Computing · Secondary 3

Active learning ideas

Phishing and Social Engineering

Students retain cybersecurity skills best when they practice in controlled, realistic settings. Phishing and social engineering tactics rely on human psychology, so active role-play and analysis help students recognize patterns and build habits before facing real threats. These activities make abstract concepts concrete by letting students see, test, and refine their strategies.

MOE Syllabus Outcomes: MOE: Cybersecurity - S3
25–45 min · Pairs → Whole Class · 4 activities

Activity 01

Stations Rotation · 40 min · Small Groups

Stations Rotation: Phishing Analysis Stations

Prepare four stations with printed phishing emails, fake websites on laptops, smishing texts, and vishing scripts. Small groups spend 8 minutes per station identifying red flags, such as urgent language or bad links, and recording evidence on worksheets. Groups rotate and share findings in a debrief.

Analyze the psychological principles exploited by social engineering attacks.

Facilitation Tip: During Phishing Analysis Stations, circulate with a checklist to ensure each group records specific red flags and discusses why some messages appear legitimate.

What to look for: Present students with two sample emails, one legitimate and one phishing attempt. Ask them to identify three specific red flags in the phishing email and explain why each is a concern. They should also state one action they would take if they received the phishing email.

Remember · Understand · Apply · Analyze · Self-Management · Relationship Skills

Activity 02

Role Play · 30 min · Pairs

Role-Play: Social Engineering Drills

In each pair, assign one attacker and one victim, using scenario cards based on real tactics like pretexting or baiting. The 'victim' responds while the class observes the tactics used. Switch roles, then discuss defenses as a whole class.

Differentiate between legitimate communications and phishing attempts.

Facilitation Tip: In Social Engineering Drills, set a strict time limit to create urgency, just like real attackers do, while keeping the environment safe.

What to look for: Pose the question: 'Why are people, rather than technology, often the weakest link in cybersecurity?' Facilitate a class discussion where students share examples of social engineering tactics and explain the psychological principles that make them effective.

Apply · Analyze · Evaluate · Social Awareness · Self-Awareness

Activity 03

Role Play · 45 min · Small Groups

Design Challenge: Defense Posters

In small groups, students create infographics or posters outlining phishing red flags and protection steps, using tools like Canva. Incorporate psychological principles with visuals. Groups present to class for feedback.

Design strategies to protect oneself from social engineering tactics.

Facilitation Tip: For Defense Posters, provide colored markers and sticky notes so students can prototype ideas quickly and revise based on peer feedback.

What to look for: Show a short video clip depicting a vishing or smishing scenario. Ask students to write down on a sticky note the primary goal of the attacker and one question they would ask to verify the caller's identity or the legitimacy of the request.

Apply · Analyze · Evaluate · Social Awareness · Self-Awareness

Activity 04

Role Play · 25 min · Whole Class

Quiz Game: Spot the Phish

Project sample messages or sites; teams buzz in to classify each as legitimate or phishing and explain why. Award points for correct analysis of elements like sender and attachments. Review answers together.

Analyze the psychological principles exploited by social engineering attacks.

Facilitation Tip: During Spot the Phish, use a timing device to build speed and accuracy, then debrief with examples of near-misses to reinforce learning.

What to look for: Present students with two sample emails, one legitimate and one phishing attempt. Ask them to identify three specific red flags in the phishing email and explain why each is a concern. They should also state one action they would take if they received the phishing email.

Apply · Analyze · Evaluate · Social Awareness · Self-Awareness

A few notes on teaching this unit

Teachers should start with basic phishing examples before advancing to sophisticated ones, because students need to master fundamentals before recognizing nuanced attacks. Avoid showing only extreme cases, as these create false confidence. Research shows that practicing with varied examples builds adaptable detection skills. Emphasize that social engineering targets everyone, not just careless users, so normalize mistakes and focus on recovery strategies.

Successful learning looks like students confidently identifying red flags in phishing attempts within seconds, explaining their reasoning, and choosing appropriate responses. They should also design clear, practical defenses and demonstrate empathy by recognizing how different social engineering tactics target varied personalities.


Watch Out for These Misconceptions

  • During Phishing Analysis Stations, students may assume all phishing emails contain spelling errors.

    During Phishing Analysis Stations, provide examples of high-quality phishing with perfect grammar but subtle mismatches in domains or sender details, and guide students to compare logos, tone, and URLs to spot inconsistencies.

  • During Social Engineering Drills, students may believe avoiding links is enough to stay safe.

    During Social Engineering Drills, set up scenarios where attackers request sensitive data without links, then debrief on full attack chains and complete avoidance strategies like verifying identities through official channels.

  • During Spot the Phish, students may think social engineering only affects careless people.

    During Spot the Phish, include personalized examples showing how attackers exploit universal biases like urgency or authority, then facilitate peer discussions to reveal individual vulnerabilities and build collaborative defenses.


Methods used in this brief