✨ Just launched · Cyber Ved Little Sparks for ages 3–5 →
Cyber Ved KidsCyber Ved Kids
← All posts

How to Explain Phishing to a 6-Year-Old (in Words That Actually Stick)

·online safety · phishing · ages 5-7

By the time a child is six, they've almost certainly seen a phishing attempt — they just didn't have a word for it. A pop-up offering free Robux. A message that looks like it's from a friend asking for their password. A video saying "click here to claim your prize". Phishing is no longer a workplace problem. It's a primary-school problem.

The good news: six-year-olds are brilliant at spotting tricks if you explain it the right way. Here's how.

Don't use the word "phishing" first

It's a weird word. It sounds like fishing. It doesn't mean anything to a child. Start with the idea, then introduce the word later.

Try this opener: "Some people on the internet pretend to be someone they're not, so you'll give them something — like your password, or your mum's bank card number. That trick has a name. It's called phishing, because they're throwing out bait, like fishing, and hoping someone bites."

Now they have a picture. A person, a hook, bait. That image will stay with them.

The three questions every child should learn to ask

When a message, pop-up, or video asks them to do something, teach them to run through three questions:

  • Who is this really from? (Not who does it say it's from)
  • Why do they want me to do this now?
  • What would happen if I just… didn't?

Most phishing falls apart at question two. Real friends don't urgently demand your password. Real games don't lock your account in 60 seconds. Real prizes don't need you to type your mum's card number.

The four clues that something is phishy

Give your child a checklist. Keep it short — four is the maximum a six-year-old will remember:

  • It's in a rush ("act now", "last chance", "your account will close")
  • It promises something free (Robux, V-Bucks, skins, prizes)
  • It asks for a secret (password, code, parent's card)
  • It feels a bit weird (your friend wouldn't say it that way)

Any one of these = stop. Two or more = definitely phishing.

Practise with pretend examples

Children learn safety by rehearsing, not by being warned. Try this at the dinner table:

"Pretend you get a message that says: 'Hi! I'm from Roblox. You won 10,000 Robux! Type your password here to claim them before the timer runs out!' What clues do you see?"

Most children will spot the rush, the free prize, and the password request without prompting. That's the moment the lesson lands — they figured it out themselves.

The golden rule, in their words

Reduce the whole topic to one sentence they can remember forever:

If someone is rushing me, they're probably tricking me. I stop and tell a grown-up.

That one sentence will defend against 90% of the phishing a primary-aged child will ever encounter.

Make it a story, not a lecture

Our book The Phishy Prankster (ages 5–7) does exactly this — it turns phishing into a character a child can recognise. When a real phishing message lands in their inbox three months later, they don't think "oh no, a malicious actor". They think "oh, that's the Phishy Prankster". And they stop.

That's the goal: not knowledge, but recognition. A child who's met the trick in a story spots it instantly in real life.

Recent posts
25 May 2026

How to Teach Your Child About Online Safety (Without the Fear)

19 May 2026

What Is E-Safety in KS1? A Plain-English Guide for Parents and Teachers

28 April 2026

From Prodigy to 'Everything Is Fake': How We Got Here (and What the UK Online Safety Act Means for Families)