Teaching online safety: Tackling the risks pupils actually face
Online safety as a topic in UK schools has aged unevenly. The PSHE lesson template that took shape in the mid-2010s, the stranger-danger video, the printed acronym poster, the warning about giving out your real name in a chatroom, was already drifting out of date by the time most current Year 10s started primary school.
The pupils in front of you in 2026 are not facing the 2014 internet. They are facing AI-generated images of themselves shared in group chats. They are being targeted by sextortion accounts working through Snapchat and Instagram with a script and a script writer. They are watching short-form video for several hours a day. They are getting nudged towards financial products and gambling-adjacent games that did not exist a few years ago.
This guide is an attempt at a curriculum that takes the current risk landscape seriously, leans on Keeping Children Safe in Education and the UK Council for Internet Safety's resources, and avoids the patronising tone pupils tune out within thirty seconds. It is aimed at PSHE leads, DSLs, form tutors, and subject teachers.
Why the old framing has stopped working
The standard online safety lesson of a decade ago tended to centre on two ideas. First, that the risk came from strangers. Second, that the solution was to limit what pupils shared. Both ideas are still partly true. Neither is sufficient.
The risk is not predominantly from anonymous strangers anymore. The Ofsted review of sexual abuse in schools and colleges (2021) made clear that for many forms of harm, the perpetrators are most often peers. Strangers are part of the picture, particularly in sextortion cases, but the broader landscape is more complicated than a stranger-danger model allows.
The "share less" frame is also incomplete. A more useful curriculum helps pupils think about what they share, where, with whom, and for what reason, rather than treating any sharing as inherently risky.
Children aged 3 to 17
79%
have their own profile on social media, messaging, video or livestreaming services, according to Ofcom's 2024 Children and Parents Media Use and Attitudes report. The same report shows that short-form video platforms now account for a substantial share of young people's media diet, which has implications for what online safety teaching needs to cover.
The risks pupils actually face in 2026
A credible curriculum starts from the risks as they actually look. The list below draws on NCA threat assessments, IWF reports, and the UKCIS framework.
Sextortion and image-based abuse
Pupils, particularly boys, are being targeted by organised accounts that build rapid online relationships, request an intimate image, then threaten to share it unless money is paid. The NCA has issued multiple alerts to schools on this since 2024. Pupils need to know the pattern, that perpetrators rely on shame to keep them silent, and that telling an adult is the right response even after an image has been sent.
Misinformation and algorithmic radicalisation
Short-form video and recommendation algorithms surface emotionally engaging content that may or may not be accurate. Pupils can find themselves deep in conspiratorial or extremist content within weeks. The teaching skill is not "do not trust the internet" but how to read sources, check claims, and notice when their own feed is being shaped.
AI-generated and deepfake content
Generative AI now makes it trivially easy to produce images, audio, and video of real people doing things they never did. Schools are increasingly seeing AI-generated images of pupils circulated in peer groups. Pupils need to know how to recognise the signals of AI-generated content, what the legal and pastoral consequences are of creating or sharing such content, and what to do if they are the target.
Financial scams targeted at teens
Money muling, fake job offers, scam crypto and trading schemes promoted by influencers, gambling-adjacent games, fraudulent ticket sales. The financial risks teenagers face online have multiplied. Cifas figures show a sharp rise in young people being recruited into money mule activity (around 65 per cent of money mules are under 30, with more than 22,000 money-muling cases logged to the National Fraud Database in 2025), sometimes without realising it is a crime.
Peer-on-peer harm
Image-sharing in group chats, coordinated bullying, exclusion, and reputational attacks. Most online harm pupils experience comes from people they know. The Ofsted 2021 review framed this as endemic. Teaching that ignores it will not feel real to pupils.
Mental health and the attention economy
Algorithmically driven platforms are designed to hold attention, with measurable effects on sleep, mood, and focus. The teaching is less about danger and more about agency: How to notice the effect a platform is having on you, and how to use these tools as tools rather than habits.
Naming risks precisely matters. Vague warnings about "the dangers of the internet" tend to slide off pupils, because the framing does not match their experience. Pupils can name sextortion, describe how feeds are curated, and have usually seen AI-generated content. Teaching that takes that knowledge as a starting point lands more credibly.
What KCSIE and UKCIS expect from schools
Two documents do most of the policy work in this space. Keeping Children Safe in Education (KCSIE), which is updated annually, is the statutory safeguarding guidance for schools and colleges in England. The UK Council for Internet Safety's Education for a Connected World framework gives the curriculum-side guidance.
KCSIE Part 2 sets out the four categories of online risk schools must address: Content, contact, conduct, and commerce. Content covers what pupils encounter, such as pornography, extremist material, or misinformation. Contact covers harmful interactions, such as grooming or peer abuse. Conduct covers pupils' own online behaviour, such as bullying or sharing intimate images. Commerce, added more recently, covers financial harms, including scams and gambling.
A school's online safety provision is expected to cover all four. In practice that usually means a combination of PSHE curriculum content, embedded references across other subjects, filtering and monitoring on the school network, and clear safeguarding routes when concerns are raised. KCSIE also expects every member of staff to understand the school's online safety policy, not just the designated safeguarding lead.
The Education for a Connected World framework breaks digital citizenship into strands such as self-image and identity, online relationships, online bullying, managing online information, health and wellbeing, and privacy and security. Building a PSHE curriculum that maps to those strands tends to satisfy both inspection and good-practice expectations.
Designing a credible online safety curriculum
A useful curriculum has three features. It names current risks precisely. It teaches transferable skills, not just rules. And it builds the conditions for pupils to disclose to a trusted adult when something goes wrong. The third may be the most important and is often the one that gets the least attention.
Name the risks. Use the actual terms. Sextortion, deepfake, money mule, recommendation algorithm. Pupils respect a curriculum that uses their language. They quietly disengage from one that does not.
Teach transferable skills. Pupils will encounter platforms and risks that did not exist when their PSHE scheme was written. The durable skills are critical reading of sources, awareness of how attention is being shaped, understanding of consent in digital contexts, and recognising the patterns of manipulation.
Build trust for disclosure. Most pupils who are targeted online do not report it, often because they are ashamed or worried about parental reaction. One of the most important messages is that the school will respond proportionately, will not blame the pupil, and will involve them in the decisions about what happens next. Pupils who believe their school will support them tell someone earlier.
If a pupil discloses image-based abuse or any indication of being targeted in a sextortion attempt, the immediate response is to follow the school's safeguarding procedure and to make sure the pupil knows they are not in trouble. The NCA's CEOP website and the Internet Watch Foundation's Report Remove service are the routes to escalate. Do not promise confidentiality you cannot keep, but do reassure the pupil that the response will be proportionate and supportive.
How the curriculum sits across PSHE, computing, and form time
Online safety is not a one-subject topic. Each part of the curriculum tends to carry a different element well.
PSHE is the natural home for content on relationships, consent, image-sharing, and emotional wellbeing. The DfE statutory RSE and Health Education guidance (2019) places online safety squarely within this. PSHE leads usually own the spiral curriculum that revisits these themes in each year group.
Computing carries the technical layer well. How algorithms work. What metadata is. How to spot a phishing email or a fake URL. Computing teachers are often best placed to teach the mechanics that make the risks make sense.
Form time is where the topical layer lives. When a sextortion case is in the local news, when a deepfake is circulating in the school, when a new platform suddenly appears in pupils' lives, form time is where the response happens. Building a regular short slot of ten to fifteen minutes a week tends to keep the curriculum responsive in a way a fixed scheme of work cannot.
A rough Key Stage 3 to 5 progression
The Education for a Connected World framework has detailed age-by-age outcomes, but a coarser progression can help when designing a school curriculum from scratch.
| Year group | Core themes | Example topics |
|---|---|---|
| Year 7 | Identity, basic digital hygiene, healthy habits | Privacy settings, passwords and two-factor authentication, time online, recognising peer pressure in group chats, who you talk to online and why. |
| Year 8 | Consent, image-sharing, online reputation | What consent means in a digital context, the law on intimate images, the permanence of online content, peer-on-peer harm in group chats. |
| Year 9 | Misinformation, algorithms, critical reading | How algorithms shape feeds, identifying misinformation and bias, recognising deepfakes and AI-generated content, the attention economy. |
| Year 10 | Sextortion, exploitation, mental health | Recognising sextortion patterns, online sexual harassment, links between social media and mental health, the role of consent in online relationships. |
| Year 11 | Financial safety, exam pressure, longer-term identity | Scams targeted at young adults, money muling and the law, gambling and gambling-adjacent games, managing online presence for future employment and university. |
| Sixth form | Adult digital citizenship, ethics, AI literacy | AI in academic and professional contexts, ethics of generative AI, deepfakes and the law, digital activism and online speech, financial literacy in adult life. |
Avoiding the tone that pupils tune out
One of the most important factors in whether an online safety lesson lands is the tone. Pupils have heard the cautionary lecture many times. Most tune out within a few minutes when the framing feels patronising or out of touch.
A few principles tend to help. Take pupils' expertise seriously. They use these platforms more than you do, and treating them as the expert on the experience of the platform, while you bring the safeguarding and legal framing, opens a more productive conversation. Be specific. "Be careful online" lands nowhere. "Here is the pattern a sextortion account uses, and here is exactly what to do if it happens" lands somewhere. Avoid moral panic. Each generation has its online panic, and the actual research is usually more nuanced than the headlines.
Where possible, build in pupil voice. A school council strand on online safety, a Year 9 group designing a Year 7 induction session. The teaching becomes more credible when pupils see themselves in the design of it.
A short planning checklist
If you are reviewing your school's online safety curriculum or building a new one, this checklist covers the main things worth getting right. It is not exhaustive; the KCSIE and UKCIS documents go into more detail.
Online safety curriculum checklist
Use this when reviewing or building the online safety provision across PSHE, computing, and form time.
- Map the curriculum to the four KCSIE risk categories: Content, contact, conduct, and commerce
- Cover current risks by name, including sextortion, deepfakes, money muling, and algorithmic radicalisation
- Coordinate with computing for technical literacy and PSHE for relationships and wellbeing
- Build in a regular form-time slot for responding to topical incidents and emerging risks
- Use UKCIS Education for a Connected World as the curriculum-mapping spine
- Make sure pupils know exactly how to report concerns, including external routes like CEOP and Report Remove
- Train all staff, not just safeguarding leads, on the school's online safety policy and disclosure routes
- Involve pupils in curriculum design through pupil voice, school council, and peer-led sessions
- Review the scheme of learning at least annually as platforms and risks change
- Audit lesson tone, removing patronising or moral-panic framing where it has crept in
