Skip to main content

Phishing and Malware

Last modified November 16, 2017
Duration: 1 hour

Learning Objectives

Learners will:

  • Be able to describe what phishing means.

  • Understand why they may be a target of phishing.

  • Be able to give some tactics to combat phishing.


Instructor: Learners
1:10 (One instructor to ten students)

Lesson Content


Get folks to talk about the terrible spam subject lines they’ve seen. People can check their spam inboxes (if they know where to find them), or you can just quote some that you’ve seen.

Some sources if you need suggestion include Busted: The Worst Email Subject Lines, Ever! and 19 Terrible Email Subject Lines

Follow up with additional questions, like:

  • “Do you just get this sort of message via email? Has anyone ever gotten spam phone calls or text messages?”
  • “What is spam trying to get you to do?” (Possible answers: Buy stuff, wire money, click on something, hand over credit card details, get involved in a scam)
  • “If someone was trying to get you to click a link, how would they do it?”

Alternatively, ask learners to try and craft an email they'd send to someone else in the group in order to persuade them to click on a link. (This is best with groups where everyone is familiar or comfortable with having information shared with each other. Otherwise, pick a celebrity or a hypothetical made-up person.)

After some questions, you can offer a quick explanation along the lines of: “Phishing is a type of spam, in that’s it’s trying to get you to do something. But it’s an attempt to get information out of you. Spear-phishing is when you or your organization are specifically targeted. Other types of dangerous spam will try to trick you to download and run a program that will spy on you, or make you pay to recover your files.”


Phishing is an area where it’s easy to overscare people, or prompt privacy nihilism. You want people to think about ways attackers could trick them—but not slip into believing that no one can be trusted, or that there is no way to guard against phishing emails. Remember: after scaring your audience with convincing emails, give them solutions. This can include ways to check headers, how to do out-of-band confirmation, opening documents in Google Docs, and turning on two-factor authentication.

We recommend moving from spam to phishing attacks because people often find spam attempts to trick them laughable. You can move the audience’s perception of spear-phishing attempts from “super scary hacker skill” to “may be inept” depending on how apprehensive your audience is.

In general, people do not differentiate between programs that run locally and those that run outside their computer, and may not be able to recognize different types of documents. They are familiar with reading messages, and being asked to act on a message. Concentrate on increasing their vigilance when reading messages and giving them protective steps they can realistically take rather than on what particular actions are dangerous and what are not. (For instance, instead of, “Don’t view PDF and Word documents,” say, “Think twice when an email asks you to click on something.”)

One of the key underlying points about phishing is authentication—how do you know who (or what) you’re talking to? How do you know the sender of the email is who they say they are? Is this strange email really from my colleague? Is this suspicious alert really from my bank? The solutions to this in spear-phishing are usually low-tech—calling a person or organization on a phone, spotting something that they wouldn’t normally say, navigating to a bank or organization’s website yourself instead of clicking any links, etc.

Once established, you can take this idea of the importance of “knowing who you’re talking to” and apply it to other, tougher, digital security concepts, like website certificates and signing.

Caution! People can react badly to the idea that they are being tricked, or push back against the idea that they might ever be tricked. Don’t try and play practical jokes on your audience, and don’t use intimate knowledge to construct phishing messages unless you’re very comfortable with the audience’s boundaries.

It can also help to share personal stories, if you have some, or generally highlight the idea that “This could happen to anyone!” This could sound something like, “Even though it’s not particularly high-tech, these phishing emails can be really sneaky. Believe it or not, I clicked on one from Bank of America several years ago—and then quickly realized what I’d done and called to cancel my card and get a new one!”

If people are embarrassed or ashamed, they will be less likely to get help or take action about a suspicious email. You can respond to this with something like, “Don’t be shy about getting a second pair of eyes on a weird email, or about calling a friend directly to make sure they sent it.”

If someone claims that they would never be fooled by an email, don’t challenge them. The chances are that everyone else in the room is accustomed to their attitude, and they won’t learn any better by being convinced that they will be fooled. Move the potential target from them, to those that they feel they must protect. (“You seem to have a very good shield against phishing! But supposing you knew someone who accidentally clicked on an attachment, and then all your personal details were exposed from their accounts. What would you want to teach them?)


Q: What is the best antivirus program to use?
A: We tend to recommend using the manufacturer’s own antivirus (AV) software (Windows Defender, Apple’s built-in systems). Discussions about how badly-written anti-virus software can make things worse can be dispiriting, and don’t provide solutions that participants can use.

Q: If you think you might be infected, what should you do?
A: You can go to the Digital Defenders’ First Aid Guide. It’s critical to make regular backups just in case your device gets infected. Wiping  (or “factory resetting”) your phone or laptop is also important. You can learn more here:

Q: We use attachments all the time! Are you telling me I can’t send or receive documents?
A: Suggest using a shared store for frequent documents, like Dropbox or Google Documents. We talk a little about EFF’s own practices here—we send documents, but we digitally sign our own messages, and encourage external groups to upload their files where we can examine them safely. You can also highlight that this is not an all-or-nothing proposal. You can certainly send and receive documents—and while you do, it’s good, common-sense practice to be on the lookout for strange things that could indicate phishing and malware.

Q: How can I report phishing?
A: Emphasize the difference between mass phishing (like spam), and spear-phishing. Spear-phishing of a vulnerable group is something that researchers tend to be working on and interested in helping identify and prevent. You can email EFF at, or call Access Now’s Digital Security Helpline ( for assistance. The U.S. Federal Trade Commission also collects examples of mass phishing, which can be forwarded to The FTC’s phishing page explains how to include useful information in that email.

Q: I am worried I am infected with malware. Can you check?
A: There are no consistent or obvious indicators of compromise. It’s very possible that an audience member may be infected with something from opening spam or generic phishing. It is relatively unlikely that it will be from a targeted attack by a government or other large group.

Printable Version (PDF)