Unit 2.4 Grade 9 · Quarter 2 · Digital Literacy and Productivity

Online Safety and Responsible AI Use

Protecting yourself — and using powerful tools with judgment and integrity

Phishing, scams, and social engineering
Password security and two-factor authentication
Evaluating sources and misinformation
Data privacy and digital rights
AI tools: capabilities and limits
Using AI responsibly in school and business

6 Core Topics · 22 Glossary Terms · 3 Games · 1 Security Audit

The Tools Are Powerful. The Judgment Is Yours.

Digital technology has never been more capable — or more dangerous to the unprepared. The same internet that gives a ninth-grade student in Birmingham-Bessemer access to global financial markets, world-class research, and professional AI tools is also the channel through which scammers steal savings, attackers harvest identities, and misinformation reshapes decisions. Power and risk travel together.

Unit 2.4 addresses both sides of that equation. The first three topics cover defense: understanding and recognizing the threats most likely to affect AOBF students and their families. The last three cover judgment: understanding what AI tools can and cannot do, and how to use them in ways that strengthen your work rather than undermine your integrity.

This is not a unit about being afraid of technology. It is a unit about using technology deliberately — with your eyes open to both its power and its limitations.

🏛️ Heritage as Capital

Scams and social engineering attacks disproportionately target communities with lower average household wealth — including elderly residents, recent immigrants, and families that are underbanked or unfamiliar with digital financial systems. In Birmingham-Bessemer, financial fraud is not an abstract internet problem — it is a community wealth problem. An AOBF student who understands phishing, identity theft, and financial scams does not just protect themselves — they become a resource for the people around them. That knowledge compounds in a community the same way capital does.

Phishing, Scams, and Social Engineering

Most digital security breaches are not caused by sophisticated technical exploits. They are caused by people being deceived into giving attackers what they need. Phishing, scams, and social engineering are all variations of the same strategy: convince the target to take an action — click a link, provide a password, transfer money, reveal personal information — that serves the attacker.

Understanding these attacks is the first and most effective layer of defense.

Phishing
A deceptive message — usually email — designed to look like it is from a trusted source (a bank, a school, a government agency) to trick the recipient into revealing credentials, clicking a malicious link, or downloading harmful software.
Smishing
Phishing delivered via SMS text message. "Your package is delayed — click here to reschedule delivery." Smishing exploits the informality of texting: people are less guarded about links in texts than in emails.
Vishing
Phishing via voice call. A caller impersonates a bank fraud department, the IRS, or a tech support agent to extract sensitive information. The urgency and personal nature of a phone call make vishing effective even on cautious people.
Social Engineering
Any attack that manipulates human psychology rather than technical vulnerabilities. Social engineers exploit trust, urgency, authority, fear, and reciprocity. Phishing, smishing, and vishing are all social engineering techniques.
Spear Phishing
A targeted phishing attack using personalized information — your name, your employer, a recent transaction — to appear more credible. More dangerous than generic phishing because the message feels specifically relevant to you.
Pretexting
Creating a fabricated scenario ("pretext") to obtain information or access — "I am calling from your bank's security team and need to verify your account." The pretext establishes false legitimacy before the request is made.

Anatomy of a phishing email — annotated:

From: security-alerts@regions-bank-secure.net (⚠ Not regions.com)
To: you@gmail.com
Subject: URGENT: Your account has been locked (⚠ False urgency)

Dear Valued Customer, (⚠ No name = mass-sent)

We have detected suspicious activity on your Regions Bank account. (⚠ Vague threat) Your account will be permanently suspended within 24 hours unless you (⚠ Artificial deadline) verify your identity immediately.

Click here to verify your account → (⚠ Link goes to fake site)

Regions Bank Security Team

🛡️

The universal rule: no legitimate financial institution, government agency, or technology company will ever ask for your password, PIN, or full Social Security Number via email, text, or phone. If you receive such a request — regardless of how official it looks — do not respond. Call the institution directly using a phone number from their official website, not from the message.
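The annotations above can be turned into a mechanical check. The following is an added example, not part of the original unit: it parses a constructed copy of the annotated email and reports which of the five warning signs it shows. The flag names, the keyword patterns, and the second (benign) message are assumptions made for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the annotated message from this unit as raw text.
SAMPLE = """\
From: security-alerts@regions-bank-secure.net
To: you@gmail.com
Subject: URGENT: Your account has been locked

Dear Valued Customer,

We have detected suspicious activity on your Regions Bank account.
Your account will be permanently suspended within 24 hours unless you
verify your identity immediately.

Click here to verify your account

Regions Bank Security Team
"""

# Constructed counter-example: real domain, named greeting, no pressure.
BENIGN = """\
From: Regions Bank <alerts@regions.com>
To: you@gmail.com
Subject: Your monthly statement is ready

Hello Jordan Lee,

Your statement for the account ending 1234 is available in the app.
"""

URGENCY = re.compile(r"\b(urgent|immediately|suspended|locked)\b", re.I)
DEADLINE = re.compile(r"\bwithin\s+\d+\s+(minutes?|hours?|days?)\b", re.I)
GENERIC = re.compile(r"^dear\s+(valued\s+)?(customer|user|member|client)\b",
                     re.I | re.M)
CREDENTIAL = re.compile(
    r"\b(verify your (identity|account)|password|pin|social security)\b", re.I)


def sender_domain_ok(from_header, official_domain):
    """True only for the official domain itself or one of its subdomains."""
    address = parseaddr(from_header)[1]
    domain = address.rpartition("@")[2].lower()
    return domain == official_domain or domain.endswith("." + official_domain)


def red_flags(raw_message, official_domain):
    """Return the warning signs from the annotated example found in a message."""
    msg = message_from_string(raw_message)
    text = f"{msg.get('Subject', '')}\n{msg.get_payload()}"
    flags = []
    if not sender_domain_ok(msg.get("From", ""), official_domain):
        flags.append("sender-domain")        # "Not regions.com"
    if URGENCY.search(text):
        flags.append("urgency")              # "False urgency" / "Vague threat"
    if DEADLINE.search(text):
        flags.append("deadline")             # "Artificial deadline"
    if GENERIC.search(text):
        flags.append("generic-greeting")     # "No name = mass-sent"
    if CREDENTIAL.search(text):
        flags.append("credential-request")   # asks you to verify or sign in
    return flags


if __name__ == "__main__":
    print("sample:", red_flags(SAMPLE, "regions.com"))
    print("benign:", red_flags(BENIGN, "regions.com"))
```

A message that raises no flags is not thereby legitimate; the rule above, contacting the institution through a number from its official website, still applies.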

Password Security and Two-Factor Authentication

The password is the front door to every account. A weak password is an unlocked front door. Password reuse is the same key in every lock. Most account compromises are not hacking — they are walking through unlocked doors.

🔐 What Makes a Password Strong

Length: Minimum 12 characters. Length matters more than complexity — a 16-character passphrase is harder to crack than an 8-character "complex" password.
Unpredictability: No dictionary words, names, birthdays, or predictable substitutions (p@ssw0rd is not secure — attackers know this trick).
Uniqueness: A different password for every account. If one account is compromised, no other account is at risk.
Passphrase method: Four random words strung together — purple-lamp-banana-thunder — is both strong and memorable.
Password manager: Software that generates and stores strong unique passwords for every account. You remember one master password; the manager handles the rest. Professional standard for anyone with more than a few accounts.
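The rules above can be checked in code. This added example (not part of the original unit) reviews a password against the length, unpredictability, and uniqueness rules, compares the search space of a short "complex" password with a longer simple one, and builds a passphrase with a cryptographic random generator. The word lists are constructed and far too small for real use; all function names are assumptions.

```python
import math
import secrets

# Constructed, deliberately tiny list; real checks use large breached-password lists.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "dragon"}

# Constructed sample list; a real passphrase list has thousands of words.
SAMPLE_WORDS = ["purple", "lamp", "banana", "thunder", "river", "candle",
                "orbit", "meadow"]

# The predictable substitutions the unit warns about; attackers undo them too.
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                      "$": "s", "5": "s", "7": "t"})


def normalize(password):
    """Lower-case and undo obvious substitutions (p@ssw0rd -> password)."""
    return password.lower().translate(LEET)


def review(password, used_elsewhere=()):
    """Return the rules from this unit that the password breaks."""
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    plain = normalize(password)
    if any(word in plain for word in COMMON_WORDS):
        problems.append("built on a common word or obvious substitution")
    if password in used_elsewhere:
        problems.append("already used on another account")
    return problems


def random_bits(length, alphabet_size):
    """Entropy in bits when every character is chosen independently at random."""
    return length * math.log2(alphabet_size)


def passphrase_bits(word_count, list_size):
    """Entropy in bits when every word is chosen at random from the list."""
    return word_count * math.log2(list_size)


def make_passphrase(words, count=4, sep="-"):
    """Choose words with the OS cryptographic RNG, never by hand."""
    return sep.join(secrets.choice(words) for _ in range(count))


if __name__ == "__main__":
    for candidate in ("p@ssw0rd", "P@ssw0rd2024!", "purple-lamp-banana-thunder"):
        print(candidate, "->", review(candidate) or "no rule broken")
    # 8 characters from 94 printable symbols vs 16 lowercase letters.
    print(round(random_bits(8, 94), 1), "bits vs", round(random_bits(16, 26), 1))
    print(make_passphrase(SAMPLE_WORDS))
```

The second candidate passes the length rule and still fails, because undoing the substitutions reveals the common word underneath.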

Two-Factor Authentication (2FA)
A security layer that requires two forms of verification to access an account: something you know (password) and something you have (phone, authenticator app, hardware key). Even if an attacker steals your password, they cannot access the account without the second factor.
Authenticator App
An app (Google Authenticator, Authy, Microsoft Authenticator) that generates a time-sensitive 6-digit code used as a second factor. More secure than SMS 2FA because the code cannot be intercepted through SIM swapping attacks.
Password Manager
Software that generates, stores, and autofills strong unique passwords for every account. Examples: Bitwarden (free, open source), 1Password, LastPass. Eliminates the need to remember dozens of passwords — you remember one strong master password.
Credential Stuffing
An automated attack that tries username/password combinations leaked from one breach on many other sites. If you reuse passwords across accounts, a single breach can unlock all of them. The defense: unique passwords for every account.
✓ Strong Password Practices
Use a unique password for every account
Enable 2FA on every account that offers it
Use an authenticator app over SMS codes
Use a password manager for all accounts
12+ character passwords minimum
Change passwords immediately after any breach
✗ Common Password Mistakes
Reusing passwords across multiple accounts
Using birthdays, names, or pet names
Storing passwords in a plain text document
Sharing passwords with friends "just this once"
Using p@ssw0rd or similar obvious substitutions
Skipping 2FA setup because it seems inconvenient

Evaluating Online Sources and Misinformation

The internet has made more information available to more people than at any point in human history. It has also made more misinformation available to more people than at any point in human history. The ability to tell the difference — quickly, reliably, and consistently — is one of the most valuable skills a professional can have in 2026 and beyond.

Misinformation
False or inaccurate information shared without the intent to deceive — someone repeating something they believe is true but is not. Misinformation spreads naturally through social networks as people share content they trust from their own networks.
Disinformation
False information deliberately created and spread to deceive — propaganda, fabricated news stories, manipulated images. The distinction from misinformation: intent to deceive. Both are harmful; disinformation is also a form of fraud.
Primary Source
The original, firsthand source of information — the actual study, the official report, the direct statement, the raw data. Always preferable to secondary sources (articles about the study) because primary sources have not been filtered, summarized, or potentially misrepresented.
Lateral Reading
A fact-checking technique: instead of reading deeply within a suspicious source, open new tabs and search for what other credible sources say about that source or claim. Professional fact-checkers use lateral reading because it is faster and more reliable than trying to evaluate a source from the inside.
✅ SIFT — A Four-Step Verification Framework

S — Stop. Before sharing, pause. Ask: do I actually know this is true?
I — Investigate the source. Who wrote this? What is their expertise and motivation? Search the author and publication.
F — Find better coverage. Is this claim reported by multiple credible, independent sources? A single source for a major claim is a red flag.
T — Trace claims back to originals. Find the actual study, document, or statement being referenced. Articles often misrepresent or oversimplify original sources.

SIFT takes 60–90 seconds. It is the professional standard for information verification.

🔍

Financial misinformation is particularly dangerous. Investment "tips," cryptocurrency "opportunities," and "guaranteed return" schemes circulate on social media and messaging apps constantly — and they target communities where people are building wealth for the first time. An AOBF student who can evaluate a financial claim using SIFT protects their own future and the people around them.

Data Privacy and Digital Rights

Every app you download, every website you visit, every search you run generates data about you. That data is stored, analyzed, sold, and used in ways most users never see. Understanding what data is collected, by whom, and for what purpose is not paranoia — it is basic digital literacy in an economy where personal data is a commodity.

Personal Data
Any information that identifies or can be used to identify a specific individual — name, address, phone number, email, device ID, location history, browsing behavior, purchase history, biometric data. Tech companies collect all of these categories; most users are unaware of the scope.
Terms of Service (ToS)
The legal agreement governing use of a platform — what you agree to when you click "I Agree." ToS documents typically include extensive data collection permissions that most users never read. "If the product is free, you are the product" refers to this data economy.
Data Breach
An incident in which unauthorized parties gain access to stored personal data — usually through hacking a company's databases. Data breaches expose names, emails, passwords, credit card numbers, and Social Security Numbers. Check if your email has been in a breach: HaveIBeenPwned.com.
Digital Rights
Legal and ethical entitlements relating to how personal data is collected, stored, used, and shared. In the US, rights vary by state; California (CCPA) and other states provide explicit data access and deletion rights. Federal legislation is evolving. Knowing your rights is the first step to exercising them.
💡 Heritage as Capital — Data as Community Resource

Technology companies collect behavioral, financial, and location data from communities across Birmingham-Bessemer — and profit from it. That data describes community patterns, needs, and vulnerabilities, but the community sees none of that economic value. Data literacy is a form of community power: understanding what is being collected, how it is being used, and what rights exist to limit or access that data is part of the broader economic advocacy work the AOBF Academy prepares students for. The same analytical skills that help a student protect their personal data help a community advocate challenge extractive data practices.

Introduction to AI Tools: Capabilities and Limits

Artificial intelligence tools — AI writing assistants, image generators, coding helpers, research tools — are now part of the standard professional toolkit. An AOBF student entering the workforce in 2028 or 2029 will be expected to use these tools competently. Understanding what they can do, what they cannot do, and where they fail silently is essential professional knowledge.

Large Language Model (LLM)
The technology behind AI writing tools like Claude, ChatGPT, and Gemini. LLMs are trained on massive amounts of text and generate responses by predicting statistically likely continuations. They produce fluent, coherent text — but fluency is not accuracy.
Hallucination
When an AI model produces confident, fluent, plausible-sounding output that is factually incorrect — fabricated statistics, made-up citations, invented events. Hallucinations are not random errors; they are structurally built into how LLMs work. The model cannot always distinguish what it knows from what it predicts.
Knowledge Cutoff
The date after which an AI model has no training data. Events, regulations, market conditions, and research after the cutoff are unknown to the model — it may answer confidently about them using outdated information without flagging this limitation.
Prompt
The input you give an AI tool — your question, instruction, or context. The quality of the output is directly shaped by the quality of the prompt. Vague prompts produce generic output. Specific, contextual prompts produce useful output. Learning to write effective prompts is a professional skill.
AI tools are strong at
Drafting, editing, and summarizing text
Explaining complex concepts in plain language
Brainstorming and generating options
Writing and explaining code
Translating and adapting writing for different audiences
Organizing and structuring information
AI tools are weak at
Verifying facts — always verify independently
Knowing what happened after their training cutoff
Calculations involving very large or precise numbers
Knowing your specific context without being told it
Producing reliable citations — always verify sources
Replacing professional judgment in consequential decisions
🤖

The verification rule: any factual claim, statistic, citation, or data point produced by an AI tool must be independently verified before it is used in any professional or academic context. AI tools are research accelerators, not research replacements. Confidence of tone is not evidence of accuracy.

Using AI Responsibly in School and Business

AI tools raise new questions about integrity, authorship, and judgment that every student and professional must navigate. These are not simple questions — and they do not have identical answers across every context. A business professional who uses AI to draft a first version of a proposal is working efficiently. A student who submits AI-generated text as their own original work is misrepresenting their abilities. Context, disclosure, and judgment determine whether AI use is professional or problematic.

✓ Responsible AI Use
Use AI to brainstorm, outline, or draft — then revise and make it yours
Verify every fact, statistic, and citation the AI provides
Follow your school or employer's AI use policy explicitly
Disclose AI assistance when required or when in doubt
Treat AI output as a starting point, not a finished product
Develop your own skills — do not outsource thinking you need
✗ Irresponsible AI Use
Submitting AI-generated work as entirely your own when prohibited
Using AI facts, stats, or citations without verification
Relying on AI for decisions with real consequences (medical, legal, financial)
Assuming AI output is accurate because it sounds confident
Using AI to impersonate another person's voice or views
Skipping the thinking that builds the skills you need long-term
📋 The AOBF AI Use Standard

Acceptable: Using an AI tool to get a first draft, generate ideas, explain a concept, check grammar, or research background on a topic — as long as you read it critically, verify facts, revise for your own voice, and the assignment does not explicitly prohibit it.

Not acceptable: Submitting AI-generated text as your original work on any assignment that asks for your own analysis, argument, or expression — including essays, career reflections, business plans, and portfolio work.

When in doubt, ask. Asking your teacher whether AI assistance is appropriate for an assignment is not a violation. It is professional communication.

💡 Heritage as Capital — AI as Equalizer

AI tools give AOBF students access to a capabilities layer that was previously available only to people with expensive professional services — legal research, financial analysis, writing assistance, coding support. A student in Birmingham-Bessemer with strong AI literacy has access to tools that would have cost thousands of dollars per hour a decade ago. The competitive advantage is real. The obligation is to use these tools well — to build genuine skills alongside them, verify what they produce, and represent work honestly. AI fluency without integrity is fragile. AI fluency with integrity compounds.

Unit Summary

What You Should Know Cold

Phishing
Fake sender address. False urgency. No name. Generic greeting. Suspicious link. No legitimate institution asks for passwords via email, text, or phone — ever.
Password Security
Unique password for every account. 12+ characters. 2FA on everything that offers it. Authenticator app > SMS. Password manager for everything.
Misinformation
SIFT: Stop · Investigate the source · Find better coverage · Trace to originals. Misinformation = unintentional. Disinformation = deliberate. Lateral reading beats deep reading for verification.
Data Privacy
Free platforms collect and sell your behavioral data. ToS agreements give them permission. Data breaches expose what companies store. Check: HaveIBeenPwned.com.
AI Capabilities
Strong: drafting, explaining, brainstorming, coding. Weak: verifying facts, post-cutoff events, precise numbers, citations. Hallucination = confident wrong answer. Verify everything independently.
Responsible AI
Brainstorm and draft with AI — verify, revise, make it yours. Follow school and employer policy. Disclose when required. AI fluency + integrity = compounding professional advantage.

Key Terms & Definitions

A
Authenticator App
A mobile app (Google Authenticator, Authy, Microsoft Authenticator) that generates time-sensitive 6-digit verification codes used as a second authentication factor. More secure than SMS-based 2FA because the codes are generated locally on your device and cannot be intercepted through SIM swapping attacks.
C
Credential Stuffing
An automated cyberattack that uses username and password combinations leaked from one data breach to attempt logins on many other websites and services. Effective because most people reuse passwords. Defense: using a unique password for every account eliminates this risk entirely.
D
Data Breach
A security incident in which unauthorized parties access, steal, or expose stored personal data — typically by exploiting vulnerabilities in a company's systems. Breaches expose names, emails, passwords, payment information, and Social Security Numbers. Check breach exposure at HaveIBeenPwned.com.
Example: a major retailer's database is hacked, exposing 50 million customers' email addresses and hashed passwords.
Digital Rights
Legal and ethical entitlements regarding personal data — the right to know what data is collected, the right to access it, the right to request deletion, and the right to limit how it is shared. Rights vary by jurisdiction; the California Consumer Privacy Act (CCPA) is the strongest US example to date.
Disinformation
False information deliberately created and distributed to deceive — propaganda, fabricated news, manipulated images and videos created with the specific intent to mislead. Distinguished from misinformation by the intent to deceive. Disinformation campaigns are tools of political and economic manipulation.
H
Hallucination (AI)
When an AI language model produces output that is confidently stated but factually incorrect — fabricated statistics, invented citations, wrong dates, made-up quotes. Hallucinations occur because LLMs predict likely text rather than verify facts. The model cannot always distinguish what it accurately knows from what it plausibly predicts.
HTTPS
HyperText Transfer Protocol Secure — the encrypted version of HTTP. A site with HTTPS (indicated by a padlock icon) encrypts data transmitted between your browser and the server. Important clarification: HTTPS means the connection is encrypted, NOT that the website is legitimate or safe. Phishing sites use HTTPS too.
K
Knowledge Cutoff
The date after which an AI model has no training data. The model has no awareness of events, developments, laws, market conditions, or research published after this date — and may answer questions about them using outdated information without explicitly flagging this limitation.
L
Large Language Model (LLM)
The AI architecture behind text-generating tools like Claude, ChatGPT, and Gemini. LLMs are trained on massive text datasets and generate responses by predicting statistically likely continuations of a prompt. They produce fluent, coherent text — but fluency is not synonymous with accuracy or factual reliability.
Lateral Reading
A fact-checking method of opening new browser tabs and searching for what credible external sources say about a claim or source — rather than reading deeply within the source itself. Used by professional fact-checkers because it is faster and more reliable than evaluating a source from the inside.
M
Misinformation
False or inaccurate information shared without intent to deceive — someone repeating something they genuinely but incorrectly believe to be true. Misinformation spreads rapidly through social networks as trusted sources (friends, family, community members) share it with confidence.
Multi-Factor Authentication (MFA)
Authentication requiring two or more verification factors from different categories: something you know (password), something you have (phone, authenticator app), something you are (biometric). Two-factor authentication (2FA) is the most common form. MFA dramatically reduces the risk of unauthorized account access even when a password is compromised.
P
Password Manager
Software that generates, stores, and autofills strong unique passwords for every account, secured behind one master password. Free options include Bitwarden (open source, recommended). A password manager is the only practical way to have unique strong passwords for dozens of accounts without memorizing them all.
Personal Data
Any information that can identify or be linked to an individual — name, contact information, location data, device identifiers, browsing and purchase history, financial records, biometric data. Technology companies collect personal data at scale; understanding what is collected is the first step in managing it.
Phishing
A deceptive digital communication — typically email — designed to impersonate a trusted entity and trick the recipient into revealing credentials, clicking malicious links, or downloading harmful software. Recognizable by fake sender domains, false urgency, generic greetings, and suspicious links.
Pretexting
A social engineering technique involving a fabricated scenario designed to establish false trust before requesting sensitive information or access. The "pretext" creates a plausible reason for the request: "I am calling from your bank's fraud prevention department."
Primary Source
The original, firsthand document — the actual study, official report, data table, direct statement, or court record. Primary sources are preferable to secondary sources (articles, summaries, commentary) because they have not been filtered, interpreted, or potentially misrepresented.
Prompt
The input provided to an AI tool — the question, instruction, or context that shapes the model's response. Prompt quality directly determines output quality: specific, contextual, well-structured prompts produce more useful results than vague ones. Writing effective prompts is a professional skill in the AI era.
S
SIFT
A four-step information verification framework: Stop (pause before sharing), Investigate the source (who wrote this and why?), Find better coverage (are multiple credible sources reporting this?), Trace claims back to originals (find the actual study or document). A practical tool for evaluating any online claim in under two minutes.
Smishing
Phishing delivered via SMS text message. Exploits the relative informality of texting, where people are often less guarded about links than in email. Common vectors: fake package delivery notifications, banking alerts, prize notifications.
Social Engineering
Any attack that exploits human psychology — trust, authority, urgency, fear, reciprocity — rather than technical vulnerabilities. The most effective and common category of cyberattack. Training people to recognize social engineering attempts is more effective than any technical defense alone.
Spear Phishing
A targeted phishing attack personalized with specific information about the recipient — their name, employer, recent activity, or professional context — to appear more credible than generic phishing. More dangerous because the message feels specifically relevant. Sources of personalization: LinkedIn, data breaches, social media.
T
Terms of Service (ToS)
The legal agreement users accept when signing up for or using a digital platform. ToS documents typically include extensive data collection and usage permissions. The phrase "if the product is free, you are the product" refers to the data collection business model that ToS agreements authorize.
Two-Factor Authentication (2FA)
A security configuration requiring two forms of verification: something you know (password) and something you have (phone, authenticator app, hardware key). Even if an attacker obtains your password, they cannot access the account without the second factor. Should be enabled on every account that offers it.
V
Vishing
Phishing conducted via voice call. An attacker impersonates a bank representative, government official, or technical support agent to extract sensitive information over the phone. The real-time, personal nature of voice communication creates urgency that makes vishing effective even on cautious individuals.

Test Your Knowledge

🎣
Threat Spotter
Match each attack description to its correct threat type. Six pairs.
🛡️
Safe or Risk?
Six digital scenarios — choose the safer, more responsible decision.
⚖️
True or False
Security and AI facts vs. myths. Ten statements.

Personal Security Audit

Answer five questions about your current security practices. This tool calculates a security score across three categories — account protection, threat awareness, and information integrity — and identifies your highest-priority improvement.
