Cybersecurity and cybercrime

A key aspect of online safety that affects both children and adults is cybersecurity: knowing ways to minimise the risk of a cyber-attack. This involves protecting the devices that are used to access online apps, games and services, but also protecting online accounts from unauthorised access. As an educator, it is important for you to understand how to teach the children/young people you work with to protect their data and devices. It is also important for you to know how to protect yourself as an individual, as well as ways to minimise the risk of cyber attacks in your school/place of work.

This deep dive will explore some of the most common forms of cybercrime that you or your learners may encounter online, specifically online scams such as phishing, and the use of malware.

Why is cybersecurity important?

Smartphones, computers, games consoles and other internet-connected devices are a fundamental part of modern life. The young people you work with may be using a range of devices to access online services and may have many different online accounts for different purposes (such as social media, online games, video sharing, email and possible finance/online banking).

Developing positive habits around privacy and security can help your learners not only protect themselves (and others) from being the victims of cybercrime, but also protect themselves from being drawn into criminal activities online.

What is cybercrime?

The term cybercrime is often used as an umbrella term to describe two types of criminal activity that involve technology:

  • cyber-enabled crime – traditional crimes whose scale or effectiveness can be enhanced by technology (for example, child sexual exploitation, blackmail, fraud, extortion, and drug smuggling).
  • cyber-dependent crime – crimes that can only occur through the use of computers, networks and information and communication technology (for example, hacking, cyber espionage, data theft, creating and distributing malware, and Distributed Denial of Service (DDoS) attacks).

This deep dive will largely focus on ways that users can protect themselves from cyber-dependent crime, although many of the strategies can help reduce unauthorised access to personal data that could lead to other crimes such as fraud, identity theft or extortion.

What are the motives behind cybercrime?

Just as a user’s personal data has value to the online platform/company collecting it, it also has value to a cybercriminal. Most cybercrime is driven by a criminal’s desire to acquire the personal data of online users. With enough personal data, a cybercriminal could:

  • Use the information to access online accounts that enable them to collect/steal more personal data.
  • Sell personal data (such as credit card details, account passwords, etc.) to other criminals online.
  • Impersonate a user – either to commit fraud or to commit acts that might damage their reputation, well-being or safety.
  • Hijack a user’s accounts/devices to use in other crimes, such as using them as part of a coordinated attack alongside other hacked accounts/devices to take down a website.

However, there are other motives behind some cybercrime. For some online users, it could form an attempt to prank or trick others for their own amusement or enjoyment. In some cases, acquiring personal information might form part of a targeted attempt to damage another person’s reputation, to harass or attack them online, or to stalk them (online or offline).

It is important to recognise that some young people can also be drawn into criminal activity online. For young people with advanced digital skills, there is also a risk that their expertise leads them unwittingly into criminal activity through acts such as hacking websites, or the creation or distribution of malware.

What types of scams are there online?

Thanks to the wide variety of online services, online scams can take many different forms:

  • Romance scams – building a romantic relationship and trust in order to request large sums of money from a victim.
  • Get rich quick schemes – scams that promise a quick return on a small investment but are designed purely to take money.
  • Impersonation on social media – setting up a fake account that impersonates the victim in order to add their friends and obtain personal data.
  • Fake shopping sites/products – selling fake products or services in order to take a victim’s money and give nothing in return or, alternatively, providing a product of much lesser value than advertised.
  • Phishing – emails pretending to be from a genuine service (like Netflix or a bank) encouraging a victim to click a link to confirm their account details and enter personal data such as usernames and passwords.
  • Unexpected prizes/competition wins – promises of a prize in return for a small payment or sharing of personal data.
  • Fake investment offers – scams promising a large return on an investment, or seeking to pass money through a victim’s bank account and paying them a percentage as a reward (also known as ‘money muling’, a form of money laundering).
  • Extortion – threatening a victim with physical or reputational harm unless they comply with the scammer’s demands or pay them to go away. Sextortion scams involve scammers claiming they have intimate images of a victim and will release them into the public domain unless paid not to.
  • Tech support scams – unexpected contact from a tech support line or company offering to take control of your device to fix a problem. Allowing them control then permits them to install malicious software (malware) or steal personal data.
  • Malware – disguising a virus as a genuine file, software or app to encourage a user to install it onto a device in order to allow a criminal to steal personal data or files. Some software (keyloggers) allows a criminal to record all actions on a device, including keys pressed on a keyboard when inputting details such as passwords.
  • Ransomware – malware that encrypts all files on a device and will only unlock those files when a ransom is paid. As encryption is often very strong, victims are faced with the choice of paying the ransom or losing the data forever.

Regardless of the type, the motive is always the same – to trick an online user into giving away personal data or other information in order for a scammer to defraud or take advantage of another person, usually for financial gain.

Activity:

Consider the following scams and how likely they might be to affect the children or young people you work with:

  • Romance scams
  • Get rich quick schemes
  • Impersonation
  • Fake shopping
  • Phishing
  • Unexpected prizes
  • Fake investments
  • Extortion
  • Tech support scams
  • Malware
  • Ransomware

Copy the table below and add each scam to the category that reflects the level of risk to your learners.

What is phishing?

Phishing is a technique used by cybercriminals to trick users into revealing their personal data by impersonating popular online products and services. The most common form of phishing is an email that appears to be from a reputable source such as your bank or an online service you use (such as Netflix) asking you to confirm or update your details. These emails always include a link to a fake webpage that looks like a genuine site but is designed to capture personal data that users enter (like usernames and passwords). Criminals can then use these details to gain access to a user’s account. A similar practice can also occur through SMS messages on mobile devices – commonly referred to as ‘smishing’.

Young people can also be targeted by online scams; the Phishers’ Favorites report found that many of the top 20 impersonated brands online are ones popular with children and young people (such as Facebook, Microsoft, Google, WhatsApp, Netflix, Apple and Instagram).

This detailed article provides five things to look for to spot a phishing email:

  1. Sent from a public email domain – a message from a large genuine company will never be sent from an email address such as @gmail.com or @outlook.com.
  2. Misspelt domain name – if the email domain is misspelt, or the website it links to contains a misspelt address, then these could also be clues that they are not genuine. Some scammers will buy up misspelt web addresses that closely mimic genuine ones, e.g. www.göögle.com, as this can easily fool people who merely glance at the address rather than studying it in detail.
  3. Poor grammar or spelling – these can be indications that the email isn’t genuine. Poor grammar is often a better indicator as scammers will often use translation tools to translate their message into the required language, so spellings will be correct, but sentence structure might be poor and easily spotted by a native speaker.
  4. Suspicious attachments or links – emails containing attachments or directing a recipient to click on a link are often hiding a piece of malicious software (malware). Files can easily be renamed to something that might tempt a recipient to open it e.g. ‘invoice.pdf’.
  5. A sense of urgency – emails that prompt the recipient to take immediate action, such as an urgent email from your boss asking you to send information, or a message that appears to be from an online service threatening to suspend your account, could be phishing attempts. Rushing recipients into taking action gives them less opportunity to examine the email closely and spot any clues that might indicate a fake.
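The five signs above can be turned into a simple checklist that a mail filter (or a classroom demonstration) runs over a message. The following is an added example written for this deep dive; it is not code from the article or from any product it mentions. Everything in it is constructed: the two sample emails, the short list of public email domains, the list of risky attachment extensions and the urgency phrases, and the `Email` record the checks are run against. Poor grammar (sign 3) is left to the human reader, since it cannot be scored reliably by a few lines of code.

```python
import re
from dataclasses import dataclass, field

# Constructed lists for illustration; a real filter would use far larger ones.
PUBLIC_EMAIL_DOMAINS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com"}
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".docm", ".xlsm", ".html", ".zip")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now")


@dataclass
class Email:
    sender: str                          # address in the From: header
    claimed_brand: str                   # brand the message claims to come from, e.g. "netflix"
    body: str
    links: list = field(default_factory=list)
    attachments: list = field(default_factory=list)
    legitimate_domains: tuple = ()       # the brand's real domains (assumed known to the checker)


def sender_domain(address):
    return address.rsplit("@", 1)[-1].lower()


def domain_of(url):
    """Host part of an http(s) URL, lower-cased; '' if the URL does not parse."""
    m = re.match(r"https?://([^/?#]+)", url.strip(), re.IGNORECASE)
    return m.group(1).lower() if m else ""


def is_own_domain(domain, legitimate):
    return any(domain == d or domain.endswith("." + d) for d in legitimate)


def looks_like_lookalike(domain, brand, legitimate):
    """True when a domain mimics the brand without being one of the brand's own domains.

    Non-ASCII letters (the 'ö' in www.göögle.com) or punycode labels ('xn--') are
    homograph tricks; the brand name inside some other domain (netflix-billing.com,
    netflix.com.evil.example) is the other common one.
    """
    if not domain:
        return False
    if not domain.isascii() or domain.startswith("xn--") or ".xn--" in domain:
        return True
    return brand in domain and not is_own_domain(domain, legitimate)


def phishing_indicators(mail):
    """Return the names of the signs triggered by the message (empty list = nothing found)."""
    brand = mail.claimed_brand.lower()
    found = []
    sdom = sender_domain(mail.sender)
    if sdom in PUBLIC_EMAIL_DOMAINS:                                   # sign 1
        found.append("public_email_domain")
    if looks_like_lookalike(sdom, brand, mail.legitimate_domains):     # sign 2 (sender)
        found.append("lookalike_sender_domain")
    if any(looks_like_lookalike(domain_of(u), brand, mail.legitimate_domains) for u in mail.links):
        found.append("lookalike_link_domain")                          # sign 2 (links)
    if any(a.lower().endswith(RISKY_EXTENSIONS) for a in mail.attachments):
        found.append("risky_attachment")                               # sign 4
    body = mail.body.lower()
    if any(phrase in body for phrase in URGENCY_PHRASES):              # sign 5
        found.append("urgency")
    return found


# Constructed sample messages (not real mail).
SUSPICIOUS = Email(
    sender="netflix-billing@gmail.com", claimed_brand="netflix",
    body="Your account will be suspended within 24 hours unless you confirm your payment details immediately.",
    links=["http://netflix-billing.com/verify"], attachments=["invoice.pdf.exe"],
    legitimate_domains=("netflix.com",),
)
GENUINE = Email(
    sender="info@netflix.com", claimed_brand="netflix",
    body="Here is your monthly statement. You can review it from the Account page.",
    links=["https://www.netflix.com/account"], legitimate_domains=("netflix.com",),
)

if __name__ == "__main__":
    for name, mail in (("suspicious", SUSPICIOUS), ("genuine", GENUINE)):
        print(name, "->", phishing_indicators(mail) or "no indicators")
```

Each indicator on its own is only a clue: a genuine message can be urgent, and a scam can come from a correctly spelt domain. What the list gives a learner is a habit of checking the sender, the link target and the attachment before acting, which is the point of the five signs.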

What is malware?

Malware is malicious software that is disguised as another type of file (such as documents, music tracks, images or videos), genuine software or apps in order to trick a user into opening, downloading or installing it onto their device. Some malware can even be installed onto a device simply by opening an infected website in a web browser.

This article summarises the different types of malware that can be used to acquire personal data from others.

One form of malware that presents risks to individuals but also to organisations (including schools) is ransomware. Ransomware is malware that infects a device, encrypts all files so they cannot be accessed, and then demands a ransom from the user if they wish to decrypt those files. Because of the strength of the encryption, a user is left with the choice of paying the ransom or losing their data forever.

Several types of ransomware have gained notoriety over the years – this article details 11 high-profile attacks, many of them involving ransomware.

Advice from law enforcement and experts is that you should never pay the ransom to a cybercriminal – there is no guarantee that they will restore access to your files, or that they will not return later to extort more money.

Ransomware is a crime and should be reported to local law enforcement – The No More Ransom project site contains details of who to report to in your country, as well as details of free decryption tools that exist for certain malware types, so that users can attempt to unlock their files rather than lose them forever.

This type of attack increasingly targets the educational sector – this report details the global major cyber attacks on educational institutions in 2022.

The importance of good passwords

One of the most effective ways to protect your data is to ensure that you use strong and memorable passwords on every online account, and use different passwords for each one.

Previous expert advice on passwords has suggested that using upper- and lower-case letters, numbers and special characters would make passwords harder to guess or crack. While this is true, it also makes them very difficult to remember!

A better solution is to make a password based on three random words. There are a number of ways you can do this – you could use a random word generator, use a strategy like Diceware, or even make your own password dice to generate unique passwords, using the ‘Making Strong Passphrases’ activity on the School of Social Networks. These are also great strategies to share with students and colleagues!
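The strength of a random-word passphrase comes from two things: the words are chosen at random (not by a person) and the list they are chosen from is large. The example below is added here to show both; it is not code from the article, from Diceware or from the School of Social Networks. It picks words with Python's cryptographic random source, maps a five-dice Diceware roll to a list index, and works out the entropy in bits of a few strategies so they can be compared. The sixteen-word `SAMPLE_WORDS` list is a constructed stand-in for a real list; the Diceware list size of 7776 (6^5) is real, and the 40,000-word vocabulary is an illustrative figure.

```python
import math
import secrets

# Constructed mini word list for the demo; a real Diceware list has 7776 words.
SAMPLE_WORDS = ["acorn", "basket", "cactus", "dolphin", "ember", "falcon", "glacier",
                "harbour", "igloo", "jigsaw", "kettle", "lantern", "meadow", "nectar",
                "orbit", "pebble"]
DICEWARE_LIST_SIZE = 6 ** 5      # 7776 words, one per five-dice roll


def random_word_passphrase(words, count=3, separator=" "):
    """Pick `count` words uniformly at random with a cryptographic RNG (never random.choice)."""
    return separator.join(secrets.choice(words) for _ in range(count))


def roll_diceware_key():
    """Five rolls of a six-sided die, as a Diceware list key such as '43215'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def key_to_index(key):
    """Map a five-dice key ('11111' .. '66666') to a list index 0 .. 7775 (base-6 digits 1-6)."""
    index = 0
    for digit in key:
        index = index * 6 + (int(digit) - 1)
    return index


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string of `length` symbols drawn from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def compare_strategies():
    """Entropy in bits of several *uniformly random* choices, for comparison."""
    return {
        "8 random printable characters (95 symbols)": round(entropy_bits(95, 8), 1),
        "3 random Diceware words (7776-word list)": round(entropy_bits(DICEWARE_LIST_SIZE, 3), 1),
        "4 random Diceware words (7776-word list)": round(entropy_bits(DICEWARE_LIST_SIZE, 4), 1),
        "3 random words from a 40,000-word vocabulary": round(entropy_bits(40_000, 3), 1),
    }


if __name__ == "__main__":
    print("passphrase:", random_word_passphrase(SAMPLE_WORDS))
    key = roll_diceware_key()
    print("dice key", key, "-> list entry", key_to_index(key))
    for strategy, bits in compare_strategies().items():
        print(f"{bits:5.1f} bits  {strategy}")
```

The figures show where the strength actually lives: each random word from a 7776-word list is worth about 12.9 bits, so adding a fourth word gives more than swapping letters for symbols does, and the result is still something a person can remember. The comparison assumes every choice is genuinely random; a "random" word a person picks themselves, or a word with a digit appended, is far more predictable than these numbers suggest.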

This cartoon explains why this password strategy is so effective:

Source: Diceware Password Generator

However, trying to remember dozens of passwords is still tricky! So using a password manager app on your device to store all your login details can make life easier. You can then secure the app with a strong memorable password – now you only have to remember one password in order to access all your passwords (but be sure to keep this password secret)!

It is also recommended to use a strong password for your email accounts – both personal and for schoolwork. If a cybercriminal can guess your email password, they can use your account to reset the passwords on all the services you have used it to sign up for.

What other cybersecurity strategies are important?

The following are strategies that all users (child or adult) can benefit from to strengthen their online security and reduce the chances of personal data or accounts being stolen or hacked:

  • Use two-step verification – Many accounts for games, sites and apps allow you to turn on a feature known as ‘two-step verification’ – also known as ‘two-step authentication’, or ‘two-factor authentication’ or even ‘multi-factor authentication’. This means that every time you log in (especially from a new device or location), the app/game will send you a code via text message or email. You must enter that code in order to finish logging in. This feature is very useful because it can let you know when someone has used your password to try to log in to your account. Without the special code, they can’t get into your account. If you receive one of these codes but haven’t tried to log in, then you know that someone else has and that they know your password. If this happens, it’s extremely important to log in to the account as soon as possible and change your password. Where possible, it’s a good idea to turn this feature on for your accounts and encourage learners to do the same for theirs. 
  • Keep software and devices up to date – Criminals are quick to exploit vulnerabilities in software and technology. Always ensure that you keep your devices’ operating systems and your anti-virus and firewall software updated, as well as update software/apps whenever prompted by your devices. Encourage your learners to take responsibility for keeping their own personal devices updated and to make their family aware of the importance of updates and regular scans across devices at home.
  • Check for data breaches – You can enter your email address on the website ‘Have I Been Pwned?’ to see if it has been involved in any data breaches. It will display a list of which sites/services were affected and when. Although there is little you can do about the personal data released publicly, you can go to your accounts on those affected sites and change your passwords so that the leaked credentials can no longer be used to gain access to them. Encourage your learners to do the same.
  • Be wary – Look out for unexpected or suspicious messages, and never rush into providing personal data to a website. Always use a trusted method for logging in and accessing your accounts rather than clicking a link in an email or message.
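To make the two-step verification bullet concrete, the following is an added example of the server side of such a login, written for this deep dive rather than taken from any real app or game. A login only succeeds when the password *and* a one-time code are presented; the code expires, can be used once, and allows only a few wrong guesses. Everything here is constructed: the `LoginService` class and its method names, the in-memory `outbox` standing in for the text message or email that carries the code, the time limit and attempt limit, and the sample account.

```python
import hashlib
import hmac
import os
import secrets
import time

CODE_TTL_SECONDS = 300     # assumed lifetime of a one-time code
MAX_CODE_ATTEMPTS = 3      # assumed number of wrong codes tolerated per login


def hash_password(password, salt=None):
    """Salted PBKDF2 hash; the service never stores the password itself."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class LoginService:
    def __init__(self, clock=time.time):
        self.clock = clock          # injectable so expiry can be tested
        self.users = {}             # username -> (salt, digest)
        self.pending = {}           # session id -> details of a half-finished login
        self.outbox = []            # (username, code): the "text messages" the service sent

    def register(self, username, password):
        self.users[username] = hash_password(password)

    def check_password(self, username, password):
        if username not in self.users:
            return False
        salt, digest = self.users[username]
        return hmac.compare_digest(digest, hash_password(password, salt)[1])

    def start_login(self, username, password):
        """Step 1: the password. On success a code is sent to the user and a session id returned."""
        if not self.check_password(username, password):
            return None
        code = f"{secrets.randbelow(1_000_000):06d}"
        session = secrets.token_urlsafe(16)
        self.pending[session] = {
            "user": username, "code": code,
            "expires": self.clock() + CODE_TTL_SECONDS, "attempts": 0,
        }
        # This is the message the account owner sees on their phone. Receiving one
        # they did not ask for means someone else got past step 1 with their password.
        self.outbox.append((username, code))
        return session

    def complete_login(self, session, code):
        """Step 2: the code. Returns the username on success, None otherwise."""
        p = self.pending.get(session)
        if p is None:
            return None
        if self.clock() > p["expires"] or p["attempts"] >= MAX_CODE_ATTEMPTS:
            del self.pending[session]          # stale or brute-forced: start again
            return None
        p["attempts"] += 1
        if hmac.compare_digest(p["code"], code):   # constant-time comparison
            del self.pending[session]          # a code is good for exactly one login
            return p["user"]
        return None


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")   # constructed sample account
    session = svc.start_login("alice", "correct horse battery staple")
    _, code = svc.outbox[-1]
    print("wrong code accepted?", svc.complete_login(session, "000000") is not None)
    print("right code accepted?", svc.complete_login(session, code) == "alice")
```

The design point for learners is visible in `start_login`: knowing the password only gets an attacker as far as triggering a code that is delivered to the real owner, which is both the block and the warning sign the bullet describes.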

How can I support young people to be cybersecure?

  • Education – Providing regular learning opportunities for learners to understand and explore issues around cybersecurity is key to helping them develop positive strategies to protect their personal data and the data of others. Even from an early age, it is important for children to understand the importance of strong and secure passwords to protect devices and data. As they grow older, young people also need to adopt more sophisticated strategies to protect their personal data (such as the use of privacy settings on social media platforms) and develop positive habits related to the maintenance of technology (updating software and running anti-malware scans).
  • Understand your role – Your school has responsibilities under the GDPR (General Data Protection Regulation) to keep the data of learners and staff safe. It is likely that your school has Acceptable Use Policies (AUPs) for staff, learners and visitors on what is allowed when using school devices and networks. There may also be procedures to ensure that sensitive data is protected. Ensure that you are familiar with your school’s expectations around cybersecurity.
  • Be a role model – An effective way to help your learners practise good cybersecurity is to demonstrate good security habits through your professional role in schools. Regular reminders to learners of the need for strong passwords, the use of trusted online sites/services, and how to get help and support if they are worried about data theft or cybercrime can help them adopt healthy and positive lifelong attitudes to using technology safely and securely. Acting as a role model can also encourage your colleagues to adopt more secure working practices when using technology in school.

Further information and resources

  • Better Internet for Kids resources – Educational resources from across the Insafe network of Safer Internet Centres. You can search for ‘cyber security’ or ‘data privacy’, for resources in your language and for resources for different age groups.
  • Europol’s public awareness and prevention guides – Lots of accessible advice for the public on how to protect personal data online and avoid scams and other cybercrime.
  • Report cybercrime online – Europol’s site has links to national reporting websites for European countries.
  • Google’s Safety Centre – This guide provides useful advice on how to strengthen account security, including 2-Step Verification.
  • School of Social Networks – This resource for primary-aged children, teachers and parents/carers provides information and advice on a range of online issues, including privacy and security. There are accompanying activities that teachers can use in the classroom and parents can use at home.
  • European Cyber Security Month – Taking place each October, this campaign site contains a range of cybersecurity resources from different countries that can help promote positive cybersecure habits.