What's Covered Here
Complete reference for every interactive element in Unit 2.4
Unit 2.4 — Online Safety and Responsible AI Use — closes Quarter 2 with the most immediately personal content in the suite. Unlike spreadsheet functions or document formatting, the threats and tools covered here affect students' lives right now: their accounts are either secured or they are not; the AI tools they use are either employed with integrity or they are not. The interactive tools are designed to convert awareness into concrete action.
This unit has more facilitator discussion anchors than any other Quarter 2 unit because the content invites it — phishing targeting in vulnerable communities, data as a community resource, and AI as an economic equalizer are all topics that connect directly to the Heritage-as-Capital framework running through the curriculum.
| Tool | Location | Focus |
|---|---|---|
| 🎣 Threat Spotter | Study Guide → Games tab | Match attack scenarios to their threat type (phishing, vishing, smishing, spear phishing, pretexting, misinformation) |
| 🛡️ Safe or Risk? | Study Guide → Games tab | Six applied digital safety and AI integrity scenarios — choose the safer, more responsible decision |
| ⚖️ True or False | Study Guide → Games tab | Security and AI facts vs. common misconceptions — 10 statements |
| 🔒 Security Audit | Study Guide → Security Audit tab | Five-question self-assessment producing scores across account protection, threat awareness, and information integrity |
| ✏️ Unit Quiz | g9-2-4-quiz.html | Comprehensive mastery — 20 questions from a 23-question bank |
🎣 Threat Spotter
Six attack scenarios matched to their threat type
Six realistic attack scenarios matched to their threat category. Covers the six attack types introduced in Topic 1 and Topic 3. The misinformation risk pair bridges the phishing/scam content to the information literacy content in Topic 3.
The Six Pairs — Answer Key
| Scenario | Threat Type | Key Indicator |
|---|---|---|
| Email from regions-bank-secure.net saying account is locked — click immediately | Phishing | Fake domain + false urgency + embedded link |
| Caller claims to be from the IRS — your SSN will be suspended unless you pay now | Vishing | Voice call + government impersonation + payment demand |
| Text says Amazon package delayed — click tracking link | Smishing | SMS delivery + embedded link + package pretext |
| Email claiming to be from the CEO — urgently wire funds to a new vendor | Spear Phishing | Business email compromise — personalized with org context |
| Caller pretends to be IT support — needs your password to fix a detected virus | Pretexting | Fabricated scenario (IT support) to obtain credentials |
| Shocking financial claim — no author, no date, unknown site | Misinformation risk | No provenance markers — authorless, sourceless, alarming claim |
After completing, ask students which attack type they believe is most likely to succeed against someone they know — and why. The CEO fraud spear phishing pair (business email compromise) and the IRS vishing pair target the authority/urgency combination that is most effective against people who have not encountered these attacks before. This discussion moves the threat from abstract to personal.
🛡️ Safe or Risk?
Six digital scenarios — choose the safer, more responsible action
Six scenarios featuring AOBF students navigating real digital decisions: a phishing email, credential reuse after a breach, financial misinformation, AI hallucination in an essay, SMS 2FA vs. authenticator app, and AI academic integrity without a written policy. Each has one clearly defensible correct answer with a detailed explanation.
Scenario Guide
| # | Student / Situation | Correct Action | Core Concept |
|---|---|---|---|
| 1 | Marcus — bank security email with suspicious domain | Call the bank directly using official number — do not click the link | Phishing response (Topic 1) |
| 2 | Destiny — same password on all accounts; Instagram gets hacked | Other accounts are at immediate risk — credential stuffing is the attack vector | Password reuse + credential stuffing (Topic 2) |
| 3 | Jerome — viral financial panic article, no author, unknown site | Apply SIFT before sharing — verify through credible sources | SIFT framework + financial misinformation (Topic 3) |
| 4 | Aaliyah — AI generates statistics for her essay | Verify each statistic independently before including it | AI hallucination + verification standard (Topic 5) |
| 5 | DeShawn — sets up SMS 2FA; is there a stronger option? | Authenticator app — codes generated locally, immune to SIM swapping | 2FA quality: SMS vs. authenticator app (Topic 2) |
| 6 | Brianna — submits AI-generated essay, school has no written AI policy | Still an integrity issue — policy absence does not resolve authorship | AI academic integrity (Topic 6) |
Scenario 6 — Most discussion-worthy
Scenario 6 (Brianna, no written AI policy) is the most nuanced in the set. Students often argue that absence of a policy means absence of a rule. The teaching point: academic integrity is about the purpose of the assignment, not only about written prohibitions. An essay exists to develop and demonstrate analytical capability — submitting AI output misrepresents that capability regardless of policy. This scenario generates productive classroom discussion about integrity vs. compliance.
After Scenario 4 (Aaliyah, AI statistics), ask: "Has anyone already submitted AI-generated statistics in a school assignment without verifying them?" Give space for honest answers without judgment. Then ask: "What would have happened if those statistics were wrong?" This connects the abstract concept of AI hallucination to a concrete consequence students can visualize.
⚖️ True or False
Security and AI facts vs. myths — 10 statements
Ten statements targeting the most persistent misconceptions in this unit: HTTPS safety (false), 2FA effectiveness (true), password reuse (false), social engineering vector (false), AI hallucination (true), misinformation vs. disinformation (false), phishing design quality (false), password managers (true), SIFT (true), and AI integrity without policy (false).
Answer Key — All 10 Statements
| # | Statement (summarized) | Answer |
|---|---|---|
| 1 | HTTPS means the website is always safe to enter personal information on | FALSE — HTTPS = encrypted connection, not verified legitimacy |
| 2 | 2FA makes an account significantly harder to compromise even if password is stolen | TRUE |
| 3 | Reusing a strong password across multiple accounts is acceptable | FALSE — credential stuffing bypasses password strength entirely |
| 4 | Social engineering primarily exploits software vulnerabilities | FALSE — exploits human psychology, not software |
| 5 | AI language models can produce confident, fluent, factually incorrect output (hallucination) | TRUE |
| 6 | Misinformation and disinformation are the same — both deliberately false | FALSE — misinformation = unintentional; disinformation = deliberate |
| 7 | Phishing emails can be identified reliably by checking for professional design and logos | FALSE — design can be copied perfectly; check the actual domain |
| 8 | A password manager stores strong unique passwords for every account behind one master password | TRUE |
| 9 | SIFT (Stop, Investigate, Find coverage, Trace) is for verifying online information before sharing | TRUE |
| 10 | Submitting AI-generated work as your own is only an integrity issue if there is a written policy prohibiting it | FALSE — integrity is about purpose, not only policy |
Statements 1 (HTTPS) and 7 (phishing design) are the most commonly missed — both address popular misconceptions that feel like common sense. Statement 10 (AI integrity without policy) is the highest-discussion item. Below 7/10 on this exit ticket: revisit Topics 1, 2, and 5 before the quiz.
🔒 Personal Security Audit
Five questions, three score categories, one highest-priority action
Five yes/partial/no questions covering unique passwords, 2FA, phishing recognition, information verification, and AI fact-checking. Produces scores across Account Protection, Threat Awareness, and Information Integrity, plus one highest-priority action specific to the student's answers.
Scoring Logic
| Question | Category | Yes = 2 | Partial = 1 | No = 0 |
|---|---|---|---|---|
| Unique passwords for important accounts | Account Protection | 2 | 1 | 0 |
| 2FA enabled on important accounts | Account Protection | 2 | 1 | 0 |
| Can identify 3+ phishing warning signs | Threat Awareness | 2 | 1 | 0 |
| Verify information before sharing online | Threat Awareness | 2 | 1 | 0 |
| Always verify AI-generated facts | Information Integrity | 2 | 1 | 0 |
Score interpretation
Total maximum: 10. Score 80%+ (8–10): Strong. Score 55–79% (6–7): Moderate. Below 55% (0–5): Needs Work. The priority action hierarchy: missing professional email → no self-Google → high post volume → many platforms → always LinkedIn. The audit is self-reported and unverified — its value is in prompting honest reflection, not producing a certified score.
Run the audit as an anonymous class aggregate: have students raise hands for each "No" answer. Show what percentage of the class has 2FA enabled, uses unique passwords, and verifies AI facts. The aggregate data makes the discussion concrete without requiring anyone to disclose their personal security posture. Then ask: "If you got a 4 out of 10 today, what would it take to get to an 8 by next week?"
✏️ Unit Quiz Engine
20 questions from a 23-question bank — phishing, passwords, SIFT, privacy, AI
Same engine as prior units. Unit 2.4 has the highest proportion of applied judgment questions in Quarter 2 — students must choose the correct action in a realistic scenario, not just recall a definition. The quiz intentionally includes the most common misconceptions as wrong-answer options.
Question Bank Coverage
| Type | Count | Topics Covered |
|---|---|---|
| Multiple Choice | 15 | Phishing definition, domain-as-indicator, smishing vs. vishing, authenticator app vs. SMS, smishing response protocol, credential stuffing, HTTPS misconception, SIFT framework, misinformation vs. disinformation, data as commodity, AI hallucination, responsible AI use, password manager, financial misinformation, social engineering definition |
| True / False | 8 | HTTPS safety (false), 2FA effectiveness (true), password reuse (false), AI as research tool requiring verification (true), misinformation vs. disinformation intent (false), data privacy settings limit (false), spear phishing danger (true), AI integrity without policy (false) |
Grading Scale
Highest error-rate questions
The HTTPS misconception question (false: HTTPS does not mean a site is safe) and the phishing visual design question (false: professional design is not a reliability indicator) are the most missed. Both address commonly held but wrong beliefs. Students who score below 70% should return to Topics 1 and 5 and re-read the annotated phishing email in the Study Guide.
🎓 Facilitator Notes
Sequencing, NAF/AOBF alignment, and Heritage-as-Capital discussion anchors
Recommended Learning Sequence
1. Study Guide Topics 1–2 (~25 min). Phishing anatomy (annotated email), smishing/vishing, password security, 2FA. Students should be able to identify five phishing red flags before moving on.
2. Threat Spotter (5–8 min). After completing: run the discussion — which attack type is most likely to succeed on someone in their community and why.
3. Study Guide Topics 3–4 (~20 min). SIFT framework, misinformation vs. disinformation, data privacy. Apply SIFT to a live example as a class — choose a current financial or health claim in the news.
4. Study Guide Topics 5–6 (~20 min). AI capabilities/hallucination, responsible AI use. Demonstrate a live AI hallucination using an available AI tool: ask it for a financial statistic with a source, then attempt to verify the source independently. The demonstration is more effective than any description.
5. Safe or Risk? (10–15 min). Pause at Scenario 4 (AI statistics) for the honest-reflection question. Pause at Scenario 6 (AI integrity) for the integrity vs. compliance discussion.
6. Security Audit (8–10 min). Run as anonymous aggregate first. Then have students complete it individually and identify their one priority action to take this week.
7. True or False (8–10 min). Exit ticket. Below 7/10: re-read Topics 1, 2, and 5 before the quiz.
8. Unit Quiz independently. 70% minimum passing score.
Heritage-as-Capital Discussion Anchors
- 📋 Introduction — Scam Targeting as a Community Wealth Problem: "Financial fraud is not an abstract internet problem — it is a community wealth problem." Ask: do you know someone who has been targeted by a phone or email scam? What made them vulnerable? What would have helped them recognize the attack?
- 💡 Topic 4 — Data as Community Resource: "Tech companies collect data from communities across Birmingham-Bessemer and profit from it — but the community sees none of that value." Ask: what would it mean for a community to collectively understand and assert its data rights? What decisions could be made differently?
- 🏛️ Topic 6 — AI as Equalizer: "A student in Birmingham-Bessemer with strong AI literacy has access to tools that cost thousands of dollars per hour a decade ago." Ask: what professional task could you accomplish better or faster with AI literacy that you could not do easily without it? What does it mean to use that capability with integrity?
NAF / AOBF Alignment
| Unit 2.4 Topic | NAF Academy of Finance Standard |
|---|---|
| Phishing, scams, social engineering | Cybersecurity Awareness — identifying and responding to digital threats |
| Password security and 2FA | Information Security — protecting accounts and sensitive data |
| Evaluating sources and misinformation | Information Literacy — critical evaluation of financial and professional information |
| Data privacy and digital rights | Consumer Finance — understanding data rights and financial privacy |
| AI capabilities and limits | Technology in Finance — emerging tools and their appropriate professional use |
| Responsible AI use | Professional Ethics — integrity in the use of technology tools |