Malware Handout (English)
We created a double-sided informative handout about malware and about protections against contracting malware on devices. Facilitators should expect to walk through these handouts with learners after first discussing less scary forms of phishing. For example, in our Phishing and Malware lesson plan, we suggest a warm-up activity using spam subject lines that learners have received.
We recommend distributing these handouts during a workshop on malware and phishing, to give learners exposure to big ideas, to contextualize what they are learning, and to have as a reference in the future.
We are iterating on this handout, based on testing with participants in workshops, feedback from beginner teachers, and advice from digital security practitioners.
How to Use This Handout
The facilitator should introduce big ideas, such as the main terms (malware, phishing, attacker, antivirus software), and can guide learners through specific types of malware such as adware, stalkerware, trojans, ransomware and APT attacks. To foster discussion, it can be helpful to ask participants to think of examples of malware they have seen or know about, or of tactics they have observed that were meant to get them to click on suspicious links, visit untrustworthy websites, or similar strategies.
Suggested activity: Phishing art critique!
“Think about the following: how would you phish yourself? Or a friend, a family member, colleague, or someone you know? You can make something up, or base it on a real example if you’d like.”
You can distribute paper or post-its, allow some time to draw and write, and break the participants into groups. (Be mindful of accessibility and of the different ways learners may participate in this activity.)
You can provide multiple ways to participate. Learners can choose among the following:
Draw what a phishing website or phishing email that is hiding malware could look like. What techniques would they use? Would they drop in logos from the companies? Would they imitate the fonts and style? How would they obscure links?
Perform an audio phishing attempt (also known as “vishing”). What would a phishing phone call be like? How might someone be convinced to click on a malicious link, or to give a code, through a phone call?
Act out an in-person phishing attempt (this can introduce learners to “social engineering”). What might an in-person attempt to put malware on someone’s device look like?
You can then pair them up and ask them to evaluate each other’s phishing art. What would work about this strategy? What would tip the person off that this wasn’t authentic? How would you explain it to someone else? What strategies would you use for avoiding this kind of message or website?
You can expand this activity to include physical attacks on devices. For example, would they distract someone while plugging a USB device into their computer?
Finally, have them answer the remaining questions: How can you protect against malware? Learners should mention regularly updating software, being careful before clicking (list some strategies), physical security of devices (like strong passwords and encryption), and antivirus software. Additionally, learners should be able to share new things that they learned, such as a common way malware is installed (like the example of not plugging unfamiliar USBs into their devices, e.g. at airports or on airplanes) or recognizing a type of malware (e.g. awareness around stalkerware).
In the remaining time, the facilitator can spend a few minutes asking learners to find out how to update their software for their individual devices. The facilitator might ask: How do you update your applications? How can you update the operating system for that device?