It started with a text message. My daughter, who was 12 at the time, got a message that looked like it came from her school portal asking her to log in and confirm her schedule. She clicked, typed in her credentials, and moved on. I only found out three days later when her account started sending spam to her classmates.
The problem was not her carelessness
She did exactly what most adults would do. The page looked real. The URL had the school name in it. There was a logo. Nothing screamed danger. The issue was that neither of us had ever talked about what phishing actually looks like in practice, not in theory, but in the kind of message a real kid receives on a Tuesday afternoon.
What we changed after the incident
We spent one evening going through her inbox together, looking at real emails and asking out loud: who sent this, does the link match the sender, why would they need this information right now. No lecture, just a conversation over her actual messages. She started catching suspicious patterns within 20 minutes.
We also enabled two-factor authentication on every account she uses, which meant that even with her password stolen, the attacker could not get in. The school was notified and reset her credentials.
What changed over the next few months
She now pauses before clicking anything that asks for a login. Not because she is afraid, but because she knows what to look for. That shift came from one real situation, not from a worksheet about internet safety.