| Security Education Companion Skip to main content
Security Education Companion
A free resource for digital security educators
Planner (0)

Phishing and Malware

Last modified February 5, 2020
  • English
Duration: 1 hour(s)

Learning Objectives

Learners will:

  • Be able to describe what phishing means.
  • Understand why they may be a target of phishing.
  • Be able to give some tactics to combat phishing.


Instructor: Learners
1:10 (One instructor to ten students)

Suggested Materials

Lesson Content


Get folks to talk about the terrible spam subject lines they’ve seen. People can check their spam inboxes (if they know where to find them), or you can just quote some that you’ve seen.

Some sources if you need suggestion include Busted: The Worst Email Subject Lines, Ever! and 19 Terrible Email Subject Lines

Follow up with additional questions, like:

  • “Do you just get this sort of message via email? Has anyone ever gotten spam phone calls or text messages?”
  • “What is spam trying to get you to do?” (Possible answers: Buy stuff, wire money, click on something, hand over credit card details, get involved in a scam)
  • “If someone was trying to get you to click a link, how would they do it?”

Alternatively, ask learners to try and craft an email they'd send to someone else in the group in order to persuade them to click on a link. (This is best with groups where everyone is familiar or comfortable with having information shared with each other. Otherwise, pick a celebrity or a hypothetical made-up person.)

After some questions, you can offer a quick explanation along the lines of: “Phishing is a type of spam, in that’s it’s trying to get you to do something. But it’s an attempt to get information out of you. Spear-phishing is when you or your organization are specifically targeted. Other types of dangerous spam will try to trick you to download and run a program that will spy on you, or make you pay to recover your files.”

Knowledge Share

Phishing is an area where it’s easy to overscare people, or prompt privacy nihilism. You want people to think about ways attackers could trick them—but not slip into believing that no one can be trusted, or that there is no way to guard against phishing emails. Remember: after scaring your audience with convincing emails, give them solutions. This can include ways to check headers, how to do out-of-band confirmation, opening documents in Google Docs, and turning on two-factor authentication.

We recommend moving from spam to phishing attacks because people often find spam attempts to trick them laughable. You can move the audience’s perception of spear-phishing attempts from “super scary hacker skill” to “may be inept” depending on how apprehensive your audience is.

In general, people do not differentiate between programs that run locally and those that run outside their computer, and may not be able to recognize different types of documents. They are familiar with reading messages, and being asked to act on a message. Concentrate on increasing their vigilance when reading messages and giving them protective steps they can realistically take rather than on what particular actions are dangerous and what are not. (For instance, instead of, “Don’t view PDF and Word documents,” say, “Think twice when an email asks you to click on something.”)

One of the key underlying points about phishing is authentication—how do you know who (or what) you’re talking to? How do you know the sender of the email is who they say they are? Is this strange email really from my colleague? Is this suspicious alert really from my bank? The solutions to this in spear-phishing are usually low-tech—calling a person or organization on a phone, spotting something that they wouldn’t normally say, navigating to a bank or organization’s website yourself instead of clicking any links, etc.

Once established, you can take this idea of the importance of “knowing who you’re talking to” and apply it to other, tougher, digital security concepts, like website certificates and signing.

Caution! People can react badly to the idea that they are being tricked, or push back against the idea that they might ever be tricked. Don’t try and play practical jokes on your audience, and don’t use intimate knowledge to construct phishing messages unless you’re very comfortable with the audience’s boundaries.

It can also help to share personal stories, if you have some, or generally highlight the idea that “This could happen to anyone!” This could sound something like, “Even though it’s not particularly high-tech, these phishing emails can be really sneaky. Believe it or not, I clicked on one from Bank of America several years ago—and then quickly realized what I’d done and called to cancel my card and get a new one!”

If people are embarrassed or ashamed, they will be less likely to get help or take action about a suspicious email. You can respond to this with something like, “Don’t be shy about getting a second pair of eyes on a weird email, or about calling a friend directly to make sure they sent it.”

If someone claims that they would never be fooled by an email, don’t challenge them. The chances are that everyone else in the room is accustomed to their attitude, and they won’t learn any better by being convinced that they will be fooled. Move the potential target from them, to those that they feel they must protect. (“You seem to have a very good shield against phishing! But supposing you knew someone who accidentally clicked on an attachment, and then all your personal details were exposed from their accounts. What would you want to teach them?")