A key skill needed by both children and adults online is cybersecurity: protecting your devices, online accounts and personal data from unauthorised access. It is important for you to know how to protect yourself as individual, and many of the steps you can take can also be taught to your child to encourage them to be cybersecure, even from a young age.
This deep dive will explore cybersecurity strategies that are useful for all family members, as well as some of the most common forms of cybercrime that you or your child may encounter online, specifically online scams such as phishing, and the use of malware.
Why is cybersecurity important?
Internet connected devices (such as smartphones, games consoles and computers) are a common part of modern life for many families. Depending on your family’s approach to using technology, there may be a range of devices that are used to access online services. Your child may also have their own devices and their own accounts, including social media, email and gaming accounts.
The personal data stored in online accounts and devices is valuable to criminals, particularly data related to accessing finances or possessions.
Getting into positive habits around privacy and security is important for everyone in your family to help avoid becoming the victims of cybercrime. It is also useful to learn how to spot common attempts online by criminals to steal personal data, possessions or money – the more aware you are, the easier it is to spot when a cybercriminal is trying to trick you or your family online.
What is cybercrime?
There are two main types of cybercrime:
- cyber-enabled crime – traditional crimes that can be enhanced by technology (for example, child sexual exploitation, blackmail, fraud, extortion and drug smuggling).
- cyber-dependent crime – crimes that can only occur through the use of the internet and technology (for example, hacking, cyberespionage, data theft, and malware).
This deep dive will mainly focus on the ways that you and your family can protect yourself from cyber-dependent crime, although many of these strategies can also help reduce the risk of other crimes such as fraud, identity theft or extortion.
What are the motives behind cybercrime?
Your personal data is valuable to online companies but also to cybercriminals. With enough personal data, a cybercriminal could:
- Access your online accounts that enable them to collect/steal more personal data.
- Sell personal data (such as credit card details, account passwords, etc.) to other criminals online.
- Impersonate you – either to commit fraud or to commit acts that might damage your reputation, well-being or safety.
- Hijack your accounts/devices to use in other crimes, such as using them as part of a coordinated attack alongside other hacked accounts/devices to take down a website. This is often referred to as a ‘botnet’.
What types of scams are there online?
Thanks to the wide variety of online services, online scams can take many different forms:
| Romance scams | Building a romantic relationship and trust in order to request large sums of money from you. |
|---|---|
| ‘Get rich quick’ schemes | Scams promising a quick return on a small investment but are designed purely to take your money. |
| Impersonation on social media | Setting up a fake account that impersonates you in order to add your friends and obtain their personal data. |
| Fake shopping sites/products | Selling fake products or services in order to take your money. You end up receiving no product in return or a product of much lesser value than advertised. |
| Phishing | Emails pretending to be from a genuine service (like Netflix or a bank) encouraging you to click a link to confirm your account details and enter personal data such as usernames and passwords. |
| Unexpected prizes/competition wins | Promises of a prize in return for a small payment or sharing of personal data. |
| Fake investment offers | Scams promising a large return on an investment or seeking to pass money through your bank account and pay you a percentage as a reward (also known as ‘money muling’, a form of money laundering). |
| Extortion | Threatening you with physical or reputational harm unless you comply with the scammer’s demands or pay them to go away. Sextortion scams involve scammers claiming they have intimate images of someone and will release them into the public domain unless paid not to. Many sextortion scams target young men and boys. |
| Tech support scams | Unexpected contact from a tech support line or company offering to take control of your device to fix a problem. Once they have control, they install malicious software (malware) or steal personal data. |
| Malware | Disguising a virus as a genuine file, software or app to encourage you to install or download it onto a device. Some software (like keyloggers) allows a criminal to record all actions on a device, including keys pressed on a keyboard when inputting details such as passwords. |
| Ransomware | Malware that encrypts (locks down) all files on a device and will only unlock those files when a ransom is paid. As the encryption is often very strong, victims are faced with the choice of paying the ransom or losing their data forever. |
Regardless of the type, the motive is always the same – to trick an online user into giving away personal data or other information in order for a scammer to defraud them or take advantage of another person, usually for financial gain.
Activity:
Consider the following scams and how likely they might be to affect your child.
| Type of scam | How likely is it to affect your child? |
|---|---|
| Romance scams | |
| Get rich quick schemes | |
| Impersonation | |
| Fake shopping | |
| Phishing | |
| Unexpected prizes | |
| Fake investments | |
| Extortion | |
| Tech support scams | |
| Malware | |
| Ransomware |
| Highly unlikely | Unlikely | Likely | Highly likely |
What is phishing?
Phishing is a common technique used by cybercriminals to trick users into revealing their personal data by pretending to be popular online products and services. The most common form of phishing is an email that appears to be from a trusted source such as your bank or an online service you use (such as Netflix) asking you to confirm or update your account details. These emails always include a link to a fake webpage - it looks like the genuine site but is designed to steal any personal data entered (like usernames and passwords). Criminals can then use your details to gain access to your real account. This can also occur through SMS messages on mobile devices – commonly referred to as ‘smishing’.
Young people can also be targeted by online scams; the Phishers’ Favorites report found that many of the top 20 impersonated brands online are ones popular with children and young people (such as Facebook, Microsoft, Google, WhatsApp, Netflix, Apple and Instagram).
Here are five things that can help you spot a phishing email:
- Sent from a public email domain – a message from a large genuine company (like Disney+ or TikTok) will never be sent from an email address such as @gmail.com or @outlook.com.
- Misspelt domain name – if the email domain is misspelt, or the website it links to contains a misspelt web address then these could also be clues that they are not genuine. Some scammers will buy up misspelt web address that closely mimic genuine ones e.g. www.göögle.com as this can easily fool people who might glance at the address rather than studying it in detail.
- Poor grammar or spelling – these can be indications that the email isn’t genuine. However, artificial intelligence tools are making it easier for cybercriminals to translate from their native language into other languages with a high degree of accuracy.
- Suspicious attachments or links – emails containing attachments (often shown by a paperclip symbol) or you to click on a link may be hiding a piece of malicious software (malware). Files can easily be renamed to something that might tempt you to open it e.g. ‘invoice.pdf’.
- A sense of urgency – emails that prompt you to take immediate action, such as an urgent email from your boss asking you to send information, or a message that appears to be from an online service threatening to suspend your account, could be phishing attempts. Rushing you into taking action gives you less opportunity to examine the email closely and spot any clues that might give it away as fake.
What is malware?
Malware is malicious software that is disguised as a file, software or app to trick a user into opening, downloading or installing it onto their device.
This article summarises the different types of malware that can be used to acquire personal data from others, but they typically include adwares, botnets, keyloggers, cryptocurrency miners, ransomwares, rootkits, spywares, trojans, viruses and worms.
One form of malware that presents risks to individuals but also to organisations (including schools) is ransomware, which infects a device, encrypts (locks) the files and sends a ransom message to the user.
Law enforcement advise that you should never pay the ransom to a cybercriminal – there is no guarantee they will return control of your files or never return in the future to extort more money.
Ransomware is a crime and should be reported to local law enforcement – The No More Ransom project site contains details of who to report to in your country, as well as details of free decryption tools that exist for certain malware types, so that users can attempt to unlock their files rather than lose them forever.
One of the most effective ways to protect your data is to ensure that you use strong and memorable passwords on every online account and use a different password for each one.
The best passwords are based on three or four random words. There are a number of ways you can do this – you could use a random word generator, use a strategy like Diceware, or even make your own password dice to generate unique passwords, using the ‘Making Strong Passphrases’ activity on the School of Social Networks – a great activity to do with your child!
This chart (originally developed by Hive Systems) demonstrates why longer passwords are stronger:
| Number of characters | Numbers only | Lowercase letters | Upper and lowercase letters | Numbers, upper and lowercase letters | Numbers, upper and lowercase letters, symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | 3 secs | 6 secs | 9 secs |
| 5 | Instantly | 4 secs | 2 mins | 6 mins | 10 mins |
| 6 | Instantly | 2 mins | 2 hours | 6 hours | 12 hours |
| 7 | 4 secs | 50 mins | 4 days | 2 weeks | 1 month |
| 8 | 37 secs | 22 hours | 8 months | 3 years | 7 years |
| 9 | 6 mins | 3 weeks | 33 years | 161 years | 479 years |
| 10 | 1 hour | 2 years | 1k years | 9k years | 33k years |
| 11 | 10 hours | 44 years | 89k years | 618k years | 2m years |
| 12 | 4 days | 1k years | 4m years | 38m years | 164m years |
| 13 | 1 month | 29k years | 241m years | 2bn years | 11bn years |
| 14 | 1 year | 766k years | 12bn years | 147bn years | 805bn years |
| 15 | 12 years | 19m years | 652bn years | 9tn years | 56tn years |
| 16 | 119 years | 517m years | 33tn years | 566tn years | 3qd years |
| 17 | 1k years | 13bn years | 1qd years | 35qd years | 276qd years |
| 18 | 11k years | 350bn years | 91qd years | 2qn years | 19qn years |
However, trying to remember dozens of passwords is still tricky! So using a password manager app on your device to store all your log in details can make life easier. You can then secure the app with a strong memorable password – now you only have to remember one password in order to access all your passwords! (Be sure to keep this password secret!)
It is also recommended to use a strong password for your email accounts. If a cybercriminal can guess your email password, they can use your account to reset the passwords on all the services you have used it to sign up for.
What other cybersecurity strategies are important?
The following are strategies that all users (child or adult) can benefit from to strengthen their online security and reduce the chances of personal data or accounts being stolen or hacked:
| Use 2-Step Verification – This is also known as ‘two step authentication’, or ‘two-factor authentication’ or ‘multi-factor authentication’. It can be switched on in many online accounts for apps and games. This means that every time you log in (especially from a new device or location), the app/game will send you a code via text message or email. You must enter that code in order to finish logging in. This feature is very useful because it can let you know when someone has used your password to try to log in to your account. Without the special code, they can’t get into your account. If you receive one of these codes but haven’t tried to log in, then you know that someone else has, and that they know your password. If this happens, it’s extremely important to log in to the account as soon as possible and change your password. Where possible, it’s a good idea to turn this feature on for your accounts and encourage your child to do the same for theirs. |
| Keep software and devices up to date - Criminals are quick to exploit vulnerabilities in software and technology. Always ensure that you keep your family’s devices’ operating systems and your anti-virus and firewall software updated, as well as update software/apps whenever prompted by your devices. |
| Check for data breaches - You can enter your email address on the website ‘HaveIbeenpwned?’ to see if it has been involved in any data breaches. It will display a list of which sites/services were affected and when. Although there is little you can do about the personal data released publicly, you can go to your accounts on those affected sites and change your passwords so no one will be able to gain access to them. Encourage your learners to do the same. |
| Be wary – Look out for unexpected or suspicious messages, and never rush into providing personal data to a website. Always use a trusted method for logging in and accessing your accounts rather than clicking a link in an email or message. |
Further information and resources
Educational resources from across the Insafe network of Safer Internet Centres. You can search for ‘cyber security’ or ‘data privacy’, for resources in your language and for resources for different age groups.
Lots of accessible advice for the public on how to protect personal data online and avoid scams and other cybercrime.
Europol’s site has links to national reporting websites for European countries.
This guide provides useful advice on how to strengthen account security, including 2-Step Verification.
This resource for primary-aged children, teachers and parents/carers provides information and advice on a range of online issues, including privacy and security. There are accompanying activities that teachers can use in the classroom and parents can use at home.
Taking place each October, this campaign site contains a range of cybersecurity resources from different countries that can help promote positive cybersecure habits.
Explore related deep dive articles
A key skill needed by both children and adults online is cybersecurity: protecting your devices, online accounts and personal data from unauthorised access. It is important for you to know how to protect yourself as individual, and many of the steps you can take can also be taught to your child to encourage them to be cybersecure, even from a young age.
This deep dive will explore cybersecurity strategies that are useful for all family members, as well as some of the most common forms of cybercrime that you or your child may encounter online, specifically online scams such as phishing, and the use of malware.
Why is cybersecurity important?
Internet connected devices (such as smartphones, games consoles and computers) are a common part of modern life for many families. Depending on your family’s approach to using technology, there may be a range of devices that are used to access online services. Your child may also have their own devices and their own accounts, including social media, email and gaming accounts.
The personal data stored in online accounts and devices is valuable to criminals, particularly data related to accessing finances or possessions.
Getting into positive habits around privacy and security is important for everyone in your family to help avoid becoming the victims of cybercrime. It is also useful to learn how to spot common attempts online by criminals to steal personal data, possessions or money – the more aware you are, the easier it is to spot when a cybercriminal is trying to trick you or your family online.
What is cybercrime?
There are two main types of cybercrime:
- cyber-enabled crime – traditional crimes that can be enhanced by technology (for example, child sexual exploitation, blackmail, fraud, extortion and drug smuggling).
- cyber-dependent crime – crimes that can only occur through the use of the internet and technology (for example, hacking, cyberespionage, data theft, and malware).
This deep dive will mainly focus on the ways that you and your family can protect yourself from cyber-dependent crime, although many of these strategies can also help reduce the risk of other crimes such as fraud, identity theft or extortion.
What are the motives behind cybercrime?
Your personal data is valuable to online companies but also to cybercriminals. With enough personal data, a cybercriminal could:
- Access your online accounts that enable them to collect/steal more personal data.
- Sell personal data (such as credit card details, account passwords, etc.) to other criminals online.
- Impersonate you – either to commit fraud or to commit acts that might damage your reputation, well-being or safety.
- Hijack your accounts/devices to use in other crimes, such as using them as part of a coordinated attack alongside other hacked accounts/devices to take down a website. This is often referred to as a ‘botnet’.
What types of scams are there online?
Thanks to the wide variety of online services, online scams can take many different forms:
| Romance scams | Building a romantic relationship and trust in order to request large sums of money from you. |
|---|---|
| ‘Get rich quick’ schemes | Scams promising a quick return on a small investment but are designed purely to take your money. |
| Impersonation on social media | Setting up a fake account that impersonates you in order to add your friends and obtain their personal data. |
| Fake shopping sites/products | Selling fake products or services in order to take your money. You end up receiving no product in return or a product of much lesser value than advertised. |
| Phishing | Emails pretending to be from a genuine service (like Netflix or a bank) encouraging you to click a link to confirm your account details and enter personal data such as usernames and passwords. |
| Unexpected prizes/competition wins | Promises of a prize in return for a small payment or sharing of personal data. |
| Fake investment offers | Scams promising a large return on an investment or seeking to pass money through your bank account and pay you a percentage as a reward (also known as ‘money muling’, a form of money laundering). |
| Extortion | Threatening you with physical or reputational harm unless you comply with the scammer’s demands or pay them to go away. Sextortion scams involve scammers claiming they have intimate images of someone and will release them into the public domain unless paid not to. Many sextortion scams target young men and boys. |
| Tech support scams | Unexpected contact from a tech support line or company offering to take control of your device to fix a problem. Once they have control, they install malicious software (malware) or steal personal data. |
| Malware | Disguising a virus as a genuine file, software or app to encourage you to install or download it onto a device. Some software (like keyloggers) allows a criminal to record all actions on a device, including keys pressed on a keyboard when inputting details such as passwords. |
| Ransomware | Malware that encrypts (locks down) all files on a device and will only unlock those files when a ransom is paid. As the encryption is often very strong, victims are faced with the choice of paying the ransom or losing their data forever. |
Regardless of the type, the motive is always the same – to trick an online user into giving away personal data or other information in order for a scammer to defraud them or take advantage of another person, usually for financial gain.
Activity:
Consider the following scams and how likely they might be to affect your child.
| Type of scam | How likely is it to affect your child? |
|---|---|
| Romance scams | |
| Get rich quick schemes | |
| Impersonation | |
| Fake shopping | |
| Phishing | |
| Unexpected prizes | |
| Fake investments | |
| Extortion | |
| Tech support scams | |
| Malware | |
| Ransomware |
| Highly unlikely | Unlikely | Likely | Highly likely |
What is phishing?
Phishing is a common technique used by cybercriminals to trick users into revealing their personal data by pretending to be popular online products and services. The most common form of phishing is an email that appears to be from a trusted source such as your bank or an online service you use (such as Netflix) asking you to confirm or update your account details. These emails always include a link to a fake webpage - it looks like the genuine site but is designed to steal any personal data entered (like usernames and passwords). Criminals can then use your details to gain access to your real account. This can also occur through SMS messages on mobile devices – commonly referred to as ‘smishing’.
Young people can also be targeted by online scams; the Phishers’ Favorites report found that many of the top 20 impersonated brands online are ones popular with children and young people (such as Facebook, Microsoft, Google, WhatsApp, Netflix, Apple and Instagram).
Here are five things that can help you spot a phishing email:
- Sent from a public email domain – a message from a large genuine company (like Disney+ or TikTok) will never be sent from an email address such as @gmail.com or @outlook.com.
- Misspelt domain name – if the email domain is misspelt, or the website it links to contains a misspelt web address then these could also be clues that they are not genuine. Some scammers will buy up misspelt web address that closely mimic genuine ones e.g. www.göögle.com as this can easily fool people who might glance at the address rather than studying it in detail.
- Poor grammar or spelling – these can be indications that the email isn’t genuine. However, artificial intelligence tools are making it easier for cybercriminals to translate from their native language into other languages with a high degree of accuracy.
- Suspicious attachments or links – emails containing attachments (often shown by a paperclip symbol) or you to click on a link may be hiding a piece of malicious software (malware). Files can easily be renamed to something that might tempt you to open it e.g. ‘invoice.pdf’.
- A sense of urgency – emails that prompt you to take immediate action, such as an urgent email from your boss asking you to send information, or a message that appears to be from an online service threatening to suspend your account, could be phishing attempts. Rushing you into taking action gives you less opportunity to examine the email closely and spot any clues that might give it away as fake.
What is malware?
Malware is malicious software that is disguised as a file, software or app to trick a user into opening, downloading or installing it onto their device.
This article summarises the different types of malware that can be used to acquire personal data from others, but they typically include adwares, botnets, keyloggers, cryptocurrency miners, ransomwares, rootkits, spywares, trojans, viruses and worms.
One form of malware that presents risks to individuals but also to organisations (including schools) is ransomware, which infects a device, encrypts (locks) the files and sends a ransom message to the user.
Law enforcement advise that you should never pay the ransom to a cybercriminal – there is no guarantee they will return control of your files or never return in the future to extort more money.
Ransomware is a crime and should be reported to local law enforcement – The No More Ransom project site contains details of who to report to in your country, as well as details of free decryption tools that exist for certain malware types, so that users can attempt to unlock their files rather than lose them forever.
One of the most effective ways to protect your data is to ensure that you use strong and memorable passwords on every online account and use a different password for each one.
The best passwords are based on three or four random words. There are a number of ways you can do this – you could use a random word generator, use a strategy like Diceware, or even make your own password dice to generate unique passwords, using the ‘Making Strong Passphrases’ activity on the School of Social Networks – a great activity to do with your child!
This chart (originally developed by Hive Systems) demonstrates why longer passwords are stronger:
| Number of characters | Numbers only | Lowercase letters | Upper and lowercase letters | Numbers, upper and lowercase letters | Numbers, upper and lowercase letters, symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | 3 secs | 6 secs | 9 secs |
| 5 | Instantly | 4 secs | 2 mins | 6 mins | 10 mins |
| 6 | Instantly | 2 mins | 2 hours | 6 hours | 12 hours |
| 7 | 4 secs | 50 mins | 4 days | 2 weeks | 1 month |
| 8 | 37 secs | 22 hours | 8 months | 3 years | 7 years |
| 9 | 6 mins | 3 weeks | 33 years | 161 years | 479 years |
| 10 | 1 hour | 2 years | 1k years | 9k years | 33k years |
| 11 | 10 hours | 44 years | 89k years | 618k years | 2m years |
| 12 | 4 days | 1k years | 4m years | 38m years | 164m years |
| 13 | 1 month | 29k years | 241m years | 2bn years | 11bn years |
| 14 | 1 year | 766k years | 12bn years | 147bn years | 805bn years |
| 15 | 12 years | 19m years | 652bn years | 9tn years | 56tn years |
| 16 | 119 years | 517m years | 33tn years | 566tn years | 3qd years |
| 17 | 1k years | 13bn years | 1qd years | 35qd years | 276qd years |
| 18 | 11k years | 350bn years | 91qd years | 2qn years | 19qn years |
However, trying to remember dozens of passwords is still tricky! So using a password manager app on your device to store all your log in details can make life easier. You can then secure the app with a strong memorable password – now you only have to remember one password in order to access all your passwords! (Be sure to keep this password secret!)
It is also recommended to use a strong password for your email accounts. If a cybercriminal can guess your email password, they can use your account to reset the passwords on all the services you have used it to sign up for.
What other cybersecurity strategies are important?
The following are strategies that all users (child or adult) can benefit from to strengthen their online security and reduce the chances of personal data or accounts being stolen or hacked:
| Use 2-Step Verification – This is also known as ‘two step authentication’, or ‘two-factor authentication’ or ‘multi-factor authentication’. It can be switched on in many online accounts for apps and games. This means that every time you log in (especially from a new device or location), the app/game will send you a code via text message or email. You must enter that code in order to finish logging in. This feature is very useful because it can let you know when someone has used your password to try to log in to your account. Without the special code, they can’t get into your account. If you receive one of these codes but haven’t tried to log in, then you know that someone else has, and that they know your password. If this happens, it’s extremely important to log in to the account as soon as possible and change your password. Where possible, it’s a good idea to turn this feature on for your accounts and encourage your child to do the same for theirs. |
| Keep software and devices up to date - Criminals are quick to exploit vulnerabilities in software and technology. Always ensure that you keep your family’s devices’ operating systems and your anti-virus and firewall software updated, as well as update software/apps whenever prompted by your devices. |
| Check for data breaches - You can enter your email address on the website ‘HaveIbeenpwned?’ to see if it has been involved in any data breaches. It will display a list of which sites/services were affected and when. Although there is little you can do about the personal data released publicly, you can go to your accounts on those affected sites and change your passwords so no one will be able to gain access to them. Encourage your learners to do the same. |
| Be wary – Look out for unexpected or suspicious messages, and never rush into providing personal data to a website. Always use a trusted method for logging in and accessing your accounts rather than clicking a link in an email or message. |
Further information and resources
Educational resources from across the Insafe network of Safer Internet Centres. You can search for ‘cyber security’ or ‘data privacy’, for resources in your language and for resources for different age groups.
Lots of accessible advice for the public on how to protect personal data online and avoid scams and other cybercrime.
Europol’s site has links to national reporting websites for European countries.
This guide provides useful advice on how to strengthen account security, including 2-Step Verification.
This resource for primary-aged children, teachers and parents/carers provides information and advice on a range of online issues, including privacy and security. There are accompanying activities that teachers can use in the classroom and parents can use at home.
Taking place each October, this campaign site contains a range of cybersecurity resources from different countries that can help promote positive cybersecure habits.
Explore related deep dive articles
