Illustration for "Identity Isn't Guaranteed" -- Evil-looking character using a sock puppet to communicate

Teachers’ Resources, Module 8:

Identity is not guaranteed on the Internet

About This Lesson Module:

The lesson elements in this module teach students about the privacy principle “Identity is not guaranteed on the Internet”. They are designed to be independent and flexible, so you can incorporate them into any size lesson plan.

Summary of Learning Objectives: Students can explain why it is difficult to be sure who one is communicating with online; students can investigate and evaluate the legitimacy of services that want their personal information.

Target Age: High school, college undergraduate.

Learning Objectives
  1. Students can give examples of potential consequences of disclosing information online if the entity they’re sharing it with isn’t who they say they are.
  2. Students can give examples of “weak points” that might allow someone to steal their identity, and examples of what that person could do with the stolen identity to compromise their privacy.
  3. Students can explain how “phishing” works, and describe how they should respond to messages they suspect of phishing.
  4. Students can give examples of methods they could use to verify someone’s identity online, and can explain the shortcomings of those methods.
  5. Students can give examples of methods they could use to verify the authenticity of apps, sites, and services that request their personal information, and can explain the shortcomings of those methods.
  6. Students can describe some of the basic precautions they can take to keep their accounts secure from hackers and identity thieves.
Curriculum Standards Addressed
Lesson elements in this module can be used to address the following computer-science curricular standards.

AP Computer Science Principles Curriculum Framework

Elements substantially address the following Essential Knowledge under Big Idea 3, Data and Information:

  • 3.3.1F. Security and privacy concerns arise with data containing personal information.

Elements substantially address the following Essential Knowledge under Big Idea 6, The Internet:

  • 6.3.1F. Phishing, viruses, and other attacks have human and software components.

The following Essential Knowledge is also touched on:

  • Under Big Idea 6: The Internet: 6.3.1A, 6.3.1C, 6.3.1D.
  • Under Big Idea 7: Global Impact: 7.3.1D, 7.3.1G, 7.3.1H, 7.3.1J, 7.3.1L.
CSTA K–12 Computer Science Standards (Level 3 — High School)

The following learning objectives are touched on:

  • Under Level 3, Course 3A: Computer Science in the Modern World: CI.1; CI.5; CI.8; CI.10.
ACM Computer Science Curricula 2013 (CS2013) Guidelines (Undergraduate)

Elements substantially address the following Learning Outcomes under Human-Computer Interaction:

  • Human Factors and Security 1: Explain the concepts of phishing and spear phishing, and how to recognize them.

The following Learning Outcomes are also touched on:

  • Under Human-Computer Interaction: Human Factors and Security 4.
  • Under Networking and Communication: Social Networking 1.
  • Under Social Issues and Professional Practice: Privacy and Civil Liberties 5, Security Policies, Laws and Computer Crimes 3, 6.

“Engage” Activities:

Use one or more of these lesson elements to introduce the topic and ignite students’ interest.

Quick Knowledge Check/Mini-Discussion

Estimated Time: 3-5 minutes.
What You’ll Need: Blackboard/whiteboard (optional).

Ignite Question

Is it easier to pretend to be someone else on the Internet than it is offline?

Fanning the Fires:

  • Could the website of a real company be copied in order to trick people into visiting a different website?
  • How hard would it be to impersonate someone else online by creating a social media account with their name and picture?
Quick Knowledge Check

If someone contacts you online, how do you know they are who they say they are?

Follow-Up Prompts (If Students Get Stuck):

  • Could you try contacting them through other means (like by phone or SMS)?
  • How could using a search engine help you?
News Stories You Can Use
The Quick Hook

Estimated Time: 3-5 minutes per story.
What You’ll Need: Computer and projector (optional).

These news items can be used to illustrate the real-life consequences of privacy breaches. If you have a computer and projector, you can show the stories on a screen as you talk about them. If not, you can simply summarize them verbally.

Manti Te’o, Lennay Kekua Hoax: Notre Dame Statement Claims LB Was Victim of ‘Cruel Deception’
  • Summary: Star football player Manti Te’o of Notre Dame finds out that his months-long relationship with a woman he met online was a hoax.
Email Job Offer Scam Tries to Swindle Students
  • Summary: Several students at Chico California State University received phishing emails regarding a fake job offer which were delivered directly to their student email addresses.
Girls Duped by Builder Stephen Grott Posing as Charming Blond on Facebook
  • Summary: A forty-six-year-old man poses as a handsome college student in order to forge online relationships with young women.
  • Content Advisory: The article mentions that the girls sent and received sexually explicit photos.
Hacked!
  • Summary: A hacker takes over someone’s email account, deletes all her content, and requests emergency funds from her friends, saying she’s been mugged.
Ex-Birmingham Student Jailed For Stealing £436,000 in Identity Frauds
  • Summary: Former student Emika Ogidi goes to jail after collecting hundreds of thousands of dollars in an elaborate network of phishing emails.
Optional Extension

Estimated Additional Time: 5 minutes per story.

For each news item, ask the students:

  • How did each attacker assume a false identity?
  • What was the goal of creating this false identity?
  • What could the victims have done to verify the identity of the personas that contacted them?
  • What were the consequences for the victims?
  • How could they better protect themselves in the future?

“Explore” Activities:

Use one or more of these lesson elements to ground students’ learning in firsthand experience with how privacy works.

Whole-Class Brainstorm & Discussion: What A Hacker Wants

Estimated Time: 10-12 minutes.
What You’ll Need: Blackboard/whiteboard (optional).

Ask students to come up with examples of information that hackers might want to steal. Examples can be written on the board.

Some Examples You Can Start Them Off With: Credit card numbers, social security number, email content, current location, passwords…

Pick a few interesting examples and ask:

  • How could a hacker get that information?

    Some Example Answers:

    • Phishing: posing as a legitimate person or business in order to steal information (e.g., passwords, credit card numbers, etc.);
    • Shoulder surfing: spying over someone’s shoulder (e.g., PINs at ATMs, passwords, identifying numbers or information)…
  • What could a hacker do with that type of information?

    Some Example Answers: Steal money from victims’ bank accounts, use victims’ credit cards, read victims’ emails, send spam, impersonate victims on a website, hack other people’s/businesses’ accounts, get passwords to sites where other sensitive data is stored…

Whole-Class Brainstorm & Discussion: How Do I Know Who You Are?

Estimated Time: 5-8 minutes.
What You’ll Need: Blackboard/whiteboard (optional).

Ask students to come up with some questions they could use to verify that someone who contacts them online is who they say they are. Examples can be written on the board.

Some examples you can start them off with: How do I know you? When/where did we first meet? What did we talk about/do last time we met?

Pick a few interesting examples and ask:

  • Could someone figure the answer out from the social-media profile of the person they’re pretending to be?
    • Possible Follow-Up: How much time/digging would it take them?
    • Possible Follow-Up: What if they had already fooled some of your other friends — could they get the answer from them?
  • If their answers are vague or lacking in details, or they quickly change the topic, what would you do? Do you think these are good ways to detect an imposter?
  • If students give examples of questions that wouldn’t be hard to guess: Are there other ways an imposter could guess what the right answer is?
    • Possible Follow-Up: Are there very common answers to this question, that would be right for many people?

      Background: With questions like gender or any yes/no question, the imposter has about a 50/50 chance of getting it right — and if they get it wrong and you cut them off, they now have the right answer to use with the next person they try to contact.

    • Possible Follow-Up: What if they already have that information about you, and just used that as their answer?

      Background: Especially for pre-teens and teenagers, there’s a pretty high likelihood that one’s friends will go to the same school, be the same age, live in the same town, like the same music, etc.

Extended Version:
  • How else might you verify a person’s identity?

    Example answers: Cross-check by other means like using the phone; verify that the online identity matches the real person based on how they behave, their language use, and things they should know from your shared experiences….

“Explain” Activities:

Use one or more of these lesson elements to provide students with important facts and underlying concepts.

Video for "Identity Isn't Guaranteed"

Estimated Time: 8 minutes.
What You’ll Need: Computer, speakers, and projector.

“Identity Isn’t Guaranteed” delves into why we have such a hard time knowing who to trust on the Internet, what can happen to our private information if we trust the wrong person (or bot), and how to protect ourselves against being fooled. Part of the TROPE video series, with humorous illustrations by Ketrina Yim that turn each point into a memorable story.

Includes human-generated closed captions.

Slide Deck for "Identity Isn't Guaranteed"

Estimated Time: 5-10 minutes.
What You’ll Need: Computer and projector.

These slides can be used for an overview lecture on the basic concepts underlying the principle “Identity is not guaranteed on the Internet”. The slides are accompanied by Notes with details and examples to guide your lecture.

Access Slide Deck: “Identity Isn’t Guaranteed”

Coming soon! We will be adding a graphic organizer to guide students’ notetaking.

“Elaborate” Activities:

Use one or more of these lesson elements to go deeper into the underlying concepts and/or let students practice important privacy skills.

Worksheet Activity: Something’s Phishy… Can You Detect It?

Estimated Time: 15 minutes.
What You’ll Need: Copies of worksheet; pens/pencils/highlighters.

In this activity, students evaluate email messages and determine whether they think each one is legitimate or a phishing message. Students can work together to come up with reasons for their answers.

 

Download Worksheet: “Something’s Phishy… Can You Detect It?”
Worksheet Answers:
  • Phishing: The link leads to a site, “twitterblog”, that is inconsistent with the well-known URL for Twitter, so it is likely to be illegitimate. The informal word choices and capitalization are an attempt to seem friendly/familiar — but if you don’t know the person, that shouldn’t fool you. The content is something friends might stereotypically say to each other, but doesn’t actually indicate that the sender knows anything about the recipient.
  • Legitimate: The email address ends with the well-known adobe.com domain, as does the URL you see when you mouse over the ‘Explore my account’ button. The language is relatively formal (for marketing) and the email has obviously been proofread, which is what you would expect from that sender. (Follow-up: But if you didn’t just register for Adobe Cloud, you might still want to be suspicious!)
  • Phishing: TrustedBank is not a real bank, but even if the email said it was from your own bank, it would be unsafe to follow a link requesting personal or banking information. Most banks do not send emails that ask you to follow a link to update anything. As indicated by the cursor, the hyperlink does not actually lead to the TrustedBank site.
  • Phishing: Direct requests for credit-card information are suggestive of phishing. The hyperlink does not lead to the Comcast site, but instead to a website that doesn’t sound like it would be related to that company. (Follow-up: Even if this email were from Comcast, it would be best to go to the site directly to verify that they need the information update.)

 

Worksheet Image Sources:

  1. Prashanth dotcompals. “twitter-phishing-email”. Digital Image (Screenshot), Flickr. <https://www.flickr.com/photos/dotcompals/3169189777/> Licensed under Creative Commons Attribution 2.0 Generic. (Modifications made.)
  2. International Computer Science Institute/TROPE. “Adobe Welcome Email”. Digital Image (Screenshot). License: Creative Commons Attribution 4.0 International.
  3. Andrew Levine. “PhishingTrustedBank”. Digital Image, Wikimedia Commons. <https://commons.wikimedia.org/wiki/File:PhishingTrustedBank.png> Public domain. (Modifications made.)
  4. Elana Centor. “Comcast Phishing Email”. Digital Image (Screenshot), Flickr. <https://www.flickr.com/photos/funnybusiness/4248139290> Licensed under Creative Commons Attribution-ShareAlike 2.0 Generic. (Modifications made.)

 

Making Connections: Small-Group Discussion Questions

Estimated Time: Depends on protocol chosen.
What You’ll Need: Blackboard/whiteboard (optional).

Use one or more of the following questions to help students digest the information presented in the lesson so far and personalize the content. The questions are compatible with many common classroom discussion protocols. We suggest Think-Pair-Share, Inside/Outside Circles, Chalk Talk, or Listening Dyads, but many others can be found on the NSRF’s protocol list.

  • What does it mean for someone to “steal your identity”? Give some examples of what that would mean for you, and the potential consequences.

    Possible Answers: “Identity theft” usually refers to stealing someone’s sensitive information like bank account number or social security number, then using that to steal their money, obtain credit, etc. (not necessarily interacting directly with other humans). “Stealing someone’s identity” could also be used more broadly, for example, impersonating that person on social media, using information such as their photo, age, school, and/or friends’ names to create another account. More background here.

  • What are some examples of “weak points” that might allow someone to steal your identity?

    Example Answers: Unencrypted personal data and online interactions, clicking on false links, insecure connections, revealing too much information over social media, telling passwords to people who call you on the phone…

  • How does phishing work?

    Target Answer: Phishing is when someone pretends to be a trusted source (e.g., your bank, school, insurance company) over email or other electronic communication, to trick you into revealing sensitive personal information like account numbers, social security number, usernames, and passwords, often by getting you to click on a link that leads to a fake website. More background here.

    • Have you or someone close to you experienced this before? If so, what was the phishers’ strategy to get the information?
    • What can we learn from these stories to avoid getting “phished”? How would you now respond to messages you suspect might be phishing?

      Possible Answers: Do not respond to suspicious email messages (verify by phone instead, or start a new email chain with a contact you already know); don’t click on links (open a new tab and type in the URL you already know, or do a search for the company’s/agency’s website); if you have a bank account, read the statement each month to make sure all the transactions were actually made by you.

  • How does catfishing work?

    Target Answer: Someone creates a fake identity, usually using fake social media accounts, and uses it to interact with other people (often claiming romantic intentions). Additional Background: Images are often scraped from a stranger’s profile, then the catfisher can create an entire backstory, with fake online evidence, to make the fake identity seem real.

  • Could your privacy be compromised by interacting with a false identity, even if they don’t steal your account names/numbers and passwords?

    Example Answers: They might use your information to create another false identity and use it on your friends; they might use facts they learn about you to answer “security questions” and reset your passwords; you might tell them things you don’t want to become public knowledge…

  • What else will you do now, after this lesson, to keep your information secure from hackers and identity thieves?

    Example Answers: Use better passwords, use different passwords on different sites, install a firewall, only send important information through encrypted sites, make sure to always log out completely, don’t download files from URLs you don’t recognize, monitor your accounts…

“Evaluate” Activities:

Use one or more of these lesson elements to assess students’ understanding of the material and development of new skills.

Review Questions (Quiz/Homework)

Estimated Time: 10-15 minutes.
What You’ll Need: Copies of review sheet, pens/pencils.

This learning assessment can be used as an in-class quiz or as homework.

Download Assessment: “Identity Isn’t Guaranteed: Review Questions”

Teachers: Find out how to access the answer key for the Module 8 review questions.

Answer key coming soon!

More for Teachers

Resources and background information to help you brush up on the technical nitty-gritty and be prepared for student questions.

Coming soon! In the meantime, check out the main web page for Identity Isn’t Guaranteed.

Contact us and let us know what you think!
