Items Needed
- Scenario cards outlining various hacker attack situations (e.g., phishing emails, malware downloads, password breaches; see examples below)
- Pens, paper, or devices for scouts to brainstorm solutions.
Instructions
- Split scouts into groups of 3–5. Each team draws a scenario card.
- Each group acts out their assigned scenario, brainstorming ways to recognize and avoid the hacker attack. Examples include:
- Spotting suspicious signs in an email (e.g., spelling errors, unverified sender, urgent tone).
- Recognizing malware disguised as fake software updates or downloads.
- Identifying phishing attempts requesting sensitive information.
- Scouts decide their roles based on their own imagination of the scenario. Scouts playing hackers could give clues on how they attempt to trick employees, while IT specialists could have strategies to defend against attacks.
- Groups present their role-play scenarios and share the strategies they used to avoid the hacker attack. Facilitate a discussion with questions like:
- What signs helped you identify the attack?
- What actions helped prevent the attack?
- How can these lessons be applied to real-life situations?
- Summarize the role-play outcomes and emphasize these cybersecurity practices:
- Always verify the sender before clicking links in emails.
- Keep software updated from trusted sources only.
- Use strong, unique passwords for all accounts.
- Report suspicious activity to IT immediately.
- Educate others on recognizing cyber threats.
Sample Scenarios
- Phishing Email
- Scenario: An employee receives an email claiming to be from their company’s IT department, asking them to click a link to update their password due to “suspicious activity.” The email contains subtle spelling errors and a mismatched sender address.
- Focus: Recognizing phishing attempts and verifying email authenticity.
- Suspicious Pop-Up
- Scenario: While browsing the internet, a pop-up appears, claiming, “Your computer is infected! Click here to download antivirus software.” The pop-up looks official but asks for sensitive information before allowing the download.
- Focus: Avoiding malicious downloads and recognizing fake security alerts.
- Compromised USB Drive
- Scenario: An employee finds an unmarked USB drive in the office parking lot labeled “Employee Payroll.” Out of curiosity, they plug it into their computer to see what’s on it.
- Focus: Understanding the risks of plugging in unknown devices and practicing safe handling of found items.
- Fake Social Media Message
- Scenario: An employee gets a direct message on social media from an account impersonating a coworker. The message asks for login credentials to access a “shared project file.”
- Focus: Identifying social engineering tactics and verifying requests through official channels.
- Rogue Software Update
- Scenario: A notification pops up on a company device, prompting the employee to update a critical piece of software immediately. The update link leads to an unverified website.
- Focus: Recognizing suspicious update requests and confirming authenticity through official sources.
- Password Sharing Request
- Scenario: A coworker approaches an employee in person, claiming they forgot their password and need urgent access to the system to complete a task. They ask to borrow the employee’s login credentials “just for today.”
- Focus: Understanding the importance of never sharing passwords and using secure recovery options instead.
- Unsecured Public Wi-Fi
- Scenario: An employee connects their work laptop to a free public Wi-Fi network at a coffee shop to complete a report. Shortly after, they notice strange activity on their accounts.
- Focus: Understanding risks of using unsecured Wi-Fi and recognizing the importance of VPNs for protecting sensitive data.
- Malicious QR Code
- Scenario: During a conference, an employee scans a QR code on a flyer for “exclusive discounts,” but the link installs malware on their device.
- Focus: Learning to verify the authenticity of QR codes before scanning and recognizing hidden risks in seemingly harmless items.
- Bogus Tech Support Call
- Scenario: An employee receives a phone call from someone claiming to be the company’s tech support team, asking for remote access to fix a “critical issue.” The caller provides convincing details about the employee’s device.
- Focus: Identifying social engineering attempts through phone calls and verifying requests through official channels.
- Suspicious File Attachment
- Scenario: An employee receives an email from a trusted contact with a file attachment labeled “Urgent: Open Immediately.” Upon opening, their device begins behaving strangely.
- Focus: Recognizing the risks of downloading unknown attachments and confirming sender authenticity even for trusted contacts.
- Impersonated Website
- Scenario: An employee accesses a website to make a company purchase but accidentally visits a fake site with a slightly altered URL. They enter their login information, only to realize they’ve been locked out of their account.
- Focus: Learning to check website URLs carefully and avoid entering sensitive information into unfamiliar or altered sites.
- Baiting with Free Perks
- Scenario: An employee finds an online promotion offering free gift cards to the first 50 people who fill out a form with their name, email, and company login details. They receive a confirmation email but notice unauthorized activity in their account afterward.
- Focus: Recognizing baiting attempts using incentives and avoiding sharing sensitive information in return for “free offers.”