Skip to main content
Security Education Companion
A free resource for digital security educators
Planner (0)

Phishing and Malware

Last modified February 6, 2020

The most common threats your learners are likely to face online are links and files pretending to be something they’re not — in other words, phishing and malware. Defending against these sneaky hacking strategies is less about downloading new tools or software, and more about building up learners’ awareness and understanding.

Recommended Reading

Gotchas and Problems You Might Hit

A word of caution: Malware is a scary topic for many learners, and can move participants from an open place of learning new concepts, to feeling frozen by a fear-based mindset. Our recommendation is for facilitators to focus on the more common forms of malware for the communities they are teaching. For example, in the U.S. in 2020, most learners might find information on common malware and phishing attempts, adware, ransomware and stalkerware to be more personally relevant. It’s better to avoid diving too deep into some of the more esoteric forms of malware you may have heard about that are relatively uncommon (e.g. state-level APT attacks such as what we cover in our malware handout), and to redirect those questions for 1:1 time after the main workshop has ended. Please be mindful of learners’ engagement, and whether learners are too scared or distracted to absorb new information. If someone believes they have malware on their device, encourage them to reach out to you after the workshop for individual help. In many cases, the cause of feeling watched may be tied to needing to configure location and privacy settings in apps or social media, and may not be a malicious application. The facilitator should provide concrete strategies for learners who believe they may have malware on their devices. 

Being mindful of resources: An additional challenge you may face is recommending software. In the course of talking about the importance of software updates, your participants may disclose or discover that they are using unlicensed or bootlegged software. Many people may have a barrier to acquiring licensed copies of software due to its cost, or not being aware of free software that receives regular updates. It’s important to not shame the learner and to adopt a harm reduction approach. If you have time, you can assist learners with finding software that receives updates. For learners who are part of a nonprofit or civil society organization, you can encourage them to reach out to groups like TechSoup which help with discounted licenses for popular software. In addition, the facilitator can point the learners to using free, open source software alternatives that might meet the same need. 

Being mindful of antivirus considerations:

Not all antivirus is created equal. Learners may ask the facilitator for advice in choosing antivirus. In general, the antivirus that comes with the device may be best for most learners in a typical workshop. However, if helping a learner who is concerned about a sophisticated adversary, such as an attacker with significant resources, the facilitator may want to provide additional guidance on looking at antivirus vendor websites with the learner. Things to look out for include: whether the antivirus software is regularly updated, whether it has good external reviews of its services, and whether the antivirus company website publishes threat research on a specific type of malware or type of adversary.

If someone reaches out to you about backups: Backing up data (or making “backups”) is a great practice for being prepared against data loss. If a learner’s device gets stolen, damaged, or infected by malware, having backups can be a significant relief to the learner, as the data can be restored to a device. As backups can take significant time, you may want to redirect specific questions about backups to after the workshop has ended. The facilitator can anticipate having to walk through the learner’s threat model (e.g. Are they backing up data to an external hard drive or to a third-party cloud service? Are the backups encrypted? Do they have a strong password in place? Is that password memorized, or stored in a safe place like a password manager?). 

If someone reaches out to you about wanting to wipe a device: A learner might ask for assistance with wiping their device. This may be best handled as additional follow up after a workshop has ended. Wiping a device is often a time-intensive ask and has additional threat modeling considerations. It requires walking through the learner’s device settings (e.g. What led to their decision for wiping the device? Was the device encrypted? What kind of data was stored on there? Do they have the means to obtain a different device, if the problem on the old device persists?), as well as the learner’s goals for wiping the device (is the intent to use the device uninfected? Or is it to sell the device after?), and who they might want to defend their data against. If appropriate, the facilitator may then want to share a few tutorials specific to the learner’s needs.

If someone reaches out to you about malware after the training: If a learner has a unique malware consideration (falling outside of adware, for example), the facilitator may want to get in touch with a specialist. The facilitator may have to walk through additional information: for example, if a learner has received a phishing email, the facilitator may have to show the participant how to forward email headers.

If the learner is facing challenges that include physical security implications (such as stalkerware and APT attacks), be mindful that there are many ways to share unhelpful advice that have potential to put the learner at more risk. If the learner is concerned their location is being tracked by someone they know (such as in stalkerware and domestic violence situations), the facilitator may need to recommend using a different device (such as at the library, or borrowing the device of a trusted friend) to access specialized information, such as from groups like Operation Safe Escape. If the learner is from a heavily surveilled community and believes they may be the target of an APT attack, encourage them to safely get in touch with groups like EFF’s Threat Lab, The Citizen Lab at the University of Toronto, or CiviCERT.

Anticipated Questions and Answers

Q: What is the best antivirus program to use?

A: We tend to recommend using the manufacturer’s own antivirus (AV) software (Windows Defender, Apple’s built-in systems). Discussions about how badly-written antivirus software can make things worse can be dispiriting and don’t provide solutions that participants can use.

Q: If you think you might be infected, what should you do?

A: You can go to the Digital Defenders’ First Aid Guide. It’s critical to make regular backups just in case your device gets infected. Wiping (or “factory resetting”) your phone or laptop is also important. You can learn more here:

Q: We use attachments all the time! Are you telling me I can’t send or receive documents?

A: Suggest using a shared store for frequent documents, like Dropbox or Google Drive. We talk a little about EFF’s own practices here—we send documents, but we digitally sign our own messages, and encourage external groups to upload their files where we can examine them safely. You can also highlight that this is not an all-or-nothing proposal. You can certainly send and receive documents—and while you do, it’s good, common-sense practice to be on the lookout for strange things that could indicate phishing and malware.

Q: How can I report phishing?

A: Emphasize the difference between mass phishing (like spam), and spear-phishing. Spear-phishing of a vulnerable group is something that researchers tend to be working on and interested in helping identify and prevent. You can email EFF at, or call Access Now’s Digital Security Helpline ( for assistance. The U.S. Federal Trade Commission also collects examples of mass phishing, which can be forwarded to The FTC’s phishing page explains how to include useful information in that email.

Q: I am worried I am infected with malware. Can you check?

A: There are no consistent or obvious indicators of compromise for malware; slow computers and/or batteries that drain quickly, for example, have many alternative causes. It’s very possible that an audience member may be infected with something from opening spam or generic phishing, and you can suggest installing antivirus software to check this possibility. For most communities, it is relatively unlikely that it will be from a targeted attack by a government or other large group. If you want to reassure your questioner, you can talk a little about the labor and research costs of sending targeted phishing emails.

Close tooltip