How to avoid phishing attempts. However it’s spelled, it’s bad news

Hi, everyone. Sal Khan here from Khan Academy, and I'm here with Grace Hoyt, head of Account Security Partnerships at Google to talk a little bit about online safety. Welcome, Grace.

Thanks for having me, Sal.

So let's just start at the basics. What is online safety and what's the worst that could happen?

As we spend more of our times online, we think about online safety in a way that people can go about their work or school or personal activities online in a way that they feel safe and secure. A big topic in this space that we like to provide guidance on is something called online scams, and in particular, how to avoid phishing.

Now, phishing, spelled with a P-H, P-H-I-S-H-I-N-G, what is that? It starts to evoke, people are maybe fishing for me.

That's right, Sal. Phishing does have the namesake from the word with fishing, with an F, but this phishing we're talking about is an attempt to impersonate someone, a trusted source, or reach you via email, phone, or call, and try to get access to someone's personal information, such as their bank account information, their passwords, or address, and things like that. So phishing is a way to sort of bait and hook someone into giving up personal information. Unfortunately, about 80% of all cyberattacks begin with phishing. So this is something we think it's really important for people to be able to spot and recognize on their own so that this doesn't happen to them.

And what form do these phishing attacks take?

So these can be emails impersonating a trusted source. These can come in the form of spammy text links or phone calls. One of the most important tips that we like to advise people is to not click on a URL link before verifying that it really is the source you're trying to get to. So it's always best to actually go directly to a website. For example, if you're trying to reach your bank or track the delivery of a package, type that directly into your URL, as opposed to opening a suspicious link right out of your email inbox or text message. Now, if you want to actually look more closely at a link before clicking on it, on mobile, you can press and hold down on the URL and look for suspicious aspects of that link or typos, but you can also just use the option to go directly to that link yourself, as opposed to opening it out of something that looks suspicious.

Okay, so this has definitely happened to me in the recent past, where I get these text messages for, "Fraud alert for your bank account," and sometimes it's from a bank where I don't even have a bank account, so they're just trying to see if I happen to be... "Someone just charged $10,000." I'm like, oh, my god, and then I look at it and the URL looks a little bit shady. To your point, you have to really confirm what the URL is, even if it doesn't look shady, and on mobile, you can press and hold. Sometimes you get these emails that say, "Hey. Someone has just done the following on your Amazon account. Go log into your Amazon account here," and it's probably a link to a fake Amazon website. You type in your credentials. Now they can actually log into your Amazon account or your banking account, or whatever else.

Absolutely. So unfortunately that's oftentimes a way that folks are trying to grab that password and have you hand it over to them. So you're exactly right, Sal. So we do recommend that people go straight to that URL.

Well, thanks for that. I think we're all a little bit less likely to get phished and get hooked.