Real or Phish Practicing Recognizing Phishing Attacks Necessary Items Estimated Time: 15-20 minutes What You’ll Need: Copies of the “Real or Phish?” worksheet Description: Students examine phishing as an example of an common online scam. Phishing takes advantage of human weaknesses and the fact that websites use passwords for authentication. Students will get practice inspecting emails and talking about what would make an email suspicious. The activity is intentionally unplugged, but the worksheet asks how students would inspect each email if they were on a computer or phone (e.g. hovering over the link or right-clicking the button to check the link destination, or doing a search to get more information about the sender or the company named in the email). Running the Activity • Pass out worksheets and give students time to read through the instructions. • Break students into small groups, if relevant (or use as an individual activity). • Have students inspect the emails on the worksheet and decide whether they are real or a phishing attempt. They then fill out the questions for each email. • Bring the class back together. For each email, ask a group or student to share their answer for “real or phish?” then ask them to describe how they chose their answer. Engage the class in a discussion of each email using these prompts: • What did you look for? • Which one was the most difficult to tell? Why? • Which one was easiest to tell? Why? • What do you do when you see a suspicious email or message? • How confident are you in your ability to spot a phishing email? Cover these Points in the Discussion The activity is meant to feel difficult and ambiguous. It is difficult, if not impossible, to tell whether an email is a phishing attack by visual inspection alone. There are some tells for a scam email, but they aren’t foolproof. Legitimate emails still break the “rules” sometimes. Context is the most important thing. If you get an email from a bank that’s not yours, you know that it’s not for you. If you get an email about an activity, purchase, or transaction that you can’t remember, you should probably ignore it. If you get an email demanding you take immediate action, you should go directly to the site or the app and investigate your account details. Later in the lesson, we’ll talk more about the reasons why phishing works and how to avoid falling victim to a scam. Possible Answers • USPS notification: Phish • The From address has a random-sounding domain; it’s not usps.com. • The subject is “Information”, which is much less specific than you’d expect from a government agency with a reputation for being precise. • The language is awkward — especially unusual for a form notice from a government agency. A “shipping label” is what the sender puts on the package, not what the recipient uses to claim it. • Your email program tagged it with a little red flag at the top. • What link does the button show if you hover over it? • UC Berkeley library account: Phish • Do you attend UC Berkeley? Do you have a UC Berkeley library account? Receiving a phishing email for an account you don’t have is an easy way to identify a scam. • If you had an account, how likely would it be that it would suddenly expire due to inactivity? Is it likely that a university library would require students and staff to log in frequently to maintain an account, or would they keep the account active as long as the person was associated with the university? • Did the university tell you anything about account expiration when they gave you the account? • If you could see the From address, you could check whether it was in the berkeley.edu domain. • What do the reactivation and email-for-help links look like if you hover over them? Do they match the text you see? • If you had a UC Berkeley library account but you really weren’t sure if the email was legit, you could type the URL directly into the URL bar, and check your password settings from there. Answers • BestBuy order: Phish • The From address has a random-sounding domain; it’s not bestbuy.com. • The email is addressed to “dave” but the email says “Sir/Madam.” Most, though not all, real emails are addressed using your name. • It’s suspicious to ask you to fill out a separate form to correct the address. • The language is awkward, especially the message about timing. • It threatens you with deducting $17 from your refund, which is a random amount and doesn’t seem likely for Best Buy to do. • Did you even order anything from Best Buy recently? • On the other hand: The boilerplate parts of the message, like the footer, seem very standard for an online retailer. • Zoom password: Real • Do you have a Zoom account? • If you have an account, did you just request to change your password? • Sent from an email address in the zoom.us domain, which matches the name of the service it claims to be from. But .us is a slightly unusual top-level domain for a big service company; how do you know that it shouldn’t be zoom.com? • If you click on the dropdown next to the To line to get the full header, is the Reply-To address also in the zoom.us domain? • The body of the message includes the recipient’s real name. • What do the links look like if you hover over them? 1.Bank payment: Phish •Have you ever used a service called “epayment.com” to receive money? Do you know whether your bank is associated with such a company? •Are you expecting someone to wire money to you? •The name in the From address says “Bank” instead of the name of a bank. •The Reply-To address is a Gmail account (which would be unusual for a bank), and it doesn’t match the From address domain. •The language is awkward. •You shouldn’t open zip files from unexpected senders. Image Credits for “Real or Phish?”: 1.USPS notification: Screenshot by David Ellis for Security Metrics. (Copyright phishy author.) 2.UC Berkeley library account: Screenshot by Teaching Security from the Berkeley Information Security Office’s phishing email collection. (Copyright phishy author.) 3.BestBuy order: Screenshot by David Ellis for Security Metrics. (Copyright phishy author.) 4.Zoom password: Screenshot by Teaching Security. Email text copyright Zoom.us. 5.Bank payment: Screenshot by David Ellis for Security Metrics. (Copyright phishy author.) • Alternative Exercise • The activity “Something’s Phishy” from our sister project Teaching Privacy has a similar structure, but includes mouseover popups rather than leaving further inspection as an open topic for discussion.