Digital Foundations Module

Lesson 5: Cybersecurity, Phishing, and Spam

Before you start the lesson, make sure to read through the lesson overview and the lesson preparation. The Facilitator Guide can also help you prepare.

Lesson Overview

Lesson Preparation

Begin Lesson

Begin Lesson

Online Risks


When you are using the internet, you may expose yourself to risks through the mere act of accessing a web page, communicating online, or downloading data. It is sometimes possible for websites you access, people on the same network, or even third parties to figure out your location or other information about you when you browse.

  • Who might take advantage of online security vulnerabilities to see your personal information?
    • Possible answers include malicious hackers, government surveillance, etc.

When you browse the web, it is possible for malicious hackers to collect data on you the same way internet providers do. In order to reduce this risk, you must use a secure connection between you and the website(s) you are trying to access. Regardless of your connection, many websites try to track your usage patterns across multiple platforms. They can watch your browser, location, and other usage patterns to try to figure out who you are.

  • Why might malicious hackers try to access your information online?
  • What information are people looking for?
  • Why would a website you are not logged into want to keep track of who you are?
  • Some examples are any personally identifiable information and any information that can be sold or used for monetary gain.
  • Does anyone know what malware is? What can it do?

Malware is harmful code that surreptitiously runs on your computer. Some malware can collect data from any part of your local computer, from your hard drive to your browser data. It can also allow hackers to take control of your computer and use it anyway they’d like. Most malware is simpler, though, such as websites that imitate secure portals like a bank or extensions that put advertisements in your browser to make money.

  • What can you do to protect yourself against malware, spying, or tracking?

Be careful when clicking links, ads, or social media posts.

  • Does the URL match what you expect?
  • Do you get to the same page when you type it again yourself or search for the website?

A good rule is that SSL/TLS should protect any login page for an important account (like Google, Facebook, Twitter, or bank accounts). SSL/TLS makes it very hard for a hacker on the same network to send you a fake website if you type in the correct URL, which could otherwise be very simple.

Some websites will be able to run code to access your personal information or online accounts if those platforms make a coding mistake. They can then use your accounts to spam others.

Only download or install software from trusted sources and be thoughtful about when you download executables (.exe, .pkg, .sh, .dll or .dmg extensions). Executables are anything that will execute an action. Sometimes, these can be bad actions. For example, someone can write an executable text to erase someone’s hard drive or install a fake browser. This is why you should only install content from trust sources.

You can use anti-virus software to prevent you from running malware. Some anti-virus software comes with your computer (e.g., Microsoft Security Essentials for Windows); some operating systems, like those on Apple computers, have security settings that block software from untrusted sources from being installed. Think carefully before overriding these settings.

You may also consider browser extensions that can, for instance, block plug-ins that make it harder for websites to figure out who you are or track you. The same plug-in, however, can block functionality of websites, such as the ability to watch videos. Whether or not you decide to install browser extensions comes down to your preferences and the trade-offs you are willing to make in terms of online security. You might consider questions such as: How inconvenient is it for me to be tracked? How much is my privacy worth? How much do I want to watch this piece of content (if, for instance, the browser extension blocks a plug-in that renders video)?

Security Tools

Teacher's Note
Part of the content of this activity has been covered in Lesson 4: Connectivity. We defer to your judgment in terms of whether or not you would like to go over this material again or skip it.
  • Do you know whether you are secure when you use the internet?

Without taking the proper precautions, it is difficult, if not impossible, to successfully protect yourself against these online risks (the ones described in the previous section).

New online risks also pop up all the time, so it’s important to stay vigilant.

  • What could someone do if they convinced you their website was actually an important website?
  • There are tools you can use to avoid or reduce these risks. Does anyone know of any?

HTTPS is a standard used by websites to encrypt data passed over the internet. Encryption can prevent a third party from easily viewing data from your connection. It provides an extra layer of security and can be used in any browser by adding “https://” in front of the URL you use (e.g., However, not all websites support HTTPS.

You should only enter sensitive information (e.g., passwords, ATM card information, mobile banking password) on web pages with the HTTPS:// prefix. You can use software tools to ensure you always use HTTPS whenever possible. Most major browsers have security indicators that look like locks near the address bar to indicate HTTPS connections. Unfortunately, HTTPS does not guarantee that you are safe as some malicious websites can also support HTTPS. HTTPS secures the connection but does not ensure the website is a good actor.

Secure Sockets Layer (SSL)/Transport Layer Security (TLS) are names for the technology that keeps HTTPS secure. SSL/TLS uses digital encryption keys, which work a lot like real keys. If you wrote a secret on a piece of paper for your friend, whoever found the paper could see your secret. Instead, imagine you gave them a copy of a key in person and then sent your secrets in matching locked boxes. If someone intercepted the box, they would have a hard time seeing your secret without the key. If someone tried to replace the box with a similar-looking one, you would notice that your key would not work. SSL/TLS works the same way, but with a website.

Browser security indicators will also communicate Extended Validation (EV) certificate information. EV certificates are given to websites that verify their identity to a certificate authority. In browsers, sometimes the EV indicator takes the form of the site’s name or the registering entity next to the address bar. If you’re suspicious of the content on a particular website, you can check to see if the URL in the certificate matches the URL in the browser by clicking on “View Certificate.

(It may be helpful, on the projection screen, to demonstrate how to find “View Certificate.” How you navigate to this varies by browser. For example, on Chrome, under “View,” click “Developer” and then “Developer Tools.” From “Developer Tools,” click the “Security” tab, then “View Certificate.”)


Aside from not running software from untrusted sources, anti-virus software can prevent you from visiting untrusted pages and downloading malware. The act of “phishing” primarily occurs over email from a scammer pretending to be a legitimate party. They then ask for your password, which they hope you will send over email or enter into a fake website. Spam filters can prevent some of these emails from showing up in your inbox. To make spam filters better, be sure to mark any suspicious emails that end up in your inbox as spam.

  • What actions could you take to prevent yourself from accidentally downloading files that are harmful to your computer?

Always double-check that you are accessing downloads from trustworthy websites. Be extremely careful about opening email attachments that you don’t recognize and clicking on pop-up windows and error messages. You might also consider installing reputable anti-malware programs on your computer.

Sharing Passwords

  • When do you think it is okay to share your password?
    • Possible answers include shared accounts (e.g., Netflix) or Wi-Fi at home.
  • What risks might be associated with sharing your password?
    • If a malicious person gets your password, then your account could be hacked. Sharing your password makes it more likely that someone will have access. If the same password is used on other websites, they could access those too.
Teacher's Note
This example is intended to show students common websites where people might think it is okay to share their passwords. The password examples can be further localized to reflect common passwords in the area you are teaching. For example:

  • Kenya: Showmax, Viusasa
  • Zambia: DSTV


It is standard practice that you shouldn’t share passwords with anyone besides the application that requires it for login. As described earlier, phishing is the act of tricking someone into sharing their password.

However, some people may explicitly ask for your password in order to access your accounts, claiming that your account may be in danger. While some of these people may have good intentions, like a friend who wants to help you look at something in your account that is puzzling you, it is unwise to share your password, especially if you use that password for multiple accounts. If you do plan to share a password, make sure it is not used anywhere else and use a password manager to share access.

Sometimes, the people asking you for your passwords may be adults whom you know and trust, like your parents, teachers, or employer. Even though you know and trust these adults, typically, it’s a positive experience for everyone (both you and them) to have a conversation about why they are making this request and how they will handle your passwords. Especially with adults outside of your family, it’s a good idea to ask them directly why they need you to give them your passwords.

Asking polite and clear questions is particularly important when a password request comes from an adult outside your family whom you don’t already know personally. If you are asked by a police officer or other government official for your social media passwords, stay calm and be respectful. Ask if anything is wrong and why they are making this request.

Depending on the circumstances of a request by a parent/guardian, teacher, employer, law enforcement officer, government official, or another adult, you may need to give them your passwords. The circumstances that would make you need to give your passwords include that there is a law or rule in place that requires you to do so or your judgment that the benefit you would get from their help outweighs the risks of password sharing.

If you get a request from an adult for your passwords and that request makes you uncomfortable in any way, seek out a parent/guardian or other trusted adult immediately, ideally before you need to respond to the request.

Teacher's Note
Based on the rules and laws in your area, consider adapting the example above to fit your local context.
  • Under what circumstances should you share your password online?
    • Some examples include only when you are prompted for your password on the website you are trying to access.
  • Never share your password anywhere else, including over email, which is usually not encrypted or secure.


Part 1


Divide students into groups of two or three. Distribute the “Spam” handout. Afterward, have students develop a flowchart to show others how they might identify spam and whether they should share specific information with certain individuals/groups of people.


Read each of the scenarios and discuss whether each message is spam and whether you should share information with the person or group of people in the scenario.


Give students 10 minutes to do this.

Afterward, ask groups to share their responses.

  • When should you share your password over email?

It is standard practice for websites and companies to never ask for your password over email. You should never transmit your password to anyone this way, even if it seems like the source is legitimate. Email is almost never secure.

Part 2

Teacher's Note
Have students return from their groups because the following exercise is for individual students. Give students 15 minutes to create their flowcharts.

Now, on a sheet of paper, develop a flowchart to show individuals how they might identify spam and whether they should share certain information online with others. It may be helpful to use a specific scenario to base your flowchart on either one of the scenarios presented on the handout (if you choose to do so, please write the number of the scenario above your flowchart) or an entirely new one! If you choose to design your own scenario, please describe it in a brief paragraph above your flowchart.

Give students 15 minutes to create their flowcharts.

End Lesson

You've finished the lesson

This content is hosted by Meta and currently includes learning resources drawn from Youth and Media at the Berkman Klein Center for Internet & Society at Harvard University under a Creative Commons Attribution-ShareAlike 4.0 International license. You can make use of them, including copying and preparing derivative works, whether commercial or non-commercial, so long as you attribute Youth and Media as the original source and follow the other terms of the license, sharing any further works under the same terms.

To help personalize content, tailor and measure ads and provide a safer experience, we use cookies. By clicking or navigating the site, you agree to allow our collection of information on and off Facebook through cookies. Learn more, including about available controls: Cookie Policy