Computer Science · Grade 9

Active learning ideas

Social Engineering Tactics

Active learning works for this topic because social engineering relies on human behavior, not just facts. When students practice tactics like pretexting in role-plays or analyze phishing emails, they experience firsthand how psychology drives these attacks. This engagement makes abstract concepts like cognitive biases real and memorable.

Ontario Curriculum Expectations: CS.HS.CY.4, CS.HS.S.11
35–50 min · Pairs → Whole Class · 4 activities

Activity 01

Role Play · 45 min · Small Groups

Role-Play: Attack Scenarios

Divide class into small groups. Each group draws a tactic like pretexting or baiting, assigns roles for attacker and victims, performs a 3-minute skit, then switches. Follow with a 10-minute debrief on what worked and why.

Explain how social engineering exploits human psychology to bypass security measures.

Facilitation Tip: For the Role-Play activity, assign specific roles to students to ensure they embody the attacker’s tactics clearly and the victim’s reactions authentically.

What to look for: Present students with a short, fictional scenario describing a suspicious email or phone call. Ask: 'What social engineering tactic might be at play here? What specific details in the message make it suspicious? What is the safest way to respond, or not respond, to this communication?'

Apply · Analyze · Evaluate · Social Awareness · Self-Awareness

Activity 02

Role Play · 35 min · Pairs

Phishing Email Analysis: Spot the Tricks

Provide sample emails with social engineering elements. In pairs, students highlight manipulative language, predict victim responses, and rewrite safe versions. Share findings in a whole-class gallery walk.

Analyze common social engineering tactics (e.g., pretexting, baiting, quid pro quo).

Facilitation Tip: During the Phishing Email Analysis, require students to highlight specific text in the email that triggered their suspicion and justify their reasoning in writing.

What to look for: Provide students with a list of common social engineering tactics (e.g., phishing, baiting, pretexting). Present brief descriptions of actions and ask students to match each action to the correct tactic. For example, 'An attacker leaves a USB drive labeled "Payroll Info" in a company parking lot' matches 'Baiting'.

Apply · Analyze · Evaluate · Social Awareness · Self-Awareness

Activity 03

Role Play · 50 min · Pairs

Defense Strategy Workshop: Build Your Plan

Individuals brainstorm personal protections against three tactics. Pairs combine ideas into posters with steps like 'verify identity' or 'avoid unsolicited USBs.' Present to class for feedback.

Design strategies to protect oneself from social engineering attacks.

Facilitation Tip: In the Defense Strategy Workshop, provide sentence stems for students who struggle, such as 'One way to verify a request is to _____.', to guide their planning.

What to look for: Ask students to write down two specific actions they can take to protect themselves from social engineering attacks. Then, have them briefly explain why one of these actions is effective, referencing a psychological principle or tactic discussed in class.

Apply · Analyze · Evaluate · Social Awareness · Self-Awareness

Activity 04

Role Play · 40 min · Small Groups

Case Study Debate: Real-World Attacks

Assign famous cases like Kevin Mitnick's tactics to small groups. Groups research briefly, debate effectiveness, and propose countermeasures. Vote on best defenses as a class.

Explain how social engineering exploits human psychology to bypass security measures.

Facilitation Tip: For the Case Study Debate, assign students to argue both sides of an attack to deepen their understanding of attacker motivations and victim vulnerabilities.

What to look for: Present students with a short, fictional scenario describing a suspicious email or phone call. Ask: 'What social engineering tactic might be at play here? What specific details in the message make it suspicious? What is the safest way to respond, or not respond, to this communication?'

Apply · Analyze · Evaluate · Social Awareness · Self-Awareness

A few notes on teaching this unit

Teaching this topic works best when you balance technical explanations with relatable, scenario-based activities. Avoid lecturing about tactics; instead, let students discover vulnerabilities through guided exploration. Research shows that when students experience the emotions of being tricked—like embarrassment or surprise—they retain the lesson more deeply. Normalize mistakes as part of the learning process to reduce stigma around falling for attacks.

Successful learning looks like students confidently identifying social engineering tactics in unfamiliar contexts and designing defense strategies. They should explain their reasoning using specific details from scenarios, not just memorized definitions. Participation in discussions and workshops demonstrates their ability to apply concepts beyond the classroom.


Watch Out for These Misconceptions

  • During the Role-Play activity, watch for students who assume only 'suspicious' strangers use social engineering.

    Use the role-play scripts to demonstrate how attackers might pose as classmates, teachers, or IT staff to exploit trust. After the activity, debrief by asking students to share moments when they trusted an unfamiliar role within the scenario.

  • During the Phishing Email Analysis activity, watch for students who believe intelligence alone prevents social engineering attacks.

    Have students analyze phishing emails that mimic familiar organizations (e.g., their school or bank). Ask them to identify which psychological biases—like urgency or authority—are used to bypass their judgment. Highlight how even careful people fall for these tricks.

  • During the Defense Strategy Workshop, watch for students who think technical tools alone will stop social engineering.

    Use the workshop to guide students in creating multi-layered plans that include verifying requests, asking clarifying questions, and reporting suspicious interactions. Ask them to explain why human vigilance is essential, even with firewalls or antivirus software.

