
- Hello, and welcome to lesson two of our Security Unit.

I'm Ben, and this lesson is all to do with non-automated cybercrime.

Now, all you need for this lesson is a computer, a web browser, and if you've got a pen and paper, that'll also be really useful.

So if you can clear away any distractions that you might have, if you've got a nice, quiet place to work, that would be really fantastic, and when you're ready, let's get started.

So in this lesson, we're going to describe different forms of attack, in the context of cybersecurity.

We'll also identify non-automated forms of attack, and how humans can be the weak point in an organisation.

So before we get started, I thought we would have a recap of what we did at the end of lesson one, and that was to answer some of the questions on your worksheet.

So you may wish to open your worksheet from Task One so you can compare the answers that I'm gonna go through, with your answers, that you actually gave.

So if you want to do that, then please, pause your video now, open your worksheet, and then, once you've done that, unpause the video, and we'll go through some of the answers.

So I'm assuming that you've got that open, or you've done what you wanted to do, so let's go through some of those questions.

So the first question was, what was the definition of cybersecurity? Well, cybersecurity is the practice of protecting systems, networks, and programmes from digital attacks.

And then, we looked at the definition for network security.

Now, that is any activity designed to protect the usability and integrity of a network, and its data, by managing access to the network.

So remember that network security is cybersecurity, but it's a subset of cybersecurity.

Whereas cybersecurity is more of a broader term, that covers networks, but other things, as well, such as our data, personal devices, and the likes.

So question three, who does cybercrime affect? Well, the answer is everybody.

It can even occur if you don't have a computer, if your data is stored somewhere, on an electronic device, then you are a potential victim of a cyber attack.

So you might not even own a device yourself, and still be vulnerable.

So why does cybercrime cost businesses money? This question required you to think a little bit, about what we talked about, and really think deeply about some of the wider consequences.

Well, it costs businesses money, because of the direct threat to capital.

The direct threat to the money that they have to spend.

And we looked at that, and the fact that money can actually be stolen and transferred, it may well be, that it costs money to recover the data.

It may well be, it costs money to actually put things in place, to stop these things happening again, in future.

But it can also cost them, in terms of lack of business, people taking their business elsewhere, 'cause they don't trust them anymore.

If you've had your data stolen from an organisation that you trusted, and you pay, then you might decide, "I don't want to work with that organisation anymore." And also the cost of security professionals, and equipment, additional equipment, that you might need, to protect yourself, against any cyber attacks.

So move on.

So question five, roughly what percentage of businesses and charities, in the UK, identified a cyber attack in the last 12 months? Well, it's 32% of businesses, and 22% of charities.

Why are networks vulnerable? Well, networks are vulnerable because they're connected.

And so, without proper security, viruses can spread instantly.

And then I asked you to give three motivations for cybercrime.

Now the eagle-eyed amongst you will work out that I've got more than three bullet points there, but that's because there were more than three answers, I only asked you to produce three of those.

So the kind of things that I came up with were things like criminal greed.

It might be that they want to just hack for curiosity's sake.

They might be with actual malicious intent, with the intent to do damage, or cause disruption.

It might be ideological, it might be like the hacktivists we talked about, trying to hack in and cause some disruption, to promote a message, or disrupt a company, because they don't agree with the ethics, of how they conduct their business.

But it might also be that planting the flag concept that we talked about, such as trying to impress their peers, by hacking very famous organisations.

So that was all to do with last lesson. Before we get going with this lesson, I've just got a bit of fun for us to do. I've developed this quiz, and I'd really love for you to have a go at it. Now this quiz will help you determine which rockstar you are most alike. So what I'd like you to do is open your web browser, and type in the URL that you can see there.

All you need to do is run your programmes.

Got a few questions.

If you answer the questions, at the end of it, it'll tell you what rockstar you are most alike. So I can't wait to find out the answer.

So pause the video now, have a go at that, and unpause, when you're done.

So did you have a go at that? Which rockstar are you most alike? Or have you worked out by now, that this was actually a scam, and what you've just done there, is you may potentially have given the hacker, access to data, that they'll be able to do damage with.

Now before we go any further, I don't want you to worry at all.

That programme was set up by me, and it's not recording any of your inputs, and anything you answered was not stored anywhere.

And just to prove that, you can click on "See Inside", and you'll be able to see that the data's not being stored in any variables, and it's not being stored anywhere else either, so just put your mind at rest.

But let's say it did happen that way.

And let's say, I'm sure you may have already seen, on social media, some awesome apps, where you can type an answer to the questions, and it will tell you that kind of thing.

Maybe which cartoon character you are like, which rockstar you are most alike, et cetera, which character on a TV series, and all those kinds of things. Now if you have answered those questions, let's just think about the one that we just looked at then, with rockstars.

What information did you give a potential hacker? Well, you gave them your name, your date of birth, your favourite band, your mother's maiden name, your favourite colour, your email address, maybe the name of your first pet.

Now let's just put that into context, about why that might be dangerous.

You might think, "Well, you know, that's not that dangerous information", but have you ever forgotten your password for an online account? And have you worked out that when you forget your password, you're prompted with some questions, such as, "What's your mother's maiden name?" Or maybe, "What's your email address?" Or "Name of first pet.

What's your favourite colour?" And if you can answer those questions, then it gives you the option to change your password, and bang.

That's the point where a hacker has access to your account.

So that gives you an insight into what we're going to learn about in this lesson, which is something called social engineering.

So let's explore what is meant by social engineering.

Now there are lots of technical ways to try and to keep data safe and secure, which we're going to explore in future lessons, but arguably, it's us, as human beings, as human users of a system, that creates the largest risk to data being compromised.

Now social engineering, is a set of methods used by cybercriminals, to deceive individuals into handing over information, that they can use for fraudulent purposes.

Now what's different about social engineering, in comparison to other cybercrimes, is that it's other humans, trying to trick and manipulate human beings, or human users of a system.

So the key here, is the fact that these cyber-attacks, are being initiated by humans, to trick other humans.

So let's have a look at some of those social engineering techniques that are more commonly used by cybercriminals.

And one of them is called blagging.

Now there's another term for that, which you may have heard of, which is called pretexting.

So this is an attack in which a perpetrator invents a scenario, in order to convince the victim to give them data or money.

Now, this attack often requires the attacker to maintain a conversation with the victim, until they're persuaded to give up whatever the attacker's asked for.

So you'll often find something that tries to engage in a conversation.

This isn't a one-off kind of throw away email.

This is a human being, sending the email, and wanting to start a conversation.

Now it's not just email, it might be over the phone too, but there's a conversation that takes place, that deliberately attempts to deceive the other human being, the person receiving the email, or at the end of the phone call.

Now there's another type of attack, called a phishing attack.

Now a phishing attack is an attack in which the victim receives an email, disguised to look as if it came from a reputable source, in order to trick them into giving up valuable data.

Now, the email usually provides a link to another website, where the information can be inputted.

So this is different.

This is different to blagging, because blagging tries to start a conversation, to engage you into some kind of trick.

Whereas this one, is an email that's maybe sent to you, with maybe not something so personal to you, but it's a one off attempt, to try and get you to click on a link, on an email, for example.

So why is it actually called phishing? Well, it's called phishing, and you may notice how it's spelled, so phishing with a "Ph" rather than an "F". However, it's deliberately meant to sound like fishing with an "F", because the idea is, a line thrown out into a place where there are many potential victims, or fish.

So imagine this scenario of a fisherman, throwing out a line and trying to catch a fish.

Now often a fisherman will put something on the end of his line, to court with, which is called bait.

Now that's meant to trick the fish into thinking it's maybe something that it can actually eat.

So it kind of, it goes towards it, to eat it.

So the bait is something on the email, trying to entice them in, maybe make them think that it's something real, that they can, make them think that it's an email that is real, that they want to engage with.

And then if the victim bites, i.e. if the fish bites the bait on the end of the line, the fisherman would reel them in.

Whereas this one, the victim bites, they're hooked in.

It means if they click on the link on the email, then they're hooked in.

So what happens with a phishing email, once they find that link? The link might take them to a fraudulent page, it might even look like their bank's website.

So when they click on the link, it looks like an actual bank's website.

You start putting in the username and password, and bang, you've been hooked in, and you've fallen victim, and all of a sudden, that attacker has your details.

So how do we know if we've, how do we distinguish between a normal email and a phishing email? Well, a phishing email would be an unexpected email, with a request for information, for example, something that you weren't really expecting, maybe from a bank that you may not be a member of, or maybe, it might be that, for example, your TV licence has expired, and you need to click on this link. Well, you might think, "Well, I don't actually have a TV licence, or I have got a TV licence, I know I've got a TV licence." So that will be unexpected.

Maybe the message content contains some spelling errors.

Maybe it might be suspicious hyperlinks in the email.

Now I'm not sure, have you ever done this before? But if you've got an email in, sorry, if you've got a hyperlink inside an email, what you can do sometimes is hover your mouse, and you'll see the URL for the email, or you can right-click and copy the URL, and maybe just have a look at it, and paste it somewhere else.

And you'll be able to see that it's maybe not from the source that you thought it might be.

If it was from your bank, you'd expect to see the bank's URL's name inside the hyperlink detail somewhere.

Now it might just be a generic email.

One that doesn't address you by name, or contain any personal information, that you would expect the sender to know.

So it might say, "Dear Sir, or Madam", or maybe "Dear visitor" or something like that, not something that would actually, you'd expect them to know your name.

So we've got a worksheet for you to do.

Now, in this one, Miss Ella Geecat has been sent an email, warning that her bank account has been hacked.

Now what you need to do, is I'd like you to spot as many of the 10 clues, that you can spot in the email, that might make you think that the email isn't genuine.

So I'd like to spend five minutes finding those clues.

So you're looking for 10 of them, see how many you can get.

And then also, if you've finished that, try and think, are there any other types of scams that you can think of, that you've heard of, that are convincing, that might maybe hook people in. So I'd like you to pause the video now, I'd like you to go over to Task One on your worksheet, read the email, you might want to highlight it, but see if you can note down 10 facts about that email that you thought maybe made it, indicate that it's a phishing email. So pause the video now and unpause when you're done.

So hopefully you've done that.

How many did you come across? Did you find all ten? Well, let's go through some of the answers then.

So first of all, we found that that was the wrong Lloyds Bank logo.

So you might notice, this email is meant to look like it came from Lloyds Bank.

And actually, although that's a really similar looking logo, it's not the actual logo.

So yes, it's a black horse, but it's not the right one.

You might have also noticed that there was an impersonal greeting.

For example, it said, "Dear valued customer".

Now, if you're a member of a bank, you'd expect them to know your name, there's no actual information about your accounts, such as your account number.

There was a sense of urgency there.

Some kind of scare tactics.

Let's face it, if there's something very urgent, going on with your bank.

Then they would contact you, maybe by a phone call, or something like that.

Or there wouldn't be this kind of sense, to pressure you into doing something.

Number five, although the dropdown description is correct, the link for Lloyds Bank is different. So it's actually a fake link there. Now number six, incorrect use of English.

So it says "in tact", instead of "intact", so two separate words, rather than one word, or "belief", instead of "believe".

So sometimes when you read it, you think, "Oh, it doesn't sound quite right." It's not necessarily grammatically correct.

Or even might not, there might be spelling mistakes.

There's also use of contractions, in a very formal email.

It says "don't" instead of "do not".

The domain name is misspelt.

So it's got "loydsbank" instead of "lloydsbank.com", so it's got one "L" instead of two.

Now nine, you are being asked to click a link to take action. And like I said, that's pressuring you, like we mentioned before.

And then number 10, the domain name does not match the email address.

So how many of those did you get? So for example, you can see that lloyds@gmail.com, that's not quite right, is it? 'Cause you wouldn't get a Gmail account, I don't think, for a Lloyds Bank account.

Anyway, so how many of those 10 did you get? Did you match what I managed to get? So let's move on.

So let's now explore, we've explored two types of social engineering.

We've looked at blagging.

We've looked at phishing.

So let's look at some other types of social engineering.

So there's shouldering, name generator attacks, tailgating, pharming and eavesdropping, so let's explore them.

So first of all, shouldering.

Now shouldering is exactly what it sounds like.

It's also known as shoulder surfing. It's essentially an attack designed to steal a victim's password or sensitive data, by really watching the victim, or looking over their shoulder, while they provide sensitive information.

Now those types of attack might be familiar.

It's often used to find out someone's PIN at a cash machine.

For example, I'm not sure whether or not you've ever been in your IT lab, at school, and you've started typing in your password, and you've noticed one of these friends, looking over your shoulder, trying to sneak and guess what your password is.

That would be an example of shouldering.

But actually another example of shouldering might be hidden webcams, somewhere.

Some cybercriminals might put a webcam just above the PIN area of the cash machine.

And that might enable them to be able to see what you're typing in, for your PIN.

And of course, once they've got this information, that they're able to obtain, just by watching, then they're able to maybe access your account, or steal money or something like that.

So that's shouldering.

Now name generator attack.

Now you should be familiar with the name generator attack, because if you did the rockstar one, that's the kind of attack that you would fall victim to.

So these are attacks in which a victim is asked in an app or a social media post, to combine a few pieces of information, to complete a short quiz, to produce a name.

So attackers do this to find out key pieces of information, that can help them answer security questions, that protect people's accounts.

So let's move on to social.

So to tailgating, sorry.

Now tailgating is, I mean the term tailgating is a bit of an American term, but it means essentially, going close to someone, driving behind them, and following them, driving around. However, in this context, it means it's a physical security breach, in which an unauthorised person follows an authorised individual, to enter secure premises.

For example, it may well be, that they've opened the door, and the other person's snuck in behind them, before the door is able to close.

So that'll be tailgating.

Now eavesdropping, again, you can imagine what that is.

It's literally listening out.

So it's a social engineering tactic, being physically present, to overhear confidential conversations.

So there's listening to what's being said, to help maybe gain some key information from people, just by listening to them.

And again, I mean, being physically present, listening, that's one example, but it might be some kind of, a really sophisticated cyber attack, might be some kind of listening device, activated on the computer, so when the computer is open, it activates a microphone, and maybe they can hear what's being said.

Now there's one more, which I want to talk about, which is pharming.

And pharming is a type of attack, which redirects victims to a bogus site, even if the victim has typed in the correct web address.

So basically, what this means is, they hack into the DNS server, of your account, of your ISP.

So what you would do is you type in, for example, your bank name, so let's say lloydsbank.com, and then, so you type it in a hundred percent correctly, and then what happens is, your DNS server redirects you to a fake account.

So what's happening there is that you might think you've typed in correctly, you totally trust it.

It takes you to a fake account, which looks just like the bank's website, and then you type in your username and password, and all of a sudden, then that attacker has got your details.

Now we've learned about some social engineering tactics, so far, in this lesson.

So what I'd like you to do is create a helpful quick read, to help people avoid a social engineering scam of your choice.

So your quick read should point out the key features of the scam, and how to avoid becoming a victim.

But I'm going to leave it completely up to you, about which social engineering attack that you choose to create your quick read on.

So you can choose from phishing, blagging, shouldering, name generator attacks, tailgating, pharming, or eavesdropping.

So you can pick any one of those, to create your quick read.

So what I'd like you to do is head over to Task Two on your worksheet now, where you've got all those instructions, and also a template that you can work on, to create your quick read. So pause the video now, have a go at that and then unpause when you're done.

So how did you get along with that? So hopefully you did a bit of research, and you went back over the slides, and you created some really good guidance or advice, that you'll be able to pass to somebody, to give some advice about how to avoid becoming a victim.

Now maybe because you've made that, could you pass that on to anybody? Could you pass that to maybe your parents or your carers, or any elderly relatives that you might have, and maybe help them become, protect them and become more secure against these types of attacks? So your last challenge for this lesson, is to go to Task Three on your worksheet, and complete the questions.

So the questions will help you recap on the things that we've learned in this lesson.

So head over to Task Three now, pause the video again, and then unpause when you're done.

So that's all for this lesson, and I really hope that you've enjoyed learning about the social engineering attacks that people fall victim to.

They're really sophisticated attacks, but remember what's key about them, it's the human trying to trick or manipulate other humans.

So in the next lesson, we're going to look at the more automated forms of attack that people become victim to.

So if you'd like to share your work with us, we would really love to see anything you've done this lesson.

So I'd really like to see maybe that quick read that you made, then we could share with other people, to help them make sure that they're safe too.

So if you'd like to share your work with us, please ask your parents or carer to share your work on Instagram, Facebook, or Twitter, tagging @OakNational, and using the hashtag #LearnWithOak. So I'm looking forward to seeing you next lesson.
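The phishing clues the lesson walked through for the worksheet email (impersonal greeting, sender domain not matching the bank, link text pointing at a misspelt look-alike domain, urgency wording, contractions, "in tact" for "intact") turned into a small checker, added here as an example and not part of the lesson. The trusted domain, the sample email and the two-edit look-alike threshold are constructed assumptions.

```python
"""Heuristic scanner for the phishing clues covered in the lesson (added example)."""
import re
from urllib.parse import urlparse

# Assumption (constructed): the only domain the real bank sends from or links to.
TRUSTED_DOMAINS = {"lloydsbank.com"}
GENERIC_GREETINGS = ("dear valued customer", "dear customer", "dear sir", "dear madam", "dear visitor")
URGENCY_PHRASES = ("immediately", "within 24 hours", "urgent", "will be suspended", "act now")


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to spot look-alike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalise_host(host: str) -> str:
    """Lower-case and drop a leading 'www.' so shown and real domains compare cleanly."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def url_domain(url: str) -> str:
    return normalise_host(urlparse(url).hostname or "")


def sender_domain(sender: str) -> str:
    """Pull the domain out of 'Display Name <user@domain>' or a bare address."""
    match = re.search(r"<([^>]+)>", sender)
    address = match.group(1) if match else sender
    return normalise_host(address.rsplit("@", 1)[-1].strip())


def phishing_clues(sender: str, body: str, links: list[tuple[str, str]]) -> list[str]:
    """Return every clue found. links is a list of (visible link text, real href)."""
    clues = []
    text = body.lower()
    if text.lstrip().startswith(GENERIC_GREETINGS):
        clues.append("impersonal greeting")
    if sender_domain(sender) not in TRUSTED_DOMAINS:
        clues.append(f"sender domain {sender_domain(sender)} does not match the bank")
    for visible, href in links:
        shown = url_domain(visible) if "://" in visible else ""  # text that looks like a URL
        real = url_domain(href)
        if shown and shown != real:
            clues.append(f"link text shows {shown} but the link goes to {real}")
        if real not in TRUSTED_DOMAINS:
            lookalike = [t for t in TRUSTED_DOMAINS if 0 < levenshtein(real, t) <= 2]
            clues.append(f"look-alike domain {real} (resembles {lookalike[0]})" if lookalike
                         else f"link points to untrusted domain {real}")
    if any(p in text for p in URGENCY_PHRASES):
        clues.append("urgency or scare wording")
    if re.search(r"\b\w+n't\b", text):
        clues.append("contractions in a supposedly formal notice")
    if re.search(r"\bin tact\b", text):
        clues.append("misspelling: 'in tact' for 'intact'")
    return clues


# Constructed sample modelled on the worksheet email; not the worksheet's actual text.
SAMPLE_SENDER = "Lloyds Bank <lloyds@gmail.com>"
SAMPLE_BODY = """Dear valued customer,

We belief your account has been accessed. Your funds are in tact, but you must
verify your details immediately or your account will be suspended. Don't delay."""
SAMPLE_LINKS = [("https://www.lloydsbank.com/secure", "http://www.loydsbank.com/login")]

if __name__ == "__main__":
    for clue in phishing_clues(SAMPLE_SENDER, SAMPLE_BODY, SAMPLE_LINKS):
        print("-", clue)
```

The checks are deliberately simple heuristics; a real mail filter would also verify the sender with SPF/DKIM rather than trusting the From header alone.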