Objective 2.2 | High Priority | 11 min read

Social Engineering Techniques

Human-focused attack methods that manipulate people into revealing information or taking actions that benefit attackers. Includes phishing, vishing, smishing, pretexting, impersonation, and business email compromise.

Understanding Social Engineering Techniques

Social engineering attacks target the human element—the most vulnerable component in any security system. Rather than exploiting technical vulnerabilities, these attacks exploit human psychology: trust, fear, curiosity, helpfulness, and urgency.

Core social engineering principles:

  • Authority — People comply with authority figures
  • Urgency — Time pressure bypasses careful thinking
  • Social proof — "Everyone else is doing it"
  • Familiarity/Liking — We trust people we like or know
  • Scarcity — Limited availability creates pressure
  • Reciprocity — Favors create obligation to return them

These psychological principles underpin all social engineering techniques.

Why This Matters for the Exam

Social engineering is the most common attack vector and heavily tested on SY0-701. Questions cover specific techniques (phishing variants), recognition of attacks, and appropriate defenses.

Technical controls can't fully prevent social engineering—humans will always be part of the security equation. Understanding these techniques helps design training programs and recognize attacks.

The exam tests terminology precisely: phishing vs. spear phishing vs. whaling, vishing vs. smishing. Knowing the distinctions is essential.

Deep Dive

Phishing

Fraudulent communications (typically email) impersonating trusted entities to steal information or deliver malware.

Phishing Types:

Type           | Target               | Description
---------------|----------------------|-----------------------------------------------
Phishing       | Mass targeting       | Generic emails to many recipients
Spear Phishing | Specific individuals | Researched, personalized attacks
Whaling        | Executives (C-suite) | Targets high-value individuals
Clone Phishing | Previous recipients  | Copies legitimate email with malicious changes

Phishing Indicators:

  • Sender address doesn't match claimed organization
  • Generic greetings ("Dear Customer")
  • Urgency or threats
  • Requests for sensitive information
  • Suspicious links or attachments
  • Grammar/spelling errors
  • Mismatched URLs (hover to check)

Spear Phishing Deep Dive:

  • Researched using social media, company info
  • References real projects, colleagues, events
  • Personalized to the target
  • Much higher success rate than generic phishing

Vishing (Voice Phishing)

Social engineering conducted via phone calls.

Common Vishing Scenarios:

  • "IT support" needing password to fix issue
  • "Bank security" about fraudulent activity
  • "IRS/Tax authority" threatening legal action
  • "Tech support" detecting malware on computer

Vishing Techniques:

  • Caller ID spoofing (appears legitimate)
  • Background sounds (fake call center)
  • Authority and urgency combined
  • Verification requests (confirm SSN, account)

Defense:

  • Never give sensitive info to incoming callers
  • Call back using official numbers
  • Verify caller identity through other channels

Smishing (SMS Phishing)

Phishing via text messages.

Common Smishing Tactics:

  • Package delivery notifications
  • Bank account alerts
  • Prize/lottery wins
  • Account verification requests
  • COVID-19 related scams

Why Smishing Works:

  • High SMS open rates (98%)
  • Mobile screens hide full URLs
  • Sense of urgency with notifications
  • Fewer security controls on mobile

Pretexting

Creating a fabricated scenario (pretext) to extract information or gain access.

How Pretexting Works:

  1. Attacker creates believable scenario
  2. Assumes a role that justifies requests
  3. Builds rapport and trust
  4. Extracts information or gains access
  5. May involve multiple interactions

Pretext Examples:

  • "I'm from IT doing a security audit"
  • "I'm a new employee and need help"
  • "I'm from the vendor fixing your account"
  • "I'm conducting a survey for management"

Pretexting vs. Phishing:

  • Phishing typically uses technical deception (fake sites)
  • Pretexting relies on story and relationship building
  • Often combined—pretext delivered via phishing email

Impersonation

Pretending to be someone else to gain trust or access.

Impersonation Targets:

Who They Impersonate | Why It Works
---------------------|------------------------------------
IT support           | People expect IT to need access
Executives           | Authority drives compliance
Vendors/contractors  | Expected to be on-site
Delivery personnel   | Blend in, access buildings
New employees        | Excuse for not knowing procedures

Physical Impersonation:

  • Fake uniforms or badges
  • Tailgating through secure doors
  • Claiming forgotten access card
  • Carrying items that suggest legitimacy

Digital Impersonation:

  • Email from fake/spoofed accounts
  • Social media fake profiles
  • Domain impersonation (similar names)
  • Compromised legitimate accounts

Business Email Compromise (BEC)

Sophisticated scam targeting organizations to fraudulently transfer funds or data.

BEC Attack Types:

CEO Fraud

  • Impersonate executive
  • Request urgent wire transfer
  • Target finance department

Invoice Fraud

  • Impersonate vendor
  • Request payment to new account
  • Intercept legitimate invoices

Account Compromise

  • Take over legitimate email account
  • Send requests from real account
  • Harder to detect

BEC Characteristics:

  • Often no malware involved
  • Relies purely on social engineering
  • Well-researched targets
  • Significant financial losses (billions annually)

BEC Red Flags:

  • Unusual request from executive
  • Urgency and secrecy demanded
  • Change in payment details
  • Request to bypass normal procedures
  • Email address slightly different
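The phishing indicators listed in the Phishing section and the BEC red flags just above can be turned into a mailbox triage heuristic. The following Python script is an added example, not code from the original study page: it runs those checks over two constructed messages (every name, address and domain is made up; example-corp.com is assumed to be the organization's real mail domain, and example-corp.co is built to look like it) and reports which indicators fire. The checks are deliberately simple string and header comparisons so each one maps back to a line of the checklist.

```python
import difflib
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed samples (not from the page); every name, address and domain is
# an assumption. example-corp.co mimics the real example-corp.com, the
# "email address slightly different" red flag.
SUSPICIOUS_EMAIL = """\
From: "Dana Lee, CEO" <dana.lee@example-corp.co>
Reply-To: dana.lee.ceo@freemail.example
To: ap@example-corp.com
Subject: Confidential - urgent wire transfer needed today

Dear Customer,

I am traveling and need this handled quickly and quietly without involving
others. Please wire $50,000 to our new account; details are in the portal:
<a href="http://example-corp-login.example/pay">https://portal.example-corp.com</a>
"""
LEGIT_EMAIL = """\
From: "Dana Lee" <dana.lee@example-corp.com>
To: ap@example-corp.com
Subject: Q3 budget review notes

Hi team, attached are the notes from this week's review. Thanks, Dana
"""

TRUSTED_DOMAIN = "example-corp.com"  # assumed real mail domain of the organization
EXEC_TITLES = ("ceo", "cfo", "coo", "president", "director")
URGENCY_WORDS = ("urgent", "immediate", "immediately", "today", "quickly", "asap")
SECRECY_WORDS = ("confidential", "quietly", "without involving", "do not tell", "discreet")
PAYMENT_WORDS = ("wire", "new account", "payment details", "bank details", "transfer")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder", "dear employee")


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags so the two can be compared."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Lower-cased hostname of a URL (a scheme is added if the text lacks one)."""
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()


def phishing_indicators(raw_email, trusted_domain=TRUSTED_DOMAIN):
    """Return (indicator, evidence) pairs found in one RFC 822 message."""
    msg = message_from_string(raw_email)
    body = msg.get_payload().lower()
    text = (msg["Subject"] or "").lower() + "\n" + body
    findings = []

    # Sender address vs. claimed organization, including near-miss lookalikes.
    display, addr = parseaddr(msg["From"] or "")
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain != trusted_domain:
        findings.append(("sender domain mismatch", sender_domain))
        if difflib.SequenceMatcher(None, sender_domain, trusted_domain).ratio() > 0.8:
            findings.append(("lookalike domain", f"{sender_domain} vs {trusted_domain}"))
    _, reply_addr = parseaddr(msg["Reply-To"] or "")
    if reply_addr and reply_addr.rpartition("@")[2].lower() != sender_domain:
        findings.append(("reply-to differs from sender", reply_addr))
    if any(t in display.lower() for t in EXEC_TITLES):
        findings.append(("authority claimed in display name", display))

    # Pressure language and generic greetings from the checklist.
    for label, words in (("urgency", URGENCY_WORDS), ("secrecy", SECRECY_WORDS),
                         ("payment change", PAYMENT_WORDS), ("generic greeting", GENERIC_GREETINGS)):
        hits = [w for w in words if w in text]
        if hits:
            findings.append((label, ", ".join(hits)))

    # "Hover to check": visible link text that disagrees with the real href.
    collector = _LinkCollector()
    collector.feed(body)  # hostnames are case-insensitive, so the lower-casing is harmless
    for href, visible in collector.links:
        if "." in visible and _host(visible) != _host(href):
            findings.append(("mismatched URL", f"shows {_host(visible)}, goes to {_host(href)}"))
    return findings


def risk_score(raw_email, trusted_domain=TRUSTED_DOMAIN):
    """Count of distinct indicator categories; three or more warrants escalation."""
    return len({name for name, _ in phishing_indicators(raw_email, trusted_domain)})
```

Running `phishing_indicators(SUSPICIOUS_EMAIL)` lists all nine categories for the constructed CEO-fraud message, while the constructed routine message produces none. A real deployment would feed this from a mail gateway or reporting button and treat the score as a triage aid, not a verdict: the point of the checklist is that any single indicator justifies verifying through a separate channel before acting.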

Defense Against Social Engineering

Technical Controls:

  • Email filtering and authentication (DMARC)
  • Multi-factor authentication
  • Call verification procedures
  • Approval workflows for financial requests
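Of the technical controls listed, DMARC is the one aimed most directly at the spoofed and lookalike sender addresses that phishing and BEC depend on. The script below is an added example, not part of the original page: it parses a DMARC TXT record, flags weak settings (shown beside a hardened record), and works out the disposition a receiver would apply to a message whose From domain is not authenticated. The records, domains and report address are constructed, and the organizational-domain check is a deliberate simplification of the Public Suffix List lookup real receivers perform.

```python
# Constructed DNS TXT records for the demo (not from the page); the domain and
# report address are assumptions.
WEAK_RECORD = "v=DMARC1; p=none; pct=50"
HARDENED_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                   "rua=mailto:dmarc-reports@example-corp.com")


def parse_dmarc(txt):
    """Split a DMARC TXT record (RFC 7489 tag=value list) into a dict."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(txt):
    """Return a list of weaknesses in the record; an empty list means hardened."""
    tags = parse_dmarc(txt)
    if tags.get("v") != "DMARC1":
        return ["missing or invalid v=DMARC1 tag; receivers ignore the record"]
    issues = []
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        issues.append("missing or invalid p= tag")
    elif policy == "none":
        issues.append("p=none only monitors: spoofed mail is still delivered")
    elif policy == "quarantine":
        issues.append("p=quarantine sends spoofed mail to spam rather than rejecting it")
    if tags.get("sp", policy) == "none" and policy != "none":
        issues.append("sp=none leaves subdomains unprotected")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        issues.append(f"pct={pct}: the policy applies to only {pct}% of failing mail")
    if tags.get("adkim", "r") == "r" and tags.get("aspf", "r") == "r":
        issues.append("relaxed alignment: mail from any subdomain of the organization aligns")
    if not tags.get("rua"):
        issues.append("no rua= address: no aggregate reports to reveal spoofing attempts")
    return issues


def _org_domain(host):
    """Crude organizational domain (last two labels); real receivers use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def _aligned(from_domain, authenticated_domain, mode):
    """Identifier alignment: strict needs an exact match, relaxed the same org domain."""
    if not authenticated_domain:
        return False
    if mode == "s":
        return from_domain.lower() == authenticated_domain.lower()
    return _org_domain(from_domain) == _org_domain(authenticated_domain)


def dmarc_disposition(txt, from_domain, spf_domain=None, dkim_domain=None):
    """Outcome for one message: 'pass', or the sender's policy ('none', 'quarantine', 'reject').

    spf_domain is the envelope-sender domain whose SPF check passed; dkim_domain is
    the d= of a DKIM signature that verified. None means that check failed. (pct
    sampling is ignored here to keep the example deterministic.)
    """
    tags = parse_dmarc(txt)
    spf_ok = _aligned(from_domain, spf_domain, tags.get("aspf", "r"))
    dkim_ok = _aligned(from_domain, dkim_domain, tags.get("adkim", "r"))
    return "pass" if spf_ok or dkim_ok else tags.get("p", "none")
```

With the weak record, a message forged to show `From: example-corp.com` but relayed through an unrelated domain gets disposition `none` and lands in the inbox; with the hardened record the same message is rejected, and only mail signed or sent for the exact domain passes. Publishing `p=none` first and reading the `rua` reports before moving to `quarantine` and then `reject` is the usual rollout, which is why the assessment treats a missing `rua` as a gap even on a monitoring-only record.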

Administrative Controls:

  • Security awareness training
  • Phishing simulations
  • Clear policies for sensitive requests
  • Verification procedures for changes

Physical Controls:

  • Badge requirements
  • Visitor management
  • Challenge unknown persons
  • Tailgating prevention

How CompTIA Tests This

Example Analysis

Scenario: An accounts payable employee receives an email that appears to be from the CEO. The email urgently requests an immediate wire transfer of $50,000 to complete a confidential acquisition. The CEO is traveling and asks that this be handled quickly and quietly without involving others.

Analysis - Business Email Compromise (CEO Fraud):

Red Flags:

  • Urgency — "Immediate," "quickly"
  • Secrecy — "Confidential," "don't involve others"
  • Authority — From CEO to pressure compliance
  • Unusual request — Wire transfer outside normal process
  • Unavailable for verification — CEO is "traveling"

What Should Happen:

  1. Don't execute the transfer
  2. Verify through separate channel (call CEO's known number)
  3. Check email headers carefully
  4. Follow established wire transfer procedures
  5. Report to security team

Why BEC Works:

  • Employees want to help executives
  • Urgency bypasses normal scrutiny
  • Fear of disobeying authority
  • "Confidential" discourages verification

Key insight: Any request to bypass normal procedures should trigger extra verification, regardless of who appears to request it.

Key Terms to Know

social engineering, phishing, vishing, smishing, pretexting, impersonation, BEC, spear phishing, whaling

Common Mistakes to Avoid

Thinking only untrained people fall for social engineering—sophisticated attacks fool experienced professionals. Continuous training is necessary.
Confusing phishing types—Phishing (mass), Spear phishing (targeted individual), Whaling (executive). Know the distinctions.
Believing technical controls alone can prevent social engineering—humans will always be vulnerable. Training and procedures are essential.
Assuming BEC requires technical sophistication—BEC often involves no malware, just social engineering and email impersonation.

Exam Tips

Phishing = Email. Vishing = Voice. Smishing = SMS. Know the "ishing" types.
Spear phishing = Targeted at specific person. Whaling = Targeted at executives.
BEC = Business Email Compromise. Often no malware, just social engineering for wire fraud.
Pretexting = Creating a fake scenario/story to manipulate victims.
Defense requires both technical controls AND user training.

Memory Trick

The "ISHING" Family

  • Phishing = Phake emails (like "phone" but email)
  • Vishing = Voice phishing (phone calls)
  • Smishing = SMS phishing (text messages)

Phishing Targeting Levels:

  • Phishing = Spray (everyone)
  • Spear phishing = Specific person
  • Whaling = Whales (big fish = executives)

BEC Red Flags: "SUCC"

  • Secrecy demanded
  • Urgency emphasized
  • Change in procedures
  • CEO/executive request unusual action

Social Engineering Principles: "AUFSRR"

  • Authority
  • Urgency
  • Familiarity
  • Scarcity
  • Reciprocity
  • Reason (social proof)

Test Your Knowledge

Q1. An attacker sends highly personalized emails to specific executives containing information gathered from their social media profiles. This type of attack is called:

Q2. An attacker calls an employee pretending to be from the IT help desk, claiming they need the employee's password to fix a system issue. This technique is:

Q3. What distinguishes Business Email Compromise (BEC) from typical phishing attacks?
