⚡ What is Social Engineering?
Social engineering is the use of psychological manipulation to trick people into divulging confidential information or performing actions that compromise security. Rather than exploiting software vulnerabilities, social engineers exploit human vulnerabilities — trust, fear, urgency, authority, and helpfulness. It is the most common initial attack vector in data breaches and the most heavily tested topic on the Security+ exam.

Why Social Engineering Works — The Psychology

Social engineering succeeds because it exploits normal human behaviour rather than technical flaws. Understanding the psychological principles attackers use is tested directly on Security+:

Authority
How attackers use it: Impersonating someone with power (CEO, IT admin, auditor, law enforcement).
Example: "This is the IT help desk. Your account will be locked in 10 minutes unless you verify your password."
Urgency / Scarcity
How attackers use it: Creating time pressure so the target doesn't stop to think critically.
Example: "Your account will be suspended in 30 minutes — click here immediately to prevent this."
Social Proof
How attackers use it: Implying others have already complied, so that refusal seems abnormal.
Example: "All other department heads have already submitted their credentials for the security audit."
Liking / Familiarity
How attackers use it: Building rapport before making a request, or impersonating a trusted contact.
Example: The attacker studies LinkedIn, then impersonates a known colleague in an email.
Reciprocity
How attackers use it: Doing something for the target first so they feel obligated to return the favour.
Example: Leaving a USB drive labelled "Employee Bonuses Q1"; curiosity and the sense of having received a gift drive the target to plug it in.
Intimidation
How attackers use it: Threatening negative consequences for non-compliance.
Example: "If you don't provide access immediately, I'll have to report this to your manager."
Consensus
How attackers use it: Using peer pressure by implying the group has already agreed.
Example: "Your colleagues in Finance have already set this up — I just need your credentials to complete the rollout."

Phishing Attack Family

Email-based attack
Phishing
Mass-distributed fraudulent emails impersonating a legitimate organisation (bank, Microsoft, IT department, shipping company) to steal credentials, deliver malware, or redirect to a fake login page. Cast wide — sent to thousands or millions of recipients at once.
Example: "Your Microsoft 365 account will expire. Click here to verify your credentials." The link goes to a cloned Microsoft login page that harvests the entered username and password.
Defences: Email filtering, anti-spoofing (SPF, DKIM, DMARC), user awareness training, MFA (credentials stolen alone aren't enough), URL inspection tools.
Targeted email attack
Spear Phishing
A targeted phishing attack against a specific individual or organisation. The attacker researches the target — their role, colleagues, projects, tools — and crafts a highly personalised email that appears completely legitimate. Much higher success rate than generic phishing.
Example: An attacker finds a CFO's name on LinkedIn, sees they use DocuSign for contracts, and sends: "Hi [CFO name], please review and sign the attached contract from [known vendor name]." The attachment contains a macro that installs a RAT.
Defences: Limit public information on LinkedIn/social media, out-of-band verification for financial or sensitive requests, email sandboxing, security awareness training for targeted roles.
Executive-targeted attack
Whaling
Spear phishing specifically targeting executives (CEO, CFO, CTO, board members). High-value targets because executives have broad system access, authority to approve wire transfers, and often bypass normal security procedures under the assumption that rules are for others.
Example: An email appearing to be from the company's law firm, addressed personally to the CEO, states that a regulatory filing requires an immediate wire transfer of $240,000 to a settlement account. The email is spoofed to show the law firm's address.
Defences: Wire transfer verification procedures (phone callback to known numbers), executive security training, finance policies requiring dual approval for large transfers, email impersonation protection.
SMS-based attack
Smishing (SMS Phishing)
Phishing delivered via text message (SMS). People tend to trust SMS more than email and are less likely to scrutinise links in texts. Attackers impersonate banks, delivery companies (FedEx, UPS), or government agencies.
Example: "USPS: Your package could not be delivered. Update your delivery address here: [short URL]" — the link leads to a fake USPS page that collects name, address, and credit card details.
Defences: Never click links in unsolicited texts; go directly to the official website instead. Mobile security awareness training. Report smishing texts to 7726 (SPAM).
Voice-based attack
Vishing (Voice Phishing)
Phishing conducted by phone call. Attackers impersonate IT support, bank fraud departments, government agencies (IRS, Social Security), or tech companies (Microsoft, Apple). Voice adds perceived legitimacy — it's harder to dismiss than email.
Example: "This is Microsoft Support. We've detected unusual activity on your computer. Please allow us remote access so we can secure your device." — the "tech" then installs ransomware or steals banking credentials.
Defences: Never allow unsolicited remote access. Legitimate organisations don't cold-call to request credentials. Hang up and call the organisation directly on their published number.
⚡ Phishing family exam tip

Phishing = mass, untargeted. Spear phishing = targeted at a specific person/org. Whaling = spear phishing specifically targeting executives. Smishing = SMS. Vishing = voice/phone. The exam will describe a scenario and ask you to identify the attack type; the key differentiators are the delivery channel (email/SMS/voice) and whether the attack is targeted or mass.

A common exam trap: "A CFO receives a personalised email asking for a wire transfer." The answer is whaling, not just spear phishing — the executive target is the defining characteristic.

Deception and Impersonation Attacks

Fabricated scenario attack
Pretexting
The attacker creates a fabricated scenario (a "pretext") to justify their request. They build an entire false identity — IT auditor, new employee needing help, HR representative conducting a survey — to extract information or access that would otherwise be denied.
Example: Attacker calls the help desk claiming to be a new employee who just started and can't log in. They provide enough plausible detail (manager's name found on LinkedIn, start date from a job posting) that the help desk resets the password without proper verification.
Defences: Strict identity verification procedures before any password reset or account change. Out-of-band verification (call back the person's manager). Never accept verbal-only identity confirmation for sensitive actions.
Physical access attack
Tailgating / Piggybacking
Tailgating: Following an authorised person through a secure door without their knowledge — typically walking closely behind them as they badge in. Piggybacking: The authorised person is aware and holds the door open (out of politeness or social engineering). Both result in physical access without authentication.
Example: Attacker dressed as a delivery driver carries a large box to a secure door, then says "Could you hold that? My hands are full." The employee obliges and the attacker enters a restricted area.
Defences: Security vestibules (mantraps), employee training to challenge unknown individuals, visitor management systems, security guards at entry points, never hold doors open for unknown individuals regardless of how awkward it feels.
Physical eavesdropping
Shoulder Surfing
Observing someone's screen or keyboard to steal passwords, PINs, or sensitive information. Can be done in person (looking over someone's shoulder in a coffee shop) or at a distance using binoculars, cameras, or smartphone cameras.
Example: An attacker sits behind a target on a train and watches them enter their banking credentials. Or a hidden camera above an ATM records PIN entries.
Defences: Privacy screens on laptops and phones, screen position awareness in public spaces, cover keypads when entering PINs, use of password managers that autofill (reducing visible typing), enforce clean desk policies.
Discarded data attack
Dumpster Diving
Searching through physical trash for sensitive information — printed documents, old hard drives, post-it notes with passwords, organisational charts, system diagrams, invoices, or anything that reveals useful information about the target.
Example: An attacker recovers a discarded printed email thread from a company's recycling bin that reveals internal server names, IP addresses, and a project timeline that helps them plan an attack.
Defences: Cross-cut shredders for all printed documents, secure hard drive destruction policy (not just deletion), clean desk policy, secure bin disposal contracts for organisations.
Physical media attack
Baiting
Leaving a malware-infected physical device (USB drive, CD, even a charging cable) in a location where a target is likely to find it and use it. Exploits human curiosity — most people who find a USB drive will plug it in to see what's on it.
Example: An attacker leaves several USB drives labelled "Salary Information 2026" in a company's parking lot. Curious employees find them and plug them into work computers — the drives auto-run a keylogger.
Defences: USB port restrictions via Group Policy, endpoint DLP (Data Loss Prevention), security awareness training, AutoRun disabled, physical security controls.
Fake website attack
Pharming
Redirecting users from a legitimate website to a malicious one without their knowledge. Done by poisoning the local hosts file, poisoning a resolver's DNS cache (DNS spoofing), or compromising a DNS server so that it returns malicious IP addresses for legitimate domain names.
Example: Attacker poisons a router's DNS cache so that requests for bank.com return the IP of a fake bank site. Users type the correct URL and get taken to the attacker's fake site instead.
Defences: DNSSEC (authenticates DNS responses), HTTPS verification and certificate pinning, security awareness (check for HTTPS and correct domain), secure DNS resolvers.
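The hosts-file variant of pharming can be audited locally. The Python check below is an added example, not part of the original article: it parses hosts-file syntax (comments, several hostnames per line, IPv4 and IPv6) from a constructed sample and flags protected brand domains pinned to a routable address, while ignoring loopback and 0.0.0.0 sinkholes, which block a name but cannot redirect a user. The sample file, the protected-domain list and every name and address in it are made up (reserved .example names and documentation IP ranges).

```python
import ipaddress

# Constructed sample hosts file for this example (not captured from a real system).
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost

192.0.2.10      intranet.corp.example        # legitimate internal override
198.51.100.66   www.bank.example bank.example  # brand domain pinned to an outside IP
0.0.0.0         ads.tracker.example            # sinkholing a domain is a common, benign use
"""

# Domains whose resolution should never be overridden locally (constructed list).
PROTECTED_DOMAINS = ["bank.example", "login.mailprovider.example"]


def parse_hosts(text):
    """Parse hosts-file syntax: 'IP name [name ...]', '#' starts a comment."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop inline and full-line comments
        fields = line.split()
        if len(fields) < 2:
            continue  # blank or malformed line, nothing resolvable
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first field is not an address
        entries.append((lineno, ip, [n.lower().rstrip(".") for n in fields[1:]]))
    return entries


def is_protected(name, protected):
    """True if name is a protected domain or a subdomain of one."""
    return any(name == p or name.endswith("." + p) for p in protected)


def find_pharming_entries(text, protected=PROTECTED_DOMAINS):
    """Return (lineno, hostname, ip) for protected domains pointed at a routable address."""
    findings = []
    for lineno, ip, names in parse_hosts(text):
        if ip.is_loopback or ip.is_unspecified:
            continue  # a sinkhole blocks the site; it cannot send the user elsewhere
        for name in names:
            if is_protected(name, protected):
                findings.append((lineno, name, str(ip)))
    return findings
```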

Influence and Elicitation Techniques

Security+ also tests elicitation — the art of extracting information through seemingly innocent conversation without the target realising they're being manipulated.

Elicitation
How it works: Extracting information through natural conversation: asking leading questions, making false statements to provoke corrections, or appealing to someone's pride in their work ("Your network must be incredibly complex to manage").
Impersonation
How it works: Assuming a false identity (vendor, auditor, new employee, contractor) to gain trust and access.
Watering Hole
How it works: Compromising a website frequently visited by the target demographic, then waiting for targets to visit and infecting their browsers. The attack comes to the target rather than the attacker approaching the target.
Typosquatting
How it works: Registering domain names that are common typos of legitimate sites (gooogle.com, arnazon.com) to capture misdirected traffic.
Hoax
How it works: Spreading false information (fake virus warnings, fake policy changes) to cause the target to take an action that harms security, such as disabling antivirus "to fix" a fake problem.
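Typosquatted domains can be caught before a user reaches them, for example when reviewing mail-gateway or proxy logs. The Python detector below is an added example (not from the original article): it compares a domain's second-level label with a list of protected brand names by edit distance, after normalising the visually confusable substitutions the table's own examples rely on (arnazon for amazon). The brand list, the confusable pairs and the distance threshold are assumptions, and the label extraction is deliberately naive (no public-suffix list).

```python
def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


# Substrings that look like another character in common fonts (assumed list).
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def normalise(label):
    """Replace confusable substrings so 'arnazon' and 'g00gle' compare as written."""
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label


def registrable_label(domain):
    """Second-level label: 'www.gooogle.com' -> 'gooogle' (naive, no public-suffix list)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_of(domain, brands, max_distance=2):
    """Return the brand this domain most likely imitates, or None.

    An exact brand match is the legitimate site and is never reported.
    Both the raw label and its confusable-normalised form are compared, so
    'arnazon' is caught at distance 0 even though its raw distance is 2.
    """
    label = registrable_label(domain)
    if label in brands:
        return None
    best = None
    for brand in brands:
        d = min(edit_distance(label, brand), edit_distance(normalise(label), brand))
        if d <= max_distance and (best is None or d < best[1]):
            best = (brand, d)
    return best[0] if best else None
```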

Defences Against Social Engineering

Organisational Defences

Security awareness training: Regular training is the single most effective defence — users who can recognise social engineering attempts are far less vulnerable. Include simulated phishing exercises.

Verification procedures: Any request for credentials, access, or financial transactions must go through a verification process — no exceptions for urgency or authority claims.

MFA everywhere: Even if credentials are stolen via phishing, MFA prevents account takeover. Authenticator apps are more resistant to real-time phishing than SMS OTPs.

Zero Trust mindset: Never trust, always verify — treat every request as potentially malicious regardless of how legitimate it appears.

Physical security: Security vestibules, visitor management, clean desk policies, and shredding all reduce physical attack surface.

Email controls: SPF, DKIM, DMARC reduce email spoofing. Email gateways filter known-malicious domains and attachments.
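To make the SPF/DMARC point concrete, here is an added Python example (not part of the original article) that evaluates a simplified SPF record against a connecting IP and reads the DMARC policy that applies when SPF does not pass. The records are constructed for a hypothetical domain; only the ip4, ip6 and all mechanisms are implemented (include, a and mx need DNS lookups), and DKIM and identifier alignment are not modelled, so it shows the decision logic rather than a complete receiver.

```python
import ipaddress

# Constructed DNS TXT records for a hypothetical domain (example.com is a reserved
# documentation name; both records are made up for this example).
SPF_RECORD = "v=spf1 ip4:203.0.113.0/24 ip6:2001:db8::/32 -all"
DMARC_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc@example.com; pct=100"

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def spf_check(record, sender_ip):
    """Evaluate a simplified SPF record against the connecting IP.

    Handles ip4/ip6 mechanisms and the 'all' terminator only; include, a and
    mx need DNS lookups and are skipped. Returns 'pass', 'fail', 'softfail',
    'neutral', or 'none' when the string is not an SPF record at all.
    """
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"
    ip = ipaddress.ip_address(sender_ip)
    for term in terms[1:]:
        qualifier = "+"  # an unprefixed mechanism means 'pass' on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        if mech.lower() == "all":
            return QUALIFIERS[qualifier]
        if mech.lower() in ("ip4", "ip6") and arg:
            # A v4 address is never 'in' a v6 network (and vice versa), so a
            # mixed-family mechanism simply fails to match.
            if ip in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier]
    return "neutral"  # record ended without 'all': no explicit result


def parse_dmarc(record):
    """Split a DMARC TXT record into its tag=value pairs."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def disposition(spf_record, dmarc_record, sender_ip):
    """Simplified receiver decision: SPF pass delivers, else DMARC 'p' decides (no DKIM)."""
    if spf_check(spf_record, sender_ip) == "pass":
        return "deliver"
    return parse_dmarc(dmarc_record).get("p", "none").lower()
```

With p=reject, a spoofed message from an unlisted address is rejected outright; a domain still on p=none would see the same message delivered, which is why publishing SPF without an enforcing DMARC policy leaves spoofing open.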


Exam Scenarios

💬 "An attacker sends thousands of identical emails claiming to be from a bank, asking recipients to verify their account details. What type of attack is this?" → Phishing — mass, untargeted email attack impersonating a legitimate organisation.
💬 "An attacker researches a target company's CFO on LinkedIn, learns their assistant's name, and sends a personalised email asking for an urgent wire transfer. What type of attack is this?" → Whaling — targeted spear phishing attack against an executive.
💬 "An employee receives a text message saying their bank account has been locked and to click a link to restore access. What type of attack is this?" → Smishing — phishing delivered via SMS.
💬 "A caller impersonates the IT help desk and asks an employee for their password to fix a system problem. What two attack types does this combine?" → Vishing (voice phishing) and pretexting (fabricated IT support scenario).
💬 "USB drives labelled 'Confidential — Q4 Layoffs' are left in the company car park. Employees plug them in and their workstations are compromised. What type of attack is this?" → Baiting — uses physical media and human curiosity to deliver malware.
💬 "An attacker walks closely behind an employee as they badge through a secure door and enters the building without scanning their own badge. What is this called?" → Tailgating — physical access gained by following an authorised person without their awareness.
💬 "Which technical defence prevents email domain spoofing by allowing domain owners to specify authorised mail servers?" → SPF (Sender Policy Framework) — combined with DKIM and DMARC for comprehensive anti-spoofing.
💬 "An attacker compromises a website frequented by security researchers to deliver malware to visiting researchers. What type of attack is this?" → Watering hole attack — the attacker poisons a site the targets are expected to visit.
💬 "A user types the correct bank URL but is redirected to a fake site because an attacker has poisoned the DNS cache. What type of attack is this?" → Pharming / DNS poisoning — redirects users without changing the URL they type.
💬 "Which principle of social engineering is an attacker using when they say 'Your manager has already approved this — I just need your credentials to complete the process'?" → Authority combined with social proof — claiming both senior approval and that others have already complied.
