Security+ Study Guide: CompTIA Security+ SY0-701

Security+ Social Engineering Questions: How to Identify the Attack

The Security+ exam describes a social engineering scenario and asks you to name the attack type. Here is how to tell phishing from pretexting from vishing — every time.

Courseiva Study Hub


Social engineering questions on the Security+ exam give you a scenario and ask you to identify the attack type. The scenarios can be subtle, and the answer choices often look similar. The key is to know the precise definition of each attack type and the one detail that distinguishes it.

Phishing vs Spear Phishing vs Whaling

Phishing — A mass email attack sent to a large, untargeted group. The attacker casts a wide net hoping some recipients will click a malicious link or provide credentials. The emails often impersonate banks, delivery services, or HR departments.

Spear phishing — A targeted phishing attack directed at a specific individual or organisation. The attacker uses personalised information (the victim's name, role, recent activity) to make the email convincing. Spear phishing requires research and is much more effective than generic phishing.

Whaling — Spear phishing directed specifically at executives or high-value targets (C-level, finance directors, board members). The term references going after the biggest targets.

Exam trap: a question describes an email attack targeting the CFO of a company and asks which type it is. The answer is whaling, not spear phishing — both are targeted, but whaling is specifically directed at senior executives.

Vishing and Smishing

Vishing (voice phishing) — A phone call where the attacker impersonates a trusted entity (bank, IT department, government agency) to extract information or convince the victim to take an action.

Smishing (SMS phishing) — The same concept delivered via text message. "Your account has been compromised. Click here to verify."

The identifying detail in exam scenarios: if the attack uses a phone call, it is vishing. If it uses a text message, it is smishing.

Pretexting

Pretexting means creating a fabricated scenario (a pretext) to manipulate a victim into providing information or access. The attacker impersonates someone with a legitimate reason to request the information — an IT auditor, a new vendor, a bank's fraud team.

Key distinction: pretexting is about the fabricated story, not the delivery method. Vishing often involves pretexting, but pretexting can also occur in person or via email. If the scenario emphasises that the attacker invented a role or situation to gain trust, the answer is pretexting.

Shoulder Surfing, Tailgating, and Piggybacking

Shoulder surfing — Observing someone's screen or keyboard to steal credentials or sensitive information. It can be done by direct observation or with a camera.

Tailgating — Following an authorised person through a secured door without their knowledge or consent.

Piggybacking — The same as tailgating, but the authorised person knows and allows it (even though they should not). The distinction: tailgating is without consent, piggybacking is with consent.

Exam trap: both tailgating and piggybacking result in unauthorised physical access. If the question says the employee held the door open for someone they did not know, that is piggybacking. If the person slipped in behind without the employee noticing, that is tailgating.

Baiting and Quid Pro Quo

Baiting — Leaving a malware-infected USB drive in a public place (car park, lobby) hoping someone will plug it in. Named for the physical lure.

Quid pro quo — Offering something (free tech support, a gift) in exchange for information or access. "I will fix your computer problem if you give me your login credentials."

How to Identify the Attack Type on the Exam

Work through these questions in order:

  1. What is the delivery channel? Email = phishing family. Phone = vishing. Text = smishing. In person = physical social engineering.
  2. Is it targeted? Mass email = phishing. Targeted at one person = spear phishing. Targeted at an executive = whaling.
  3. Is there a fabricated story? Invented role or scenario = pretexting.
  4. Is there a physical lure? USB drop = baiting.
  5. Is there an exchange offered? Something for something = quid pro quo.

Common Wrong Answers

Candidates often confuse pretexting with phishing. Phishing is defined by its delivery channel: email, or SMS and voice for the smishing and vishing variants. Pretexting is defined by the fabricated narrative and can occur via any channel.

Candidates also confuse tailgating with piggybacking. If the question says the authorised employee was unaware, it is tailgating. If they let the person in, it is piggybacking.

Practice Security+ exam questions on social engineering topics to lock in these distinctions before exam day.

Anatomy of a Real Phishing Email

The exam will describe a phishing email and ask you to identify the indicators that mark it as phishing. Here is what actually makes a phishing email a phishing email — not the obvious "you've won a prize" kind, but the convincing corporate impersonation type that actually fools people.

Mismatched sender domain. The display name says "Microsoft Support" but the actual sender address is something like support@microsft-helpdesk.com. The domain is different from microsoft.com. The exam describes this as a red flag. In real life, attackers register lookalike domains (typosquatting) specifically for this purpose. On the exam: if a question mentions the sender display name looks correct but the actual address domain doesn't match the organisation, that's phishing.

Urgency and threat language. "Your account will be suspended in 24 hours." "Immediate action required." "Final notice." Legitimate organisations do not rush you to click a link under threat. The Security+ exam specifically calls this out as a social engineering manipulation technique — creating a sense of urgency bypasses critical thinking.

Generic greeting. "Dear Valued Customer" instead of your actual name. Spear phishing uses your real name. Mass phishing uses generic greetings. If the exam question says the email addresses the recipient by name and includes internal details about their department, it's spear phishing. Generic greeting = mass phishing.

Suspicious link format. Hovering over a link reveals a URL that doesn't match the displayed text, or the URL uses an IP address instead of a domain (http://203.0.113.45/login), or it uses a URL shortener to hide the real destination. The exam tests this: "A user received an email with a link. When the user hovers over it, the URL shown does not match the text." That is a phishing indicator.

Attachment with unusual extension. invoice.pdf.exe is an executable, not a PDF. Attackers use double extensions because Windows hides known extensions by default, so the user sees invoice.pdf and double-clicks an executable. This is a delivery mechanism for trojans and ransomware.
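The indicators above can be checked mechanically. This added example is not from the guide: it parses a constructed message (a lookalike sender domain, an urgent subject, a generic greeting, a link whose text and target disagree, an IP-literal URL and an invoice.pdf.exe attachment) with the standard library and reports each indicator it finds. The indicator names, keyword lists and regular expressions are this example's own choices, not exam terminology.

```python
import email.policy
import email.utils
import re
from urllib.parse import urlparse

# Constructed sample message carrying the indicators the guide lists (not a real phish)
SAMPLE_EMAIL = """\
From: "Microsoft Support" <support@microsft-helpdesk.com>
Subject: Immediate action required - account suspended in 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<p>Dear Valued Customer, <a href="http://203.0.113.45/login">https://login.microsoft.com</a></p>
--b1
Content-Disposition: attachment; filename="invoice.pdf.exe"

MZ
--b1--
"""
URGENCY = ("immediate action", "suspended", "final notice")
GENERIC = ("dear valued customer", "dear customer", "dear user")
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>\s*(.*?)\s*</a>', re.I | re.S)
IP_HOST = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?|jpg|png)\.(exe|scr|js|vbs|bat)$", re.I)


def phishing_indicators(raw, org_domain):
    msg = email.message_from_string(raw, policy=email.policy.default)
    found = []
    name, addr = email.utils.parseaddr(str(msg["From"]))
    # Display name borrows the organisation's name, but the address is on another domain
    if org_domain.split(".")[0] in name.lower() and not addr.lower().endswith("@" + org_domain):
        found.append("mismatched-sender-domain")
    if any(k in str(msg["Subject"]).lower() for k in URGENCY):
        found.append("urgency-language")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if any(g in text.lower() for g in GENERIC):
        found.append("generic-greeting")
    for href, shown in LINK_RE.findall(text):  # the "hover over the link" check
        if shown.startswith("http") and urlparse(shown).hostname != urlparse(href).hostname:
            found.append("link-text-mismatch")
        if IP_HOST.match(urlparse(href).hostname or ""):
            found.append("ip-address-url")
    for part in msg.iter_attachments():  # invoice.pdf.exe style double extensions
        if DOUBLE_EXT.search(part.get_filename() or ""):
            found.append("double-extension-attachment")
    return found
```

Calling phishing_indicators(SAMPLE_EMAIL, "microsoft.com") returns all six indicator names; a plain internal message with a matching sender domain returns an empty list.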

Pretexting Scenarios on the Exam — How They're Worded

Pretexting is the fabricated backstory that makes the attack believable. The exam gives you the scenario and expects you to name it. Here are three specific wording patterns and why the answers are what they are.

Scenario 1: "An attacker calls the IT help desk claiming to be a new employee locked out of their account. The attacker provides a name and employee ID number obtained from LinkedIn and asks for a password reset." Answer: pretexting. The fabricated scenario (I'm a new employee) is the pretext. The attack channel is phone — which also makes it vishing. If the question asks for one term, pretexting is the more specific answer about the technique. If it asks about delivery method, vishing.

Scenario 2: "A person enters the company lobby and tells reception they are from the printer repair company. They are directed to the server room." Answer: pretexting (fabricated identity as a service technician) combined with physical access. The result may also be tailgating if they bypass a secured door, but the core technique described is pretexting. The exam will not give you both options — context determines which term they want.

Scenario 3: "A security researcher receives a call from someone claiming to be from the organisation's HR department conducting a compliance survey. The caller asks for the researcher's system login credentials." Answer: pretexting. The fabricated HR compliance role is the pretext. Asking for credentials over the phone makes it vishing. Either term works, but pretexting emphasises the fabricated scenario rather than the delivery channel.

The rule: pretexting is always about the invented story. Vishing is always about the phone. A single attack can be both. The exam question wording tells you which dimension they're testing.

Impersonation vs Spoofing — The Difference the Exam Tests

These two terms trip people up because they sound interchangeable. They are not.

Impersonation is when a person pretends to be someone else. A human actor claiming to be from IT support, calling your desk asking to verify your credentials — that is impersonation. The attack requires a person performing the deception in real time.

Spoofing is when a technical system or data is falsified. Email spoofing means the From: header of an email is forged to appear to come from a trusted address — no human is on the phone, the email itself is the deception. Caller ID spoofing means the displayed phone number is faked. IP spoofing means the source address in a packet is forged.

Why the exam tests this difference: A scenario describing "an attacker made the email look like it came from the CEO's address" is spoofing — specifically email header spoofing. A scenario describing "an attacker called the helpdesk pretending to be the CEO" is impersonation. Spoofing is technical forgery. Impersonation is human deception.

Controls differ too. Email spoofing is addressed by DMARC, DKIM, and SPF at the domain level. Impersonation over the phone is addressed by callback verification procedures — you hang up and call back the person's known number to verify.

Business Email Compromise — The High-Value Social Engineering Attack

BEC is explicitly on the SY0-701 objectives and appears in Security Operations scenarios. It costs organisations billions annually because it bypasses technical controls entirely — there is no malware, no phishing link, just a convincing email.

CEO fraud: An attacker spoofs or compromises the CEO's email account and sends a request to the CFO or accounts payable asking for an urgent wire transfer to a new vendor. The urgency and authority of the sender make the victim comply without verifying through other channels. By the time anyone realises, the money is gone.

Vendor impersonation: The attacker monitors email traffic (through a compromised account or by social engineering) and waits for a legitimate invoice process to be in progress. They then intercept or mimic the vendor's communications, changing the banking details on the invoice to an account they control.

What the exam expects you to know: BEC is a form of spear phishing and impersonation. The defining characteristics are: it targets financial processes, it impersonates trusted individuals (executives, vendors), and it relies on urgency and authority to bypass verification. The countermeasures are procedural — out-of-band verification (call the executive on a known number before wiring money), dual-approval processes for large transfers, and user awareness training.

On the Security+ exam, if a question describes an attack where an organisation was tricked into transferring money because of a convincing email from what appeared to be a senior executive, the answer is Business Email Compromise.

Defence Controls for Social Engineering

The exam tests controls as much as attack types. For social engineering specifically:

User awareness training. The single most important control. Users who know what phishing looks like, who understand the urgency manipulation tactic, and who know to verify unusual requests through a second channel are significantly harder to compromise. The Security+ exam recognises this as a primary administrative control against social engineering.

DMARC, DKIM, and SPF for email. These three DNS records work together to authenticate email senders. SPF lists the IP addresses authorised to send email for a domain. DKIM signs outgoing emails with a private key, and recipients verify the signature against the public key published in DNS. DMARC tells receiving servers what to do with emails where neither SPF nor DKIM passes for a domain aligned with the visible From: address (p=reject, p=quarantine, or p=none, which only reports). Together, they make email domain spoofing much harder.
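An added example, not from the guide, of a weak record set beside a hardened one: the TXT records are constructed for a hypothetical example.com, and the checks read the SPF "all" qualifier and the DMARC p= and pct= tags to flag a configuration that still lets spoofed mail through. DKIM is left out because judging it requires a signed message, not only the DNS record.

```python
import re

# Constructed TXT records for a hypothetical domain: the weak set beside the hardened set
WEAK = {
    "example.com": "v=spf1 include:_spf.mail.example.net +all",
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}
HARDENED = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mail.example.net -all",
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com",
}


def check_spf(record):
    """Findings for an SPF TXT record: anything weaker than -all lets unlisted senders through."""
    if not record.startswith("v=spf1"):
        return ["no-spf"]
    findings = []
    # The trailing 'all' mechanism decides what happens to senders not listed earlier
    all_term = next((t for t in record.split()[1:] if re.fullmatch(r"[+\-~?]?all", t)), None)
    if all_term is None or all_term in ("all", "+all", "?all"):
        findings.append("spf-all-permissive")   # pass or neutral for any sender
    elif all_term == "~all":
        findings.append("spf-softfail-only")    # receivers rarely block on softfail alone
    return findings


def check_dmarc(record):
    """Findings for a DMARC TXT record: p=none only reports and never blocks."""
    if not record.startswith("v=DMARC1"):
        return ["no-dmarc"]
    tags = dict(kv.strip().split("=", 1) for kv in record.split(";") if "=" in kv)
    findings = []
    if tags.get("p", "none") == "none":
        findings.append("dmarc-monitor-only")
    if tags.get("pct", "100") != "100":
        findings.append("dmarc-partial-enforcement")  # policy applied to a sample only
    if "rua" not in tags:
        findings.append("dmarc-no-reporting")         # nobody sees who is spoofing the domain
    return findings


def audit(records, domain):
    """Combine the SPF findings for the domain with the DMARC findings for _dmarc.<domain>."""
    return check_spf(records.get(domain, "")) + check_dmarc(records.get("_dmarc." + domain, ""))
```

audit(WEAK, "example.com") flags the permissive SPF and the monitor-only DMARC policy; audit(HARDENED, "example.com") returns no findings.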

Caller verification procedures. For any sensitive request received by phone, the correct procedure is to hang up and call the requester back using a number from an internal directory — not the number the caller provides. This defeats vishing attacks where the caller ID is spoofed.

Physical access controls. Mantraps, which SY0-701 calls access control vestibules (two-door access systems requiring authentication at each door), prevent tailgating. Visitor check-in procedures and escort requirements prevent unauthorised physical access. Badge-required doors with a no-tailgating policy address piggybacking.
