France deliberately “scammed” 2.5 million students to teach cybersecurity

In March 2025, the French Ministry of Education launched a massive educational cyber campaign called “Operation Cactus,” sending fake phishing emails to 2.5 million students. More than 210,000 teenagers clicked on the link, but instead of viruses, they saw an educational video about online risks and digital responsibility.

The campaign was intended to show students how easy it is to fall into the trap of criminals. The email looked like a classic phishing scam — it allegedly offered pirated games and cheats that could be downloaded via a link. As a result, more than 200,000 teenagers “clicked” — and ended up on an educational page with a video.

• The campaign was initially tested in the Orléans-Tours and Versailles regions in 2024. It has now become national, covering 4,700 schools across the country. The campaign was supported by the CNIL, the national privacy commission, which emphasized that educating young people protects them not only from scammers, but also from their own wrongdoings.

In addition to the phishing email, teachers were provided with a methodological cyber case — a set of materials for discussing the topic in the classroom: how hackers work, why you should be careful online, and how to behave in the event of an incident.

“Operation Cactus” is an example of innovative digital education, where instead of a boring lecture, there is an experience that leaves an emotional mark. This is not just a campaign, but a signal for other countries: vulnerability prevention should start not with the malware, but with consciousness.