishing is an online scam that conmen use to trick you into providing personal details. They use spam, fake websites constructed to look identical to real sites, email and instant messages to get you to provide passwords, bank details and credit card numbers. Once you take the phisher’s bait, they can use the information to create fake accounts in your name, and steal your money or even your identity.

“Phishers will often pretend to be real companies, and they can create really convincing sites to snag you. Websites and messaging may seem real, but a few tell-tale signs that it’s a phishing scam are:
· Requests for confidential information via email or instant message
· Emotional language trying to scare you to respond quickly
· Spelling mistakes in website addresses – similarly to when fake Gucci bags are labelled ‘Guci’ or something similar
· No customised information within a message. Legitimate emails from banks and credit card companies will often include part of your account number, user name or password.

“There are a few simple steps to stop yourself from being ‘phished’, like keeping an eye out for the padlock icon to make sure a website is legitimate and not opening emails from people you don’t know. If you think you’ve been targeted, alert the ‘real’ company immediately – and of course make sure your antivirus protection, firewall and antispyware software is all up to date.”
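The four tell-tale signs in the list above can be turned into a small screening check. The code below is an added example, not Webroot’s code or anything from the original article; the trusted-domain list and the two sample messages are constructed for illustration, and the look-alike test uses plain edit distance so that ‘Guci’-style misspellings of a known domain stand out.

```python
import re

# Constructed allow-list of domains the reader already trusts (assumption, not from the article).
TRUSTED_DOMAINS = {"examplebank.com", "gucci.com", "toysrus.com"}

# Sign 1: the message asks for confidential information.
CONFIDENTIAL_REQUEST = re.compile(
    r"\b(password|pin|account number|card number|security code|verify your (account|details))\b",
    re.IGNORECASE)
# Sign 2: emotional or urgent language pushing a quick response.
URGENCY = re.compile(
    r"\b(immediately|urgent|within 24 hours|suspended|final notice|act now)\b", re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 'guci.com' is one edit away from 'gucci.com'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_dist: int = 2):
    """Sign 3: return the trusted domain this one imitates, or None if trusted or unrelated."""
    domain = domain.lower()
    if domain in trusted:
        return None
    for t in trusted:
        if edit_distance(domain, t) <= max_dist:
            return t
    return None


def phishing_indicators(sender: str, body: str, recipient_name: str, account_hint: str = "") -> list:
    """Apply the four signs to one message and return the names of those that fire."""
    hits = []
    if CONFIDENTIAL_REQUEST.search(body):
        hits.append("requests confidential information")
    if URGENCY.search(body):
        hits.append("urgency or scare language")
    domain = sender.rsplit("@", 1)[-1]
    imitated = lookalike_of(domain)
    if imitated:
        hits.append(f"look-alike domain {domain} (resembles {imitated})")
    # Sign 4: a genuine bank or shop mail normally carries your name or part of your account number.
    personalised = recipient_name.lower() in body.lower() or (bool(account_hint) and account_hint in body)
    if not personalised:
        hits.append("no customised information (generic greeting)")
    return hits


# Two constructed sample messages: one phishy, one legitimate.
PHISHY = dict(sender="alerts@examplebnak.com", recipient_name="Alice Smith", account_hint="4321",
              body="Dear customer, your account has been suspended. Verify your account "
                   "immediately by confirming your password.")
LEGIT = dict(sender="alerts@examplebank.com", recipient_name="Alice Smith", account_hint="4321",
             body="Hello Alice Smith, your statement for account ending 4321 is ready to view.")

if __name__ == "__main__":
    for label, msg in (("phishy", PHISHY), ("legit", LEGIT)):
        print(label, phishing_indicators(**msg))
```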
