Ask HN: How do you educate non-techie family to tell what domain they're on?

2 points by another-dave ↗ HN
Does anyone have any advice or resources for educating non-technical friends/relatives on how to spot simply what domain they are connected to?

I've seen family members almost scammed by fake UPS text messages over the Christmas break & it always seems a bit of a rabbit hole to explain to people who aren't very technically savvy — I'm resorting to "If you haven't instigated the contact, don't click on any links & validate through other channels. If you don't know, send me a screenshot", but want to provide better pointers to help people help themselves.

So far, the closest thing I've found is phishingquiz.withgoogle.com, but dislike the fact that:

* It doesn't actually explain _why_ something is a phishing attempt. E.g. the third question has a link to https://drive.google.com.download-photo.sytez.net/AONh1e0hVP. If you say that it looks legitimate, the explainer says "It looks like you missed the fishy look-alike URL. The real domain is 'sytez.net', but it is designed to look like Google Drive. Remember to be especially cautious if you aren't sure you know the sender." But completely skips over the fact of how you should recognise that it points to "sytez.net" to begin with.

* It has an example that uses AMP redirects — google.com/amp/tinyurl.com/y7u8ewlr — which completely muddies the waters, because Google have the terrible practice of allowing unrestricted redirects to any URL from their domain, they're telling users that these links are "insecure" even though they're coming from a website they trust.

Think I need something a few steps back from the above phishing example, to tell them how to spot what main domain they are connected to — i.e. to be able to tell apart that they're on sytez.net not google.com in the above.

Thinking of building a browser plug-in to do it, as trying to explain it feels very open to confusion — between things like TLDs and second-level (like ".co.uk") and URL schemes which may or may not be hidden by the browser.

2 comments

[ 5.3 ms ] story [ 16.3 ms ] thread
My rule of thumb is just "don't click on links that are sent to you". If you need to do something, type the URL in yourself, even (especially) if you get an email that looks legitimate. I think the one exception to this would be if it's a direct response to an action that you initiated, like a "Forgot Password" email that you specifically requested.
That's been my advice so far, but there are some things that become off limits to people with this approach as the legitimate sites often give you no way to complete some actions like this (e.g. "book a slot with our courier" but you can't browse to the page directly).

Plus, I'd like to be able to help people overcome their fear on the internet rather than just keeping them from getting scammed — e.g. the difference between teaching someone to read a map so that they can explore the countryside safely & telling them "you should just stick to the park, where it's safe".