Phishing and Social Engineering: How Attackers Target Humans

Social engineering exploits human psychology rather than technical vulnerabilities. Phishing is the most common social engineering attack, but there are many variants you need to know for the Security+ exam.

What is Social Engineering?

Social engineering is the art of manipulating people into divulging confidential information or performing actions that compromise security. It exploits human tendencies like trust, fear, urgency, and helpfulness rather than technical vulnerabilities.

The social engineering attack cycle: (1) Information gathering — the attacker researches the target, (2) Relationship building — establishing trust with the victim, (3) Exploitation — manipulating the victim to reveal information or take action, (4) Execution — using the obtained information for malicious purposes.

  • Exploits human psychology, not technical flaws
  • Attackers use urgency, fear, authority, and trust to manipulate victims
  • Most common attack vector in modern organizations
  • Security awareness training is the primary defense

Phishing and Its Variants

Phishing is a social engineering attack where attackers send fraudulent communications (usually email) that appear to come from a trusted source. The goal is to steal sensitive data like login credentials, credit card numbers, or to install malware.

Important variants for the Security+ exam:

Spear Phishing — targeted phishing aimed at a specific individual or organization. The attacker gathers personal information about the victim to craft convincing messages.

Whaling — phishing targeting high-profile individuals like executives or CEOs. The messages often appear as legal or business-critical communications.

Vishing (Voice Phishing) — phishing conducted over phone calls. Attackers may spoof caller ID to appear as a bank or IT support.

Smishing (SMS Phishing) — phishing via text messages. Often contains links to malicious websites or prompts to call a number.

  • Phishing: mass emails pretending to be legitimate organizations
  • Spear Phishing: personalized attacks using victim-specific information
  • Whaling: targets executives with business-related lures
  • Vishing: voice calls spoofing trusted organizations
  • Smishing: SMS messages with malicious links or phone numbers

Other Social Engineering Techniques

Pretexting — the attacker creates a fabricated scenario (pretext) to obtain information. For example, pretending to be an IT auditor requesting network access credentials.

Tailgating (Piggybacking) — an unauthorized person follows an authorized person into a restricted area. Mitigated by mantraps (access control vestibules) and security awareness.

Shoulder Surfing — directly observing someone entering credentials or viewing sensitive information. Mitigated by privacy screens and awareness.

Dumpster Diving — searching through trash for documents, passwords, or information. Mitigated by shredding and secure disposal.

Watering Hole — compromising a website that the target group frequently visits. The attacker infects the site to compromise visitors.

Baiting — offering something enticing (like a free USB drive) that contains malware.

  • Pretexting: fabricating a scenario to extract information
  • Tailgating: following an authorized person into a restricted area
  • Shoulder Surfing: observing credentials over someone's shoulder
  • Dumpster Diving: extracting information from improperly disposed materials
  • Watering Hole: compromising sites that targets frequently visit
  • Baiting: using physical media or offers containing malware

Preventing Social Engineering Attacks

The primary defense against social engineering is user education and security awareness training. Users should be trained to recognize phishing indicators: poor grammar, urgent requests, unexpected attachments, mismatched URLs, and requests for sensitive information.

Technical controls include email filtering (spam and phishing detection), email authentication (SPF, DKIM, and DMARC, which let a receiving server reject mail that falsely claims to come from your domain), web filters (blocking known malicious sites), multi-factor authentication (MFA limits the value of a stolen password, since the attacker still lacks the second factor), and USB device controls.

  • Security awareness training is the most critical defense
  • Email authentication (DMARC, DKIM, SPF) blocks spoofing of your own domain, though not lookalike domains
  • MFA limits the damage when a password is stolen through phishing
  • Report phishing to security teams — don't delete or engage
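A small triage check for the indicators named above (an urgent subject line, SPF/DKIM/DMARC verdicts other than pass in the receiving server's Authentication-Results header, and a link whose visible text shows a different host than its href), written as an added example that is not part of the original page. The sample message, domains, and indicator names are constructed for illustration.

```python
import re
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample (not a real message): the visible link text shows the bank's host
# while the href points elsewhere, and the receiving server recorded SPF/DKIM/DMARC failures.
SAMPLE = """\
From: "Example Bank" <alerts@examplebank.test>
Subject: URGENT: verify your account within 24 hours
Authentication-Results: mx.corp.test; spf=fail; dkim=none; dmarc=fail
Content-Type: text/html

<a href="http://examplebank.test.evil-domain.test/verify">https://www.examplebank.test/login</a>
"""

class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw):
    """Return the indicator names found in one raw RFC 5322 message, in check order."""
    msg, found = message_from_string(raw), []
    # Urgency cues in the subject line
    if re.search(r"\b(urgent|immediately|suspend|within \d+ hours)\b", msg["Subject"] or "", re.I):
        found.append("urgent-subject")
    # SPF/DKIM/DMARC verdicts stamped by the receiving mail server (anything other than pass)
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if re.search(rf"\b{mech}=(fail|none|softfail|permerror|temperror)\b", auth):
            found.append(f"{mech}-not-pass")
    # Mismatched URL: the link text looks like a URL but its host differs from the href's host
    parser = LinkExtractor()
    parser.feed(msg.get_payload(decode=True).decode(errors="replace"))
    for href, text in parser.links:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        if re.match(r"^(https?://|www\.)", text) and shown != urlparse(href).hostname:
            found.append("mismatched-url")
    return found
```

Only the Authentication-Results header added by your own receiving server is trustworthy; a mail gateway evaluates SPF, DKIM, and DMARC alignment itself rather than trusting a header the sender could have forged.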

Exam Tip

Social engineering questions are very common on Security+. Know the difference between phishing, spear phishing, and whaling by target scope. Remember vishing = voice, smishing = SMS. Be able to identify the technique from a scenario description.