Melissa Liao, Tyler Termehr, Shweta Nagdev, James Kuzyk
Course Information
Overview
Ever since the internet was first made, there has been an arms race between cyber criminals and tech companies for your information. Over the years, cyber criminals have used many techniques to obtain your personal information. One of the most long-standing and effective techniques is phishing. Phishing is when "attackers attempt to steal the user's credentials using fake emails or websites or both."1 The email looks very similar to one from a source the user trusts or considers credible. The aim is to have people click on a link that instead takes them to the fraudster's web page, or to open an attachment that infects their computers.2 Once on this "fake site", people enter valuable passwords, banking account access details or other important data. A phishing attack does not require sophisticated knowledge, so it is relatively easy for criminals to carry out. Phishing exploits the fact that the human is the weakest link in well-built systems. This is why it is so long-standing and ever-present. It is very difficult for a tech company to prevent a human from being tricked. Even though phishing emails can be obvious, it is very difficult for a tech company to block every single email due to the sheer number of attacks. The best way to combat phishing is to be aware of it, and to know and understand the red flags so that as a user you are able to recognize it.
1. Gupta, B.B., Arachchilage, N.A.G. & Psannis, K.E. (2018) "Defending against phishing attacks: taxonomy of methods, current issues and future directions". Telecommun Syst 67, 247–267. https://doi.org/10.1007/s11235-017-0334-z
2. Ferreira A, Teles S (2019) "Persuasion: How phishing emails can influence users and bypass security measures". Int J Hum-Comput St 125: 19–31.
Common Misconceptions
Misconception #1: "Scams are easily recognizable and only gullible people fall for phishing attempts."
Why it's wrong:
Many people overestimate their ability to spot phishing attempts and believe that scams are obvious or poorly written. Additionally, they believe that only gullible people are susceptible to falling for these scams. However, this is simply not the case as modern phishing tactics are now highly sophisticated, often going as far as imitating legitimate organizations by replicating their logos, language style, and personalized language.
Common Mistakes:
- Clicking on malicious links in emails or text messages that appear to be from trusted sources (such as delivery services, banks, workplace)
- Ignoring red flags like spelling errors in the messages or an incorrect domain name
Misconception #2: "Phishing only happens through email."
Why it's wrong:
Phishing can happen in various ways and is not exclusive to emails. SMS phishing (smishing), voice phishing (vishing), and even social media scams are all on the rise. People who only look out for suspicious emails may be vulnerable to phishing attempts on other platforms.
Common Mistakes:
- Trusting all messages on platforms like Instagram, WhatsApp, or text messages that ask for personal information or urgently ask you to take immediate action
- Believing that verification codes sent by text are always secure
Rationale
Phishing scams are a type of scam where a person is tricked into revealing private and sensitive information to an entity posing as a trustworthy source. Our rationale for choosing this topic is that online scamming is costing Canadians tens of millions of dollars each year (Source) and phishing attacks are becoming more common and complex. The aspect that we find most interesting in this topic is the new ways in which phishing attacks occur. For example, "quishing", which is phishing using a QR code, is a newer type of attack that leads people who scan the code to a fraudulent website or to download malware. We are also interested in the role that AI will play in these scams: social engineering is key to phishing, and with AI tools such as voice generation and deepfakes, as well as improved email wording and structure, it only becomes easier for scammers to gain trust.
Course Learning Objectives and Outcomes
Big Ideas
Big Idea #1: Keeping yourself safe from online scams requires critical thinking and constant vigilance.
We must always stay cautious as online scams often exploit human behaviour as well, not just technical security flaws. Being secure online means staying alert, questioning messages, and recognizing the different manipulation tactics employed by scammers.
Learning Outcomes:
- Learners will be able to analyze the structure and intent behind phishing messages
- Learners will be able to identify common psychological tactics used in scams, such as urgency, fear, or authority
Big Idea #2: Digital literacy includes the ability to evaluate and verify information online.
Recognizing scams is a key part of digital literacy, and includes being able to evaluate the credibility, origin, and authenticity of information online.
Learning Outcomes:
- Learners will be able to evaluate the credibility of emails, messages, and websites using specific criteria (such as domain names/URL structure, sender details, grammar, tone)
- Learners will be able to apply strategies to verify suspicious online content (like hovering over links, checking with official sources first, etc.)
Lesson Topics and Format
1. Anatomy of a Phishing Message
- Structure of a typical phishing message: Subject line, Sender address, Body, Links
- Key red flags to look for: Mismatched URLs, Urgent or threatening tone, Grammatical and spelling errors
- Real vs. fake message examples
- Include example videos (e.g. YouTube clips showing phishing analysis)
2. Psychological Manipulation in Scams
- Common psychological tactics: Urgency, Fear, Authority, Scarcity, Greed
- Examples of each tactic in real scam messages
- Why these tactics work on the human brain
- Real-life scam scenarios or victim testimonials
3. Evaluating Credibility of Online Information
- Domain names and URL structure: Differences between legitimate and scam websites (e.g. .gov vs .xyz)
- Sender or author details: Look at full email address, not just display name
- Website and news credibility: Is the organization/publisher well-known and reputable?
- Grammar, spelling, and tone: Professional vs. sloppy writing
- Design and visual cues: Consistency, branding, and polish vs. poor formatting and broken elements
4. Verification Strategies
- Techniques to actively investigate suspicious content: Hovering over links to view actual URLs, Searching online to cross-check claims or sender identity, Reverse image search (e.g., Google Lens or TinEye), Checking with official sources or contact numbers
5. Consequences of Falling for a Scam
- Possible outcomes: Identity theft, Financial loss, Emotional stress and loss of trust
- Recovery steps: Reporting to authorities (e.g., cybercrime unit, bank, email provider), Freezing accounts or replacing cards, Emotional and support resources
Learning Resources
https://link.springer.com/article/10.1007/s11235-017-0334-z?fromPaywallRec=true – Very broad study explaining what phishing is and how to stop it as the end user and for companies
https://ieeexplore.ieee.org/abstract/document/9380285 – Study on risk taking for scams
https://www.whois.com/whois/ – Tells you about the domain
https://security.berkeley.edu/education-awareness/phishing/phishing-examples-archive – Example phishing emails
https://getgophish.com/ – Gophish, an open-source framework for running simulated phishing campaigns
https://www.youtube.com/watch?v=o0btqyGWIQw – Very basic video explaining key things to watch out for in scams ~2mins
https://www.youtube.com/watch?v=3gpOM9c6mmA – Example of how to tell fake emails and some real emails ~10mins
Activities and Assessment
Learning activities that allow learners to explore, experiment and actively engage with the concepts and prepare to be assessed.
Activity 1: Phish or Legit? (Drag and Drop Activity)
Learners are presented with a series of real and simulated emails and messages. For each, they must drag and drop the message into either the "Phish" or "Legit" category. Learners have to decide within 15–30 seconds to simulate real inbox skimming.
Follow-up Prompts:
- What red flags tipped you off about this message?
- Did anything make you second-guess your decision?
Objective: Builds pattern recognition and self-reflection. The learner has to analyze message intent and structure.
Activity 2: Tactic Decoder
In small groups, learners will receive flashcards with scam messages and psychological tactics (urgency, fear).
In their groups, they have to match each scam message to the primary psychological tactic it uses. They need to justify their reasoning and also define how these psychological tactics impact the human brain.
Extension activity: Groups vote on the most manipulative message and explain why.
Activity 3: Credibility Detective
In pairs, learners are given 2 website links and 2 suspicious online visuals (e.g. viral social media posts, doctored images, or clickbait headlines).
Use an advanced credibility checklist to evaluate each source across multiple dimensions:
- URL/domain structure and origin
- Author/sender transparency
- Language style, bias, and emotional tone
- Visual and design cues, including image manipulation
- Presence or absence of verifiable contact or source information
Task: For each item, assign a credibility rating from 1 (highly suspicious) to 5 (highly credible). You must defend your score using at least three pieces of evidence from the content itself.
Activity 4: Fact or Fraud?
A relay-style challenge where teams of 4 race to verify whether certain content is real or fake. Prompts could include:
- A viral message about a security breach
- A suspicious-looking promotional deal
- A shocking news headline
Tools allowed: Google, official websites, "hover over" techniques, fact-checking sites.
Scoring: Fastest accurate team wins; bonus points for citing official sources.
Assessment Plan
Phishing and Online Scam Assessment Plan:
Format: 12 MCQ, T/F, matching, scenario-based questions on phishing and online scam scenarios (Google form)
Time allotted: 30 mins
Purpose: To assess learners' understanding of various phishing techniques, psychological manipulation tactics, credibility evaluation, and verification strategies.
Learning Outcomes Assessed:
- Analyze the structure and techniques used in phishing messages
- Identify psychological manipulation tactics (such as fear, urgency, etc.)
- Evaluate the credibility of online content using specific criteria
- Apply verification strategies to investigate suspicious content
Section I: Recognizing Phishing Messages (3 questions)
- Consists of 1 MCQ, 1 T/F, and 1 scenario-based question to test proficiency in learning outcome 1
Section II: Psychological Tactics in Phishing (3 questions)
- Consists of 1 MCQ, 1 T/F, and 1 matching question to test proficiency in learning outcome 2
Section III: Evaluating Credibility (3 questions)
- Consists of 1 MCQ, 1 T/F, and 1 scenario-based question to test proficiency in learning outcome 3
Section IV: Verification Techniques (3 questions)
- Consists of 1 MCQ, 1 T/F, and 1 scenario-based question to test proficiency in learning outcome 4
Scoring and Feedback:
For each question answered correctly, learners will be awarded 1 point, for a maximum of 14 possible points awarded. Learners will be assessed for proficiency based on the following thresholds:
- 12-14: Strong digital literacy
- 9-11: Satisfactory with room for improvement, needs attention
- <9: Recommend revisiting learning activities and revising key concepts
Project Plan
