Better yet, email the .exe to the entire class.
Are you insane?!? Absolutely DO NOT DO THIS!!
The gap between my suggestion and what those researchers did is pretty wide. My idea:
o Doesn't involve bilking people out of their private credentials;
o Would be limited to a class studying malicious software (how's that for an appropriate context);
o Involves a known-harmless teaching payload;
o Would be fully understood and removed by students at the end of the class.
Actually, it's not as wide as you think. The researchers did not collect any of the personal data. They simply provided a message that this could have been a scam. So the "payload" there was also harmless. The outrage wasn't about any stolen data. The outrage was completely about the deception. Even after the administration placated fears that the students had about identity theft, the uproar continued. Also, the class isn't focused on malicious software. That's just the topic of this lesson. The class is a 101 introduction to computing. If this were a more advanced class...maybe...given the circumstances. But this is absolutely not the right audience for this kind of lesson.
As for the harmless payload, how does the student know that? All the student sees is that they clicked on something and the teacher infected their computer. Sure, during the lesson, you point out how to delete the file. But how does the student know that was the only file you installed? You could have embedded a keylogging rootkit within that virus for all they know. By falling for your trick, they lose a little bit of trust in you. As a result, some of them (especially those who are not doing well and think it's because you "have it out for them") will remain suspicious and think that you've planted something nefarious on their computer. Without that trust, you can't convince them otherwise.
As for the lesson being "fully understood [...] at the end of the class," that's just wishful thinking. After all these years, everyone now knows not to click on email attachments, right? Apparently not. I remember reading some commentary once (I think it was Adam Shostack) that pointed out that user education doesn't work. Many, many people who have undergone security training get phished, install viruses, etc. Why is phishing still a problem? Because it works. Social engineering is effective. All you have to do is surround that link with some text about getting rich fast, seeing celebrity X naked, losing 50 pounds in a week, etc., and you will get some hits. Even from people who have been trained to know better.
Most likely, some of these students will (in the short term) not click on anything they get via email, even if it's legitimate. After a while, though, the lesson will fade, they'll become complacent, start clicking on things...and we're back at square one. Many of the students will still click on attachments, thinking they're safe. After all, this attachment isn't called "CS101-Example.exe" so it must be safe, right? "What do you mean I got a virus? All I did was open this .doc file. It wasn't a .exe!"
Deception is inherently disrespectful, even if it is done with good intentions.
What may seem like a "harmless infection" to you demeans the students, because you're encouraging the instructor to abuse the trust that their students have placed in them. In short, what you are proposing causes harm to the teaching profession.
I have a hard time understanding why any real teacher in this fellow's position would abstain from imparting one of the most critical lessons a student can learn about security: that they themselves are the weakest link, no matter how smart and prepared they think they are, and no matter how much theory they can regurgitate at paper time.
The burned hand teaches best, and understanding how and why you were burned is priceless.
I don't know what your profession is, but I'm willing to bet it's not teaching. Or at least I hope not. Yes, the "burned hand" technique can be very effective, provided that the student "understand[s] how and why you were burned." But you're automatically assuming that every student will understand what happened. See above, regarding user education. You're also assuming that every student that clicked on that virus will actually attend the lecture where you teach them what happened.
The bigger problem with the "burned hand" is that it also undermines the relationship of trust between the instructor and students. Yes, most of the students will learn the lesson (temporarily anyways). The problem is that not all students will feel that way. It turns out that people don't like being made fools of, even if it is part of learning a lesson. And some students will react harshly. Very harshly. I'm not saying the teacher would get fired. But there will almost certainly be a student that will shut down as a result of this lesson. You've completely undermined their confidence because they feel stupid.
The benefit of this lesson is marginal at best, yet the cost is almost certainly that you would cause irreparable damage in the confidence and/or trust of some of the students. Any "real teacher" will tell you that the benefit in this case comes nowhere near outweighing the cost.
It's disrespectful, and even a little condescending, to 'protect' students from real lessons. Are we preparing them for the real world or not?
Did I say anything about protecting them from the real world? In the classroom, you can talk all you want about how evil and vicious the world is. You can run through some illustrations. Have at it. But deception, even though it can be effective, is not a good teaching technique.
And are students so fragile that they would run to the Dean's office to complain about the teacher after such a simple and well-explained exercise?
Thanks for the laugh. Yes, Millennials are notorious for self-esteem issues, and many of them have very fragile egos. They may not necessarily run to the Dean's office, but, yes, something as simple as accidentally falling for installing a harmless "virus" will have a devastating effect on some. And you never know. Some of them may tell their parents who happen to be wealthy and influential donors of the university. I can't find the story now, but recently, a judge (I think? maybe an AG?) got reprimanded because he used official letterhead to threaten his son's professor because the professor said he had high standards for performance in the class.