FREE! Click here to Join FunTrivia. Thousands of games, quizzes, and lots more!
Quiz about A Phishing Expedition
Quiz about A Phishing Expedition

A Phishing Expedition Trivia Quiz


Almost everybody on the Internet has received phishing emails -- attempts by scam artists to get our personal and financial information by pretending to represent banks, retailers, and other legitimate sites. Let's take a look at what's really going on.

A multiple-choice quiz by CellarDoor. Estimated time: 6 mins.
  1. Home
  2. »
  3. Quizzes
  4. »
  5. Science Trivia
  6. »
  7. Computers
  8. »
  9. The Internet

Author
CellarDoor
Time
6 mins
Type
Multiple Choice
Quiz #
278,120
Updated
Dec 03 21
# Qns
10
Difficulty
Average
Avg Score
7 / 10
Plays
1206
Awards
Top 5% quiz!
Last 3 plays: Guest 152 (0/10), Guest 175 (2/10), Guest 166 (10/10).
- -
Question 1 of 10
1. For the most part, phishing attacks arrive in email inboxes and instant messenger windows -- but despite their technical trappings, their method represents a very old category of fraud. Which of these terms best describes how phishing works? Hint


Question 2 of 10
2. "Phishing" is an odd-looking word, but its origins aren't very mysterious. The perpetrators of these attacks are fishing for sensitive information and account logons, and substituting a "ph" for a good, honest "f" is classic hacker lingo. That "ph" substitution came from phone phreaking, a popular hacker pastime in the 1980s. What did phone phreaking entail? Hint


Question 3 of 10
3. A phisher has a number of tricks available for making the URL of a phony website look like the URL of a legitimate one. For example, you might receive an email that urgently directs you to click on a link like www.YourBank.phish.com. Can you be sure that this URL belongs to YourBank? Hint


Question 4 of 10
4. Another phishing trick is to exploit the fact that, in many English fonts, different characters can look very similar -- so a link in an e-mail might look legitimate even though it's slightly misspelled. Which of these is NOT a source of confusion in many English computer fonts? Hint


Question 5 of 10
5. Here's another type of phishing misdirection: the link that's an outright lie! Suppose you receive an email, purporting to be from Legitimate Bank, that gives a hyperlink for you to click on: http://www.LegitimateBank.com. The displayed address looks good - but when you click on it, you're taken straight to http://www.EvilLaughter.com. What's the most likely explanation for this? Hint


Question 6 of 10
6. Sometimes, you can spot a phishing site by its security -- or lack thereof. A Secure Socket Layer (SSL) connection is supposed to give you some confidence that you're communicating with the site you expect. Which of these is a way of initiating an SSL connection? Hint


Question 7 of 10
7. You can always tell when you're being phished, because the look and feel of a legitimate website are very hard for a phisher to duplicate.


Question 8 of 10
8. Most phishers cast a wide net, sending their emails to millions of randomly chosen potential victims. Most of these emails have no chance of success, since most recipients have no business with the company the phisher is spoofing. But some phishers take a more targeted approach. Which of these phrases refers to phishing attacks that are tailored to a particular person or group of people? Hint


Question 9 of 10
9. Banking sites may be the most appealing targets for a phisher, but other sites -- like online stores, forums, and e-mail providers -- can also provide an attacker with a useful prize. What sort of information is a phisher LEAST likely to gain from a successful phishing attack on, say, an account at an online retailer? Hint


Question 10 of 10
10. Let's say that I sit down at my computer to find an urgent e-mail. It says it's from my bank, and that there's been suspicious activity on my debit card, so my account has been temporarily de-activated. For security, I need to click on the provided link and verify my account information.

Which of the following should I NOT do in this situation?
Hint



(Optional) Create a Free FunTrivia ID to save the points you are about to earn:

arrow Select a User ID:
arrow Choose a Password:
arrow Your Email:




Most Recent Scores
Nov 19 2024 : Guest 152: 0/10
Oct 29 2024 : Guest 175: 2/10
Oct 15 2024 : Guest 166: 10/10
Oct 12 2024 : Guest 120: 0/10
Sep 30 2024 : DaMoopies: 10/10
Sep 26 2024 : mazza47: 10/10
Sep 26 2024 : S4a4m4: 9/10

Score Distribution

quiz
Quiz Answer Key and Fun Facts
1. For the most part, phishing attacks arrive in email inboxes and instant messenger windows -- but despite their technical trappings, their method represents a very old category of fraud. Which of these terms best describes how phishing works?

Answer: Social engineering

Phishers may use a high-tech medium for their scam, but the con itself is ancient. "I'm trustworthy and important," their messages try to say. "If you'll just tell me everything, I can help you out." Like scammers from time immemorial, however, phishers plan to help only themselves.

They adopt the guise of some trusted institution and coax the victim into revealing secret information, like a password or a credit card number. The phisher can then use that information to pose as the victim and cash in. E-mails and websites designed to lure the "phish" can employ surprisingly sophisticated psychological techniques. Come with me to take a peek into their toolbox ...
2. "Phishing" is an odd-looking word, but its origins aren't very mysterious. The perpetrators of these attacks are fishing for sensitive information and account logons, and substituting a "ph" for a good, honest "f" is classic hacker lingo. That "ph" substitution came from phone phreaking, a popular hacker pastime in the 1980s. What did phone phreaking entail?

Answer: Hacking telephone services to make free calls

In its heyday, hackers saw phone phreaking as an honorable pursuit, an intellectual game rather than a serious attempt to steal services. With enough knowledge of electronics and protocols, and the right set of tools (particularly the famed "blue boxes"), a phone phreaker could prove his or her worth by outwitting the telephone company. Changing "freaking" to "phreaking" gave the phrase a pleasing visual alliteration, and a new spelling tradition was born.

The use of "ph" survived the transition to the online realm.
3. A phisher has a number of tricks available for making the URL of a phony website look like the URL of a legitimate one. For example, you might receive an email that urgently directs you to click on a link like www.YourBank.phish.com. Can you be sure that this URL belongs to YourBank?

Answer: No. It points to a page on phish.com, not on YourBank.com.

It's handy to be able to interpret a domain name, which is the part of a URL that comes after the http://, but before the next set of forward slashes. You read them right to left. The rightmost part -- something like .com or .gov -- is the top-level domain.

Some of these (like government or military domains) are legally restricted, but most are available for anyone to register a site, as long as the name you want isn't taken and you can pay the small fee. The name of the site comes right before the top-level domain, as in funtrivia.com. Anything further to the left just points you to a particular place, or a specific server, on the site. So if you're trying to get to YourBank, the domain name had better end in YourBank.com -- YourBank.phish.com is just a part of the phish.com website, with a name that's designed to fool people into clicking on it.
4. Another phishing trick is to exploit the fact that, in many English fonts, different characters can look very similar -- so a link in an e-mail might look legitimate even though it's slightly misspelled. Which of these is NOT a source of confusion in many English computer fonts?

Answer: If you type a lower-case O next to a lower-case O, it looks like the number 8.

In this technique, the URL of a "bad" site is chosen to bear a close resemblance to a legitimate site. Sometimes, it's chosen to entrap careless typists: a phisher might register BankOfCellarDoor.org to catch people who meant to go to BankOfCellarDoor.com.

In other cases, the spoof is designed to look right under a quick inspection. For example, in a research study, scientists were able to ensnare a large percentage of their study subjects with a link to the Bank of the VVest: "vv" may look like "w", but that link didn't take them to the Bank of the West. Be alert if you click on e-mail links; what seems like a small difference to a human being makes a big difference on the Internet.
5. Here's another type of phishing misdirection: the link that's an outright lie! Suppose you receive an email, purporting to be from Legitimate Bank, that gives a hyperlink for you to click on: http://www.LegitimateBank.com. The displayed address looks good - but when you click on it, you're taken straight to http://www.EvilLaughter.com. What's the most likely explanation for this?

Answer: The displayed text for the hyperlink doesn't match the place it links to.

In HTML, a hyperlink is divided into two components. First, there's the URL, or address, that you're linking to; this is where you go when you click on the link. Then there's the label or title of the link; this is the text that typically appears underlined and in blue. The Internet is a much more friendly and usable place because this is possible; it's much nicer to access this quiz via a link that says "A Phishing Expedition" rather than via a link that has to incorporate all the internal FunTrivia paths and identification numbers and so on. The downside is that an unscrupulous person can make that label misleading - like another URL that's unrelated to the actual linked address.

In most browsers and email programs, you can get the real scoop by hovering your mouse over the link, without clicking. The actual destination of the link - its "target" - should be displayed, either in a little bubble where your mouse position is, or in the lower left-hand corner of the window. But the much simpler rule of thumb is, again, never to click on an email link you weren't expecting!
6. Sometimes, you can spot a phishing site by its security -- or lack thereof. A Secure Socket Layer (SSL) connection is supposed to give you some confidence that you're communicating with the site you expect. Which of these is a way of initiating an SSL connection?

Answer: Typing https:// in front of the site address

SSL connections are designed to prevent man-in-the-middle attacks, in which someone in between you and the desired website (maybe at your Internet Service Provider or in your neighborhood) intercepts the communications you're sending back and forth. SSL opens up a secure tunnel between you and the other party -- and, as a bonus, it can authenticate either side. Here's how the authentication typically works. You type in https://www.BankOfCellarDoor.com to indicate that you want a secure connection with the Bank of CellarDoor. While setting up the tunnel, the bank sends you a certificate, which shows that some central Certificate Authority agrees that this outfit is the one true BankOfCellarDoor.com. Your browser, or your operating system, decides whether the certificate is valid and comes from a trusted company. If not, it gives you a warning; if so, it opens the connection, which will be marked by an https:// in the site address and a padlock symbol somewhere on the browser.

SSL connections are a good sign; it's not a good idea to enter your financial information into a non-SSL site. They aren't perfect, though. BankOfPhishers.com can probably get a certificate in its own name, because they are who they say they are; the certificate doesn't say anything about virtue, only identity. Some Certificate Authorities aren't particularly trustworthy themselves, and some have had certificates stolen. And some legitimate websites encourage bad habits by having users log onto a non-SSL page with completely worthless pictures of locks sprinkled around it. Unfortunately, while checking for SSL gives you a good clue to the trustworthiness of a page, it isn't conclusive.
7. You can always tell when you're being phished, because the look and feel of a legitimate website are very hard for a phisher to duplicate.

Answer: False

Sometimes there are obvious clues that a phishing attack is underway. A careless phisher might quickly type up e-mails no bank would ever send, with unprofessional mistakes in spelling and grammar. ("You're acount have been suspended," for example.)

A slicker phisher, however, can produce a very polished facsimile of the real thing. A website's look and feel are encoded in HTML (hypertext mark-up language), and the underlying code is sent to web browsers so that they can render the site properly. This code is not secret! The phisher can also copy and re-use images. If there are slight differences, the victim is likely to assume that the legitimate site has done a minor redesign. It's easy to be taken in.
8. Most phishers cast a wide net, sending their emails to millions of randomly chosen potential victims. Most of these emails have no chance of success, since most recipients have no business with the company the phisher is spoofing. But some phishers take a more targeted approach. Which of these phrases refers to phishing attacks that are tailored to a particular person or group of people?

Answer: Spear phishing

Just like a fisherman might target an individual fish with his spear, a spear phisher targets an individual recipient or a small group of recipients. To make this work, the spear phishers need to have some outside source of data. For example, they may know that you do your business with a specific bank, or that you recently bought a high-definition television, and that you might be vulnerable to e-mail that claims to come from the bank or from the TV manufacturer. They might take information from your employer's website, or the Facebook or MySpace pages of you and your friends, to help them make it appear as though the e-mail is from someone you know.

Spear phishing attacks can be very clever and easy to fall for. Remember, if you receive an unexpected e-mail that asks you to do something you're uncomfortable with -- like sending back a password or your financial information or open a strange-looking attachment -- it's better to be safe than sorry. Contact the person who supposedly sent the email and check whether they really did!
9. Banking sites may be the most appealing targets for a phisher, but other sites -- like online stores, forums, and e-mail providers -- can also provide an attacker with a useful prize. What sort of information is a phisher LEAST likely to gain from a successful phishing attack on, say, an account at an online retailer?

Answer: The user's signature

It's tempting to think that an account at, say, TheGenericStore.com doesn't need much security. After all, it's a place for browsing and buying, not for doing your banking; it seems either more anonymous or less important than MyBankAccount.com. However, an attacker can still get quite a lot by phishing account holders at the Generic Store. For each success, our anti-hero has someone's name and password, which -- let's be honest -- he or she probably uses for at least one other website, too. (And maybe that website is a bank...) The phisher has the user's e-mail address, and very likely a real name and real address, too, which can be used for identity theft: posing as someone else in order to open accounts and get credit.

Finally, if the Generic Store saves credit card information or PayPal details, a successful phisher may be able to exploit the data to make unauthorized purchases. In short, it's a good idea to exercise caution everywhere on the Internet -- not just on banking sites.
10. Let's say that I sit down at my computer to find an urgent e-mail. It says it's from my bank, and that there's been suspicious activity on my debit card, so my account has been temporarily de-activated. For security, I need to click on the provided link and verify my account information. Which of the following should I NOT do in this situation?

Answer: Click on the provided link

Phishers often try to create a sense of urgency: if action is required NOW, you're more likely to follow their directions without taking time to think about it. Likewise, making you feel that you might have done something wrong (like "suspicious activity") gives them a psychological edge. But the bank shouldn't prompt you for sensitive information over e-mail, just like the gas company shouldn't send someone to your door without proper identification. (The same goes for telephone calls: if they called you and you don't already know the number, they may not be who they say they are.)

If there's really an issue with my account, then I should be able to handle it by contacting the bank in a way I know will be secure: in person or at their phone number (which is not necessarily the one listed in the e-mail I've received!). Alternatively, I could use a search engine (like Bing or Google) like a phone book, to find the genuine web address. If I've already bookmarked a trusted web address, I could go directly there. At the same time, I can alert the bank to the possible phishing e-mail I've received, and they can take appropriate action.
Source: Author CellarDoor

This quiz was reviewed by FunTrivia editor gtho4 before going online.
Any errors found in FunTrivia content are routinely corrected through our feedback system.
11/21/2024, Copyright 2024 FunTrivia, Inc. - Report an Error / Contact Us