CompTIA Security+social-engineering-attacks

Social Engineering Attacks

How attackers manipulate people, and the psychological principles that make it work.

Social engineering attacks bypass firewalls and encryption by targeting the one component you cannot patch: the human being. Instead of breaking the technology, the attacker convinces a person to hand over credentials, click a link, or grant access. For the Security+ (SY0-701) exam you must recognize each attack by its delivery channel and target, and name the psychological principle of influence being exploited.

Core Idea

  • Social engineering exploits people, not code — the goal is to manipulate a victim into an action (clicking, paying, disclosing, or granting physical access) rather than to break a system directly.
  • Attacks are classified by channel and target — email (phishing), voice (vishing), SMS (smishing), and physical presence (tailgating, dumpster diving) each have distinct names the exam expects you to distinguish.
  • Every attack rides a principle of influence — authority, urgency, scarcity, social proof, intimidation, familiarity/likability, and trust are the levers that make manipulation work.

Phishing and Its Variants

Phishing is a broad, untargeted email attack that lures victims to fake sites or malicious attachments. The variants differ by target and channel:

  • Spear phishing – targeted at a specific individual or group using personalized details.
  • Whaling – spear phishing aimed at a "big fish" such as a CEO or CFO.
  • Smishing – phishing delivered by SMS text message.
  • Vishing – phishing over voice/phone calls, often spoofing caller ID.
  • Business email compromise (BEC) – an attacker spoofs or hijacks a trusted executive or vendor email account to authorize fraudulent wire transfers or invoice payments. BEC is high-dollar and relies heavily on authority and urgency.

Redirection and Web-Based Lures

  • Pharming – redirects a victim from a legitimate URL to a fraudulent site by poisoning DNS or a hosts file; the user types the correct address but lands on the fake one.
  • Typosquatting (URL hijacking) – registering misspelled domains (e.g., gooogle.com) to catch users who mistype.
  • Watering hole – the attacker compromises a legitimate website the target group is known to visit, infecting them indirectly rather than attacking them head-on.
  • Pretexting – inventing a believable scenario or backstory (the "pretext") to justify a request, such as posing as IT support needing to "verify" a password.

Physical and In-Person Techniques

  • Impersonation – pretending to be someone with a legitimate reason for access (a repair technician, auditor, or new hire).
  • Tailgating – following an authorized person through a secure door without their knowledge or consent.
  • Piggybacking – the same physical entry, but the authorized person knowingly holds the door open (consent is the distinction from tailgating).
  • Dumpster diving – recovering sensitive documents or media from the trash; defended with shredding and clean-desk policies.
  • Shoulder surfing – observing a screen, keypad, or keyboard to steal credentials or PINs; countered with privacy screens and awareness.
  • Baiting – leaving malware-loaded media (like a USB drive) where a curious victim will find and use it.

Principles of Influence

Attackers weaponize predictable human triggers:

  • Authority – posing as a boss, police officer, or IT admin.
  • Urgency – "act now or the account closes" pressures fast, careless action.
  • Scarcity – "only 2 left" or "offer expires in 10 minutes."
  • Social proof – "everyone on your team already did this."
  • Intimidation – threats of penalties, fines, or job loss.
  • Familiarity/likability – building rapport so the victim wants to help.
  • Trust – impersonating a known brand or trusted colleague.

Misinformation and disinformation campaigns and brand impersonation extend these principles to influence opinion or lend false legitimacy. User awareness training is the primary defense across all of these — trained users spot the emotional pressure and verify before acting.

High-Yield Exam Patterns

  • Match the channel to the term: phone = vishing, text = smishing, email = phishing.
  • A CEO targeted specifically = whaling; a fraudulent wire-transfer email from a spoofed executive = BEC.
  • The tailgating vs. piggybacking distinction is consent: piggybacking means the authorized person knowingly lets you in.
  • Pharming redirects despite a correct URL (DNS-based); typosquatting relies on a mistyped URL.
  • Watering hole compromises a third-party site the target frequents, not the target directly.
  • When a stem describes emotional pressure ("immediately," "or else," "your boss demands"), name the principle of influence (usually urgency or authority).

Common Traps to Avoid

  • Confusing whaling (targeting executives) with spear phishing (any specific target) — whaling is a subset aimed at high-value individuals.
  • Assuming any physical entry is "tailgating" — check whether consent was given (that makes it piggybacking).
  • Mixing up pharming and phishing: pharming redirects a correctly typed address; phishing lures via a malicious link or message.
  • Calling every USB attack "phishing" — leaving infected media to be found is baiting.
  • Overlooking that user awareness training, not a technical control, is the best defense against social engineering.

Flashcards

Card 1 of 14

1/14

Keyboard: Space/Enter to flip • Arrow keys to navigate

Ready to Test Your Knowledge?

This quiz has 8 questions and each one has 4 options.

Quiz Details

8 Questions

Multiple choice with instant self-check

Final Review

See correct answers and explanations at the end

Build your own lesson in minutes.

Upload a source document and turn it into flashcards, quizzes, and a study-ready lesson bank.