Phishing and Social Engineering: Defend Your Digital Life
Grade 7 · Cybersecurity & AI Education · NYS 7-8.CY.1 · 50 Minutes
NYS-Aligned Standard
7-8.CY.1 — Determine the types of personal information and digital resources that an individual may have access to that needs to be protected.
NYS Computer Science and Digital Fluency Learning Standards (2020)
Learning Objectives — “I Can” Statements
- I can inventory the personal information and digital resources (accounts, files, devices) I have access to and need to protect.
- I can define phishing and social engineering and explain why they target people, not just computers.
- I can analyze a message for manipulation tactics and choose a safe response.
Essential Question
What do I actually need to protect online, and how do attackers try to trick people into giving it up?
Lesson Sequence
Hook / Warm-Up (8 min)
Quick-write: “List every online account or device you can access.” Surface that each one is a digital resource worth protecting (school login, email, games, cloud files, photos).
Direct Instruction (14 min)
- Asset inventory: personal information (name, birth date, address, student ID) and digital resources (accounts, files, devices, money/gift cards).
- Social engineering = manipulating a person into revealing information or giving up access. Phishing is social engineering carried out through a fake message.
- Tactics: urgency, authority (“from your principal”), fear (“account locked”), reward (“you won”), familiarity (spoofed friend).
Guided Analysis (18 min)
In pairs, students analyze three original message cards using a Threat Decode organizer: What is the attacker after? Which tactic is used? What are the red flags? What is the safe action (don’t click, verify through a known channel, report)?
Closure (10 min)
Exit ticket: “Name one digital resource you must protect, one phishing tactic, and one specific step you’ll take to verify a suspicious message.”
SDI & Differentiation Block
Supports for MLLs/ELLs
Entering/Emerging (NYSESLAT Levels 1–2):
- Visual tactic icons (clock = urgency, badge = authority, gift = reward).
- Sentence frame: “This message wants my ___ . The trick is ___ .”
Transitioning/Expanding (NYSESLAT Levels 3–4):
- Pre-teach: asset, digital resource, social engineering, phishing, verify, spoof.
- Provide the Threat Decode organizer with the first row modeled.
Supports for Students with IEPs
SDI Adaptation Dimensions: methodology, delivery
- Methodology: Use two message cards; provide a tactic word bank to match.
- Delivery: Read messages aloud; allow verbal exit-ticket response.
Suggested Placement: ICT
Answer Key / Model Responses
- Message A (account locked, click here): wants login credentials; tactic = fear/urgency; red flags = threat, link, generic greeting; safe action = don’t click, open the site by typing the known address, report.
- Message B (you won a gift card): wants money/personal info; tactic = reward; red flags = too good to be true, link, unknown sender.
- Message C (friend needs a gift-card code now): wants money/asset; tactic = familiarity + urgency; safe action = verify with the friend through a known number.
Exit ticket model: “I must protect my school email. A phishing tactic is urgency. I will verify by contacting the sender through a number or site I already know.”
Alignment Record
| Field | Value |
|---|---|
| Standard Code | 7-8.CY.1 |
| Standard Text | Determine the types of personal information and digital resources that an individual may have access to that needs to be protected. |
| Framework | NYS Computer Science and Digital Fluency Learning Standards (2020) |
| Source | nysed.gov — NYS CS & Digital Fluency Learning Standards (2020) |
| Confidence | High Confidence |
| Validation Notes | Code 7-8.CY.1 confirmed; CY = Cybersecurity, grade band 7–8. The asset-inventory step directly targets “determine the types of personal information and digital resources … that need to be protected.” All messages are original; no real data used. |