Teaching Guide: My Digital Risks

Objective(s):

In this session, you will help participants learn to understand and prioritize their digital risks. You will also help them learn to understand risks in their online behavior and prevent malware from infecting their digital life.

Teaching points:

  • How social engineering works;
  • How malware gets onto your device and accounts;
  • How to verify websites.

Practical skills taught:

  • Identifying and prioritizing digital risks;
  • Spotting phishing attacks;
  • Verifying websites.

Session length:

70 minutes

Skill level:

Basic

Required knowledge:

Basic computer and email/social media literacy

Resources needed:

Projector, slides, paper, laptop connected to the internet, handouts.

Decks:

My Digital Risks, Spot the Phish

Handouts:

Quiz: My Digital Risks, Activity Sheet: Writing a Phishing Email, Handout: Tips on Phishing and Malware, Quiz: Spot the Phish

A. Setting the scene (5 min)

  1. Start the session by describing what it is about, situating the session among the other points of the CyberSTAR, and outlining what the participants will learn by the end of the session.

  2. Set the scene by asking participants:

    • What are the biggest risks facing you and your organization? How can you mitigate these risks?

B. Activity: understanding digital risks (15 min)

  1. Tell participants that identifying and prioritizing digital risks begins with taking stock of their digital assets, understanding vulnerabilities that translate into threats, and being aware of adversaries that can exploit these vulnerabilities.

  2. Take ten minutes to help participants understand and learn to identify their digital assets, vulnerabilities, and adversaries.

    Ask the group to name their key digital assets. Any content owned by an individual or organization that is stored in digital form is a digital asset. As participants identify digital assets, write them down on a board or flip chart.

    Make sure the following assets are identified: passwords and other credentials, financial transactions, sensitive communications, personal details about beneficiaries, sensitive HR files, etc.

    Now ask participants to identify vulnerabilities and adversaries related to the assets they named. The various combinations of digital assets, vulnerabilities and adversaries constitute digital risks. In other words, digital risks are a result of different kinds of adversaries seeking to exploit different kinds of vulnerabilities in order to compromise or steal your digital assets.

    NOTE: For online delivery – A Risk Matrix “game” exists that can record participants’ perspectives for later discussion.

C. Digital promiscuity and deception (5 min)

  1. Discuss with participants how most of the risks facing their digital assets stem from what we call “digital promiscuity”. Digital promiscuity is the practice of sharing online everything you do, opening messages and attachments from unknown sources, and clicking on links without knowing where they lead. It is basically the opposite of digital hygiene and privacy.

  2. Explain that digital risks cannot be eliminated entirely. What individuals and organizations can do, however, is implement controls to reduce risk.

  3. Bring the participants’ attention back to digital risks discussed earlier. Most of these risks have to do with the fact that people can be deceived online. Explain that the rest of the session will look at some common types of online deception and identify behaviours that will help participants mitigate the risk of deception.

D. Social engineering (15 min)

  1. Share with participants that social engineering is the biggest online threat and the easiest way to attack them, compromising their communications, data and networks. At its core, social engineering is about tricking people into revealing sensitive information or breaking normal security procedures.

  2. Tell participants that there are different types of social engineering attacks, and malicious actors are constantly innovating and improving their tools and tricks. The most common types of social engineering attacks are the following:

    • Phishing attacks involve email, social media, SMS, or chat messages designed to trick the target into sharing information that might help a more significant crime or installing malware by clicking a link or opening an attachment.

    • Whaling attacks are spear phishing attacks that target the “big fish” (“whales”), such as heads of organizations and owners or chief editors of media organizations. Whaling attacks typically involve scam email messages that look like important email sent from government officials or partners from important organizations such as donor agencies.

  3. What is common to most social engineering and phishing attacks is that they attempt to exploit powerful human emotions. Some of these include:

    • Greed: attackers typically offer financial rewards or other incentives if you just click that link, open that attachment or complete that form;

    • Urgency: attackers create a sense of urgency with a tight deadline for action;

    • Curiosity: attackers lure a victim into clicking on a link by promising unique and interesting content;

    • Fear: attackers warn of negative consequences if you do not take action.

  4. Mention that in addition to fuelling greed, urgency, curiosity and fear in targets, phishing attacks often have other prominent features that can help participants spot such attacks:

    • Attackers use fake email addresses that look real to fool you;

    • Attackers often use embedded links to fake websites that, when you visit, will automatically download malware;

    • Attackers often include attachments that contain malware – once opened they will infect your computer;

    • Attackers often mimic the layout of real emails that you might receive from well-known service providers and vendors.

  5. Now explain that participants can avoid falling victim to social engineering attacks if they practice digital hygiene and exercise common sense. Share some basic tips that can help participants avoid being deceived online:

    • Remain skeptical: when something seems too good to be true, it probably isn’t true;

    • Don’t download attachments from sources you do not fully trust;

    • Don’t click on links without making sure they are not dangerous.

      If you hover your mouse over a link in an email or on a webpage, you will see the full website address. This can help you decide whether or not you want to click that link.

      Before clicking on a link that you find even a tiny bit suspicious, scan it with a link scanner such as Norton Safe Web (https://safeweb.norton.com/) that lets you enter the URL of a suspicious link and check it for safety;

    • Slow down: take time to think over all “urgent” requests for information or financial transfers and discuss such requests with other colleagues when possible;

    • Verify identity of those requesting information or financial transfers. For instance, if you are asked to wire money in an email that looks like it is coming from your boss, call your boss or get in touch via a secure messaging platform to double-check;

    • Keep your antivirus and firewall up-to-date and running.
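The two checks in points 4 and 5 above (a sender address that only looks real, and hovering over a link to compare the visible text with the real destination) can be automated; the script below is an added example, not material from the guide. It assumes a short list of domains the organization trusts (TRUSTED_DOMAINS) and uses a constructed sample message; only the Python standard library is needed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_DOMAINS = {"example-bank.test", "ngo.test"}  # assumed known-good domains for this example

# Constructed sample (not from the guide): lookalike sender domain, link text that is not where it points.
SAMPLE_EMAIL = """\
From: "Example Bank Support" <alerts@examp1e-bank.test>
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. Confirm your details at
<a href="http://examp1e-bank.test/verify">https://example-bank.test/login</a>.</p>
"""

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_RE = re.compile(r"(?:https?://)?([\w-]+(?:\.[\w-]+)+)(?:/\S*)?")

def edit_distance(a, b):
    """Levenshtein distance; 1-2 between two different domains signals a lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Trusted domain that `domain` imitates (one or two characters off), else None."""
    return None if domain in TRUSTED_DOMAINS else next(
        (t for t in TRUSTED_DOMAINS if edit_distance(domain, t) <= 2), None)

def inspect_message(raw):
    """Warnings for a sender address that only looks real and for link text hiding its destination."""
    msg = message_from_string(raw)
    warnings = []
    sender_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    if imitated := lookalike_of(sender_domain):
        warnings.append(f"sender domain {sender_domain} imitates {imitated}")
    body = msg.get_payload(decode=True).decode("utf-8", "replace")
    for href, text in LINK_RE.findall(body):
        real = (urlparse(href).hostname or "").lower()        # what hovering reveals
        m = DOMAIN_RE.fullmatch(re.sub(r"<[^>]+>", "", text).strip())
        shown = m.group(1).lower() if m else ""               # what the reader sees
        if shown and shown != real:
            warnings.append(f"link text shows {shown} but points to {real}")
        if imitated := lookalike_of(real):
            warnings.append(f"link target {real} imitates {imitated}")
    return warnings
```

Link text that is not itself a web address (such as "click here") produces no mismatch warning, which is exactly why the guide tells participants to hover and read the real address.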

E. Activity: Writing a phishing email (15 min)

  1. Distribute activity sheets and ask participants to write a compelling phishing email to a colleague. This is an individual activity. Give participants five minutes to complete this part of the exercise.

  2. Now ask participants to share the emails they have drafted with a partner. Give participants five minutes to review emails drafted by their colleagues and discuss hooks or other elements that should raise their suspicion about the email.

  3. Discuss the activity with the entire group. Which “hooks” were easy to spot? Which ones were more difficult to spot? How did the emails exploit emotions?

    Also, take this time to ask participants what they would do if they received such an email in real life. Would they mark it as spam? Would they alert their colleagues?

F. Malware (10 min)

  1. Explain to participants that many social engineering attacks aim to trick people into clicking links or opening attachments that install malicious software (often called malware) on their devices. Malware is a general term for all malicious software, including viruses, spyware, Trojans, ransomware, keyloggers, and other such threats.

    Some types of malware spread through email, SMS, social media messages, fake websites and other online means as part of social engineering attacks. Some malware spreads through infected devices used to exchange data, such as USB memory sticks.

  2. Mention that while some malware infects devices only after an unsuspecting target makes a mistake (for example, by opening an email attachment), other types of malware can silently infect vulnerable systems as a result of reckless user behavior that we earlier referred to as “digital promiscuity”.

  3. Malicious actors deploy malware for various purposes. Some of these include:

    • Some malware is deployed to affect as many users as possible, without a specific target in mind;

    • Other kinds of malware target specific civil society activists, journalists or dissidents to gain access to their sensitive data or communications;

    • Still other kinds of malware target large networks of people connected to activists, journalists or dissidents in the hope of infecting multiple individuals of current and potential interest.

  4. Tell participants that one widespread type of malware that can invisibly drain computer power and damage older devices is cryptocurrency mining malware. Once this malware infects a device, it runs silently in the background and antivirus software is often unable to detect it. This malware hijacks your device’s computing power to mine for cryptocurrencies such as bitcoin and send funds to whoever controls the malware. Often the only sign of malware infection is that your device slows down.

  5. Now share some basic tips that can help participants prevent malware from infecting their devices (some of these tips have already been mentioned earlier when you discussed ways to prevent social engineering and phishing attacks):

    • Don’t download attachments from sources you do not fully trust;

    • Don’t click on links without making sure they are not dangerous.

      If you hover your mouse over a link in an email or on a webpage, you will see the full website address. This can help you decide whether or not you want to click that link.

      Before clicking on a link that you find even a tiny bit suspicious, scan it with a link scanner such as Norton Safe Web (https://safeweb.norton.com/) that lets you enter the URL of a suspicious link and check it for safety;

    • If possible, use the latest version of whatever operating system runs on your device and keep it up-to-date;

    • Keep your antivirus and firewall up-to-date and running;

    • Use separate users on a workstation when it is shared with others;

    • Keep your other software up-to-date as well and install updates as soon as they become available;

    • Think twice before inserting removable media like USB memory sticks, flash memory cards, DVDs and CDs into your computer;

    • Maintain backups to ensure that if prevention fails, you have options.

  6. Now go through the reality of what has to be done if you are infected. Antivirus software is notoriously bad at successfully removing malware once it gets in. Offline antivirus CDs can help, but to be safe, you’ll need to completely re-install the operating system and restore from backups. Also consider the fact that any data that was on your device may be in the hands of someone else now.

G. Wrap-up (5 min)

  1. Provide a brief summary of practical skills that the participants should have learnt during the session.

  2. Ask participants if they have any questions, answering the questions when possible or pointing them to online resources when the questions are not relevant to the rest of the group.

  3. Distribute handouts with step-by-step practical guides on the most common technical issues the participants are known to encounter.