Note: this is an educational workshop, not legal/banking/IT advice. We practice safe behaviors and an incident response plan. In exercises we use anonymous/fictitious data; we do not log into real accounts.
1. Overall objective and workshop logic
Objective: participants recognize red flags of scams (SMS/email/messengers/marketplaces), apply secure login practices (strong passwords, password manager, 2FA/passkeys), know how to protect personal data (incl. in mObywatel/ePUAP), and can respond to and report an incident. Logic: “Phish or legit?” → threat map and red flags → login & payment practices → data and documents (mObywatel/ePUAP, data minimization) → 5‑15‑60 plan (response) → 72‑hour commitment.
Outputs: 1) CY1 — Red‑flag catalog (A3 + A4 poster), 2) CY2 — Audit of critical accounts (email/bank/social), 3) CY3 — Marketplace & payments (red flags – OLX/Vinted/courier/BLIK), 4) CY4 — Passwords, 2FA, passkeys (checklist), 5) CY5 — Personal data: minimization + safe use of mObywatel/ePUAP (checklist), 6) CY6 — 5‑15‑60 response (steps + contacts), 7) CY7 — 72‑hour plan (3 steps for the next days), 8) CY‑R — Exit assessment rubric.
2. Learning outcomes (knowledge • skills • attitudes)
Knowledge:
knows the most common attack vectors (phishing, smishing, vishing, fake payment gateways, impersonation on marketplaces, “BLIK” scam, “parcel fee” scam, “bank employee/official” scam);
understands the basics of secure login (passphrases, password manager, 2FA/TOTP, security keys/passkeys);
knows what mObywatel (mID, certificates) and login.gov.pl/ePUAP (logging in to public services) are and what they are used for.
Skills:
identifies at least 8 red flags in messages/ads;
sets a plan to improve login security (change passwords for 3 critical accounts + enable 2FA);
creates a 5‑15‑60 incident response procedure and can report a suspicious message;
applies data minimization and safe habits for digital documents.
Attitudes: caution, “verify at the source,” the right to “STOP – I don’t click,” and the confidence to ask questions.
3. Logistics
Room: U‑shape + 4 tables; 2 flipcharts; projector; timer.
Handouts to print (A4/A3, 1 per person): CY1–CY7, CY‑R; set of sample messages (PH‑A…PH‑H), screen mockups (login, payment gateway, listing).
Devices: not required (optional: demos on slides).
Evaluation: Mentimeter PRE/POST (3 questions – section 4).
4. Mentimeter questions (PRE and POST)
“I can spot red flags in messages and on marketplaces.”
“I can secure 3 key accounts (password + 2FA).”
“I know how to respond to and report an incident (the 5‑15‑60 plan).”
5. Detailed agenda (180 minutes)
0–10’ Opening and ground rules (10’)
Objective: safety and workshop goals. Instructions: present the plan and outputs; rules: voluntary participation, no logging into real accounts, no sharing other people’s data.
10–25’ Icebreaker “Phish or legit?” (15’)
Objective: activate the “radar” and build a shared language. Materials: PH‑A…PH‑H (8 sample SMS/email/messenger), CY1. Instructions: at tables, review 8 examples and for each mark 1–2 red flags (e.g., typos, shortened link, time pressure, request for data/login, .zip/.exe attachment, sender shown as a regular phone number, “fee of PLN 1.23”). Debrief (4’): collect the TOP‑5 flags on the flipchart.
25–33’ Mentimeter PRE (8’)
33–65’ MODULE 1 — Threat map and red flags (32’)
Objective: name the most common scam patterns. Materials: CY1 (poster), screen mockups. Instructions: short mini‑input (10’) on types of scams (phishing/smishing/vishing, fake payments, impersonation on marketplaces, “BLIK”, “bank employee/official”, “parcel/energy/fine fee”). Exercise 1 (8’): match “attack pattern → red flags → what I do instead of clicking”. Exercise 2 (10’): tables create their own bait message (fictional) and swap for analysis (mark flags). Success criteria: the group lists at least 8 flags and 3 alternative actions (e.g., type the bank website manually, call the official hotline, report suspicious content).
65–95’ MODULE 2 — Secure login: passwords, 2FA, passkeys (30’)
Objective: implement account‑protection practices. Materials: CY4, CY2. Mini‑lesson (8’):
Passphrases (≥14 characters, three words + symbols);
Password manager (one master password + unique passwords everywhere);
2FA: preferably a TOTP app/security key (not SMS, if you can avoid it);
Passkeys/security keys (FIDO2/WebAuthn) – briefly what they are and when to use them.
Exercise (20’): CY2 – Audit 3 critical accounts (primary email, banking/payment app, social media):
Tick whether you have a unique password, 2FA, and account recovery set up;
Write down 2 steps you will take within 72 hours (e.g., change password, enable 2FA, update recovery email).
Success criteria: everyone has 3 concrete decisions.
95–105’ BREAK (10’)
105–135’ MODULE 3 — Marketplace and payments: BLIK, courier, OLX/Vinted (30’)
Objective: defuse the most common buying/selling scams. Materials: CY3, payment‑gateway and chat mockups. Instructions:
Attack model (6 steps): 1) Start contact (chat); 2) Link outside the platform; 3) Time pressure (“the transfer has already been sent!”); 4) Request for card details/passwords/BLIK; 5) Fake payment page; 6) Theft of funds.
Safe marketplace rules:
Payments only via the platform’s built‑in mechanism;
Never share a BLIK code or accept “return transfer” tricks;
Don’t click links from chat;
In‑person pickup / cash on delivery where it makes sense;
Keep evidence of the chat/listing – take screenshots.
Exercise (15’): go through the CY3 checklist for two scenarios (selling/buying) and mark where you will stop the conversation. Success criteria: a participant can point to 3 STOP moments and 2 safe alternatives.
135–160’ MODULE 4 — Data and documents: mObywatel / ePUAP / minimization (25’)
Objective: safe use of digital identity and data. Materials: CY5 (checklist), slide with an app mockup. Scope:
Data minimization: share only what is necessary; don’t send scans of documents via chat/email unless needed; rule: “no document scans in listings.”
mObywatel (mID): what it is and where you can typically use it; certificates in the app—remember their validity; don’t take screenshots of documents to share with others.
login.gov.pl/ePUAP: gateway to public services; rule: always access via a URL typed manually or via the official website; never enter passwords after clicking a link in a message.
PESEL: if you worry about misuse, take care of your status (checking/restricting) and remember to lift a restriction only for the time needed to sign a contract.
Exercise (10’): CY5 – checklist “what, to whom, and how”: 5 situations (renting, recruitment, parcel pickup, clinic visit, office) – mark what data is necessary and what you do not share.
160–172’ MODULE 5 — 5‑15‑60 response + reporting (12’)
Objective: concrete steps after a “click” / suspected scam. Materials: CY6 (response card). 5‑15‑60 procedure:
Within 5 minutes: disconnect the internet (airplane mode / turn off Wi‑Fi), don’t provide any more data, take a screenshot;
Within 15 minutes: change the account password, enable/change 2FA, check recent logins; call the bank hotline and block payments/card, if relevant;
Within 60 minutes: report the incident via official form/numbers; if money/data was lost—file a report (bank/police) and secure evidence.
Exercise (5’): fill in CY6 with your own numbers and reporting points (bank/NGO/university).
172–178’ Mentimeter POST + 72‑hour plan (6’)
Instructions: the same 3 questions; on CY7 write 3 steps for the next 72 hours (e.g., “I’ll change my email password,” “I’ll enable 2FA,” “I’ll delete old document scans from my phone”).
178–180’ Closing (2’)
What should happen: photos of flipcharts and posters (no personal data), reminder: we don’t log in via links, we report suspicious messages; thank you.
6. Facilitation best practices
Use plain language—short and concrete; show on mockups, not on real accounts.
Model the behaviors: “I type the bank website manually,” “I verify via the official hotline,” “I don’t send scans of documents.”
Normalize the STOP reaction: doubts → pause → verify via an official channel.
Empathy: no shame if someone clicked—what matters is quick response and reporting.
7. Adaptations, plan B, variants
Language barrier: pictograms in CY1–CY6, short PL/UA/EN phrases in brackets; mixed‑language pairs.
Less time (120’): shorten M1 (20’), M2 (20’), M3 (20’), M4 (15’), M5 (10’); leave CY7 as homework.
More time (+30’): add a mini‑module “Privacy on social media” (profile settings, visibility, two‑step login, limiting publishing location/family).
8. Evaluation and reporting indicators
Mentimeter PRE/POST — 3 questions.
Outputs: completed CY1–CY7 (photo/scan).
CY‑R rubric (0–2 points per criterion, max 10):
Red‑flag recognition (M1)
Account plan & 2FA (M2)
Marketplace – STOP decisions (M3)
Data minimization (M4)
5‑15‑60 response + contacts (M5)
Interpretation: 0–3 beginner; 4–7 solid; 8–10 ready to implement.
Printable materials
CY1 – Red‑flag catalog
- Shortened link/unknown domain
- Time pressure (“immediately”)
- Language errors/typos
- Request to log in/provide data
- .zip/.exe attachment
- Sender shown as a regular phone number
- Moving the conversation off‑platform
- Payment “outside the system”
- Promise of profit/refund
- Request for a BLIK code.
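The CY1 catalog above can also be run as a rule of thumb over a message. The script below is an added example and not one of the workshop handouts: each check mirrors one catalog flag (plus the “fee of PLN 1.23” bait from the icebreaker), the keyword lists and the sample messages are constructed assumptions, and language errors are deliberately left to the human reader.

```python
import re

# Added example, not one of the workshop handouts: heuristic checks that mirror the
# CY1 red-flag catalogue. A message is a dict with keys 'sender', 'text', 'attachments'.
SHORTENED_LINK = re.compile(r"https?://(?:bit\.ly|tinyurl\.com|t\.co|cutt\.ly)/\S+", re.I)
PLAIN_PHONE_SENDER = re.compile(r"^\+?\d{9,15}$")          # sender is just a number
SMALL_FEE = re.compile(r"\bPLN\s?\d{1,2}[.,]\d{2}\b", re.I)  # e.g. "fee of PLN 1.23"

def _has(message, *phrases):
    text = message["text"].lower()
    return any(p in text for p in phrases)

# Keyword lists are illustrative assumptions, not an official detection rule set.
CHECKS = {
    "shortened link": lambda m: bool(SHORTENED_LINK.search(m["text"])),
    "time pressure": lambda m: _has(m, "immediately", "within 24 hours", "will be blocked", "last chance"),
    "request to log in/provide data": lambda m: _has(m, "log in", "confirm your password", "enter your card", "your pesel"),
    ".zip/.exe attachment": lambda m: any(a.lower().endswith((".zip", ".exe")) for a in m.get("attachments", [])),
    "sender shown as plain phone number": lambda m: bool(PLAIN_PHONE_SENDER.match(m["sender"])),
    "moving conversation off-platform": lambda m: _has(m, "whatsapp", "telegram", "outside the app"),
    "payment outside the system": lambda m: _has(m, "pay by transfer", "payment link", "outside the platform"),
    "small fee": lambda m: bool(SMALL_FEE.search(m["text"])),
    "promise of profit/refund": lambda m: _has(m, "refund", "you have won", "guaranteed profit"),
    "request for a BLIK code": lambda m: _has(m, "blik") and _has(m, "code"),
}

def red_flags(message):
    """Names of CY1 flags present in one message (language errors are left to the reader)."""
    return [name for name, check in CHECKS.items() if check(message)]

def decision(flags):
    """Workshop rule of thumb: one flag means pause and verify at the source,
    two or more mean STOP (do not click, do not reply, report it)."""
    if len(flags) >= 2:
        return "STOP - do not click; verify via the official channel and report"
    if flags:
        return "Pause - verify at the source before acting"
    return "No catalogue flags found - still verify if anything feels off"

# Constructed sample messages in the spirit of the PH-A...PH-H handouts (fictitious data).
SAMPLES = {
    "parcel fee": {"sender": "+48600123456", "attachments": [], "text": "Parcel held. Pay the fee of PLN 1.23 immediately: https://bit.ly/parcel-x"},
    "marketplace buyer": {"sender": "Vinted chat", "attachments": [], "text": "Transfer already sent, just give me the BLIK code. Let's move to WhatsApp."},
    "invoice": {"sender": "accounting@example.invalid", "attachments": ["invoice.zip"], "text": "Please find the invoice attached."},
    "clinic reminder": {"sender": "Clinic", "attachments": [], "text": "Reminder: your appointment is on Tuesday at 10:00."},
}

if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        flags = red_flags(msg)
        print(f"{name}: {flags} -> {decision(flags)}")
```

In the sample set the parcel message trips four flags and the marketplace chat two, the attachment-only invoice is a “pause and verify” case, and the clinic reminder trips none.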
CY2 – Audit of critical accounts
| Account | Unique password? (✓) | 2FA? (TOTP/key) | Recovery contact | What I will improve within 72 h (2 steps) |
|---|---|---|---|---|
| Primary email | __ | __ | __ | __ |
| Banking/payment app | __ | __ | __ | __ |
| Social media | __ | __ | __ | __ |
CY3 – Marketplace & payments
- Selling: link to “receive funds”, request for card/BLIK, request to log in.
- Buying: request for prepayment outside the platform, link to “carrier/courier”, “too cheap” offer.
- STOP checklist: (1) Payments only via the platform’s built‑in mechanism; (2) I don’t provide card details/BLIK; (3) I don’t click links from chat; (4) Screenshots of the conversation.
CY4 – Passwords, 2FA, passkeys (checklist)
- Passphrase ≥14 characters; unique for each service
- Password manager
- 2FA app/key; backup codes
- Phone number not public in profile
- Passkeys for primary accounts
CY5 – Personal data: minimization + safe use of mObywatel/ePUAP (checklist)
- Data minimization; no scans of documents in listings/messages
- Use mObywatel to confirm identity with authorized entities; keep certificates up to date
- login.gov.pl/ePUAP only via manually typed URL
- Privacy of photos/children/location on social media
CY6 – 5‑15‑60 response
- 5 min: disconnect the internet, don’t provide more data, take a screenshot.
- 15 min: change password, enable/change 2FA, call the bank / block the card.
- 60 min: report the incident (form), report to bank/police (if losses), secure evidence.
- My contacts: bank hotline: …; operator: …; NGO/university: …; other: …
CY7 – 72‑hour plan
- Step 1 (within 24 h): …
- Step 2 (within 48 h): …
- Step 3 (within 72 h): …
CY‑R rubric (0–2 points per criterion, max 10)
| Criterion | 0 pts | 1 pt | 2 pts | Score (0–2) |
|---|---|---|---|---|
| Red‑flag recognition (M1) | Identifies 0–2 | Identifies 3–5 | Identifies ≥6 | __ |
| Account plan + 2FA (M2) | No plan | Plan for 1–2 accounts | Plan for 3 accounts + 2FA | __ |
| Marketplace – STOP decisions (M3) | No STOP moments | 1 STOP moment | ≥2 STOP moments + alternatives | __ |
| Data minimization (M4) | Shares too much data | Partially limits | Clearly chooses “necessary only” | __ |
| 5‑15‑60 response + contacts (M5) | No steps | 1–2 steps | Full sequence + contacts | __ |
Interpretation: 0–3 beginner; 4–7 solid; 8–10 ready to implement.