Phishing is a scam where somebody tricks a user into giving their password away. The word "phishing" is a homophone (a word that is pronounced the same as another word but differs in meaning and may differ in spelling) of "fishing", which relates to the idea of somebody fishing for your password. People phish for various reasons, all of them bad. Real-world cases include identity theft and getting access to bank accounts or credit cards. On Scratch, it can be to embarrass someone, delete their projects, or get them banned.
How Phishing Works
Phishing usually happens when you go to a website that asks for your username and password and promises good stuff in exchange, such as getting featured or gaining followers. For example, a site that says "Click here to get Scratch running on your mobile device for free!" and asks you to type in your Scratch username and password is dangerous. Never put them into a website that you do not trust. If you do enter your credentials, the phisher will have access to your account.
Another situation could be a webpage that looks exactly like the Scratch homepage, but is hosted on a server with a different address. If you try to log in there, your password will be phished. Therefore, do not trust an internet address given to you, even if it looks like a familiar site.
A third type of phishing scam is in the form of an email from someone claiming to be an administrator and asking you for your password. An example would be an email telling you "We have accidentally banned your account. Please log in here to avoid your projects being deleted."
A phished password could also give someone access to your computer, and malware could be installed along with it to infect your computer, making it harder to change your password.
If you suspect that you have been phished, change your password immediately.
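The look-alike page on a different address is easier to spot once you see which part of a link is the real site name. The check below is an added example, not part of the original article; it assumes the genuine site's hostname is scratch.mit.edu, and the sample links are constructed using reserved .example names.

```javascript
// Added example: does a link really point at the trusted site?
// TRUSTED_HOST is an assumption (hostname of the genuine Scratch site).
const TRUSTED_HOST = "scratch.mit.edu";

function checkLink(link) {
  let url;
  try {
    url = new URL(link); // same URL parsing rules that browsers use
  } catch {
    return { safe: false, reason: "not a valid absolute URL" };
  }
  if (url.protocol !== "https:") {
    return { safe: false, reason: "not an HTTPS link" };
  }
  // Anything before '@' is a username, not the site: the host comes after it.
  if (url.username || url.password) {
    return { safe: false, reason: "text before '@' is not the site name" };
  }
  const host = url.hostname.replace(/\.$/, ""); // ignore a trailing dot
  // Non-ASCII look-alike letters are converted to an "xn--" label by the parser.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { safe: false, reason: "look-alike characters in the host name" };
  }
  // Compare the whole host name; a familiar prefix proves nothing.
  if (host !== TRUSTED_HOST) {
    return { safe: false, reason: `host is ${host}, not ${TRUSTED_HOST}` };
  }
  return { safe: true, reason: "host matches exactly" };
}

// Constructed sample links (.example is a reserved placeholder domain).
const SAMPLES = [
  "https://scratch.mit.edu/login/",         // genuine host
  "https://scratch.mit.edu.login.example/", // real name used as a prefix
  "https://scratch.mit.edu@login.example/", // real name placed before '@'
  "https://scratch-mit-edu.example/login",  // similar-looking name
  "https://scr\u0430tch.mit.edu/",          // Cyrillic letter instead of 'a'
  "http://scratch.mit.edu/login/",          // right host, but not HTTPS
];

for (const link of SAMPLES) {
  const { safe, reason } = checkLink(link);
  console.log(`${safe ? "OK  " : "STOP"} ${link} (${reason})`);
}
```

Only the first sample passes; every other link shows a familiar name somewhere in the address while the host that actually receives the password is a different one.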
How to Avoid Getting Phished
- If websites seem suspicious, do not use them. Never input your password on an unverified site.
- Do not open websites from emails you do not trust.
- An administrator of a site never needs your password to fix something on your account.
- Only tell a trusted adult your password.
- Do not use the same password for different sites. One of them might be hacked so that it phishes your password and uses it on the other webpages. Remember to make your passwords easy to remember but hard to guess. Using uppercase and lowercase letters, numbers, and symbols makes a password harder to guess, but does not help against phishing.
Good password examples:
Bad password examples: