Phishing & Variants
Phishing
Broad, automated email campaigns sent to many recipients at once, with no tailoring to any individual. The goal is to trick a fraction of them into clicking a malicious link, opening a malicious attachment, or entering credentials on a spoofed login page.
Spear Phishing
Targeted attack against a specific individual or organization. Attackers research the victim (job role, colleagues, vendors, recent projects) so the email appears to come from a legitimate, expected sender.
Whaling
A form of spear phishing aimed at high-profile executives (the C-suite). The goal is often a large fraudulent financial transfer or access to sensitive trade secrets, since these targets have the authority to approve both.
Vishing & Smishing
Vishing: Voice phishing conducted over a phone call, often with a spoofed caller ID so the call appears to come from a bank, vendor, or internal helpdesk.
Smishing: Phishing delivered by SMS (text message), typically carrying a shortened or lookalike link because the small screen hides the real destination.
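The variants above share a few observable tells: a display name that claims one identity while the actual sender address belongs to another domain, a sender domain that is a character-substitution lookalike of a trusted one, and link text that shows a legitimate URL while the href points elsewhere. The following Python is an added example, not code from the original page, that runs those three checks over a constructed sample message. The trusted-domain set, the homoglyph table, and the "last two labels" approximation of a registered domain are all assumptions of this example and would need tuning in a real deployment.

```python
import email
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample messages for this example (not real phish).
SAMPLE_EMAIL = """\
From: "IT Helpdesk <helpdesk@example.com>" <alerts@examp1e.com>
To: user@example.com
Subject: Action required: password expires today
Content-Type: text/html; charset=utf-8

<html><body>
<p>Your password expires today. Sign in to keep access:</p>
<a href="http://login.examp1e.com/reset">https://sso.example.com/reset</a>
</body></html>
"""

BENIGN_EMAIL = """\
From: "IT Helpdesk" <helpdesk@example.com>
To: user@example.com
Subject: Scheduled maintenance
Content-Type: text/html; charset=utf-8

<html><body><p>See <a href="https://sso.example.com/status">https://sso.example.com/status</a></p></body></html>
"""

# Assumption: the organization's own domains (hypothetical).
TRUSTED_DOMAINS = {"example.com"}

# Assumption: a small digit-for-letter homoglyph table; real tooling uses larger ones.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels (assumption: no public-suffix list)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def domain_of_url(text):
    """Registered domain of a URL-looking string, or None if it has no host."""
    host = urlparse(text.strip()).hostname
    return registered_domain(host) if host else None


def normalize(domain):
    """Fold common homoglyphs so 'examp1e.com' and 'example.com' compare equal."""
    return domain.lower().replace("rn", "m").translate(HOMOGLYPHS).replace("-", "")


def lookalike(candidate, trusted):
    """True when two domains differ but collapse to the same normalized form."""
    return candidate != trusted and normalize(candidate) == normalize(trusted)


def analyze(raw):
    """Return a list of human-readable findings for one raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []

    # The real sender is the last <addr-spec>; everything before it is display name.
    m = re.match(r"^(.*)<([^<>]+)>\s*$", msg["From"] or "")
    display_name, addr = (m.group(1), m.group(2)) if m else ("", msg["From"] or "")
    sender_domain = registered_domain(addr.split("@")[-1])

    # 1. Display name smuggles an address from a different domain than the real sender.
    dm = re.search(r"[\w.+-]+@([\w.-]+)", display_name)
    if dm and registered_domain(dm.group(1)) != sender_domain:
        findings.append("display-name/sender domain mismatch")

    # 2. Sender domain is a character-substitution lookalike of a trusted domain.
    for trusted in sorted(TRUSTED_DOMAINS):
        if lookalike(sender_domain, trusted):
            findings.append(f"sender domain {sender_domain} resembles {trusted}")

    # 3. Anchor text shows one domain while the href goes to another.
    if msg.get_content_type() == "text/html":
        body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
        parser = LinkExtractor()
        parser.feed(body)
        for href, text in parser.links:
            shown, actual = domain_of_url(text), domain_of_url(href)
            if shown and actual and shown != actual:
                findings.append(f"link text shows {shown} but points to {actual}")
    return findings


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, analyze(sample))
```

Each check is cheap enough to run in a mail gateway or a SOC triage script; the point is that all three signals are available from the message itself, without needing to detonate the link.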
Physical & Other Techniques
Tailgating & Piggybacking
Tailgating: Following an authorized person through a secure door without their knowledge or consent (slipping in behind them before the door closes).
Piggybacking: Following an authorized person with their consent (e.g., "Can you hold the door? I forgot my badge.").
Mitigation: Access control vestibules (mantraps), security guards, employee training.
Dumpster Diving
Searching through trash to find sensitive information (bank statements, password notes, organizational charts).
Mitigation: Shredding policies, secure disposal bins.
Shoulder Surfing
Looking over someone's shoulder to see their screen or keyboard input (passwords, PINs).
Mitigation: Privacy screens, positioning monitors away from public view.
Principles of Influence
Social engineers use these psychological triggers to manipulate victims.