SY0-701 | Chapter 11 of 212 | Objective 2.2

Phishing, Vishing, and Smishing

This chapter covers phishing, vishing, and smishing—three of the most common social engineering attacks tested on the SY0-701 exam. Understanding how these attacks work, how they differ, and how to defend against them is critical for Objective 2.2 (Threats, Vulnerabilities, and Mitigations). These attacks exploit human psychology rather than technical vulnerabilities, making them a favorite topic for scenario-based questions. By the end of this chapter, you will be able to identify each attack type, explain its mechanism, and apply appropriate countermeasures.

25 min read
Beginner
Updated May 31, 2026

Phishing as a Counterfeit Key

Imagine a secure office building where every employee has a unique, tamper-resistant key card that grants access only to their authorized areas. A social engineer, posing as an IT support technician, stands outside the building and offers to 'upgrade' employees' key cards by simply scanning them with a handheld device. In reality, the device captures the card's cryptographic signature, creating a perfect clone. The attacker then uses this cloned card to enter the building, accessing restricted areas and stealing sensitive documents. This mirrors phishing: the attacker crafts a convincing lure (the fake upgrade offer), tricks the victim into providing credentials (the card scan), and then uses those credentials to authenticate as the victim. The key difference is that phishing exploits human trust and urgency rather than physical proximity. Just as the cloned key card bypasses physical security without needing to pick a lock, stolen credentials bypass authentication without needing to exploit software vulnerabilities. The victim remains unaware until the damage is done. Understanding this mechanism helps security professionals recognize that phishing is not just about malicious links—it's about social engineering that targets human psychology to obtain authentication tokens, which are then replayed against the legitimate system.

How It Actually Works

What Are Phishing, Vishing, and Smishing?

Phishing, vishing, and smishing are social engineering attacks that use deception to trick victims into revealing sensitive information, such as usernames, passwords, credit card numbers, or other personal data. The term 'phishing' originated in the mid-1990s when attackers used email to 'fish' for credentials, often impersonating AOL staff. Vishing (voice phishing) uses phone calls or voicemail, while smishing (SMS phishing) uses text messages. All three rely on impersonation, urgency, and fear to bypass rational thinking.

How Phishing Works Mechanically

A typical phishing attack follows these steps:

1. Reconnaissance: The attacker gathers information about the target, often using OSINT (Open Source Intelligence) from social media, company websites, or data breaches.

2. Lure Creation: The attacker crafts an email that appears to come from a trusted source (e.g., a bank, IT department, or popular service like PayPal). The email usually includes a sense of urgency ('Your account will be suspended in 24 hours') and a call to action (click a link or open an attachment).

3. Delivery: The email is sent to the victim, often with a spoofed sender address (the visible From: header, which SMTP itself never authenticates) or from a lookalike domain (e.g., paypa1.com instead of paypal.com).

4. Victim Action: The victim clicks the link, which leads to a fake login page that mimics the legitimate site. The victim enters their credentials, which are captured by the attacker.

5. Exploitation: The attacker uses the stolen credentials against the real service, often within minutes, before the victim or the security team notices.

Key Components and Variants

Spear Phishing: Targeted attack against a specific individual or organization, often using personalized details (e.g., mentioning the victim's job title).

Whaling: Spear phishing targeting high-profile executives (the 'big fish').

Clone Phishing: Attacker creates a nearly identical copy of a legitimate email the victim previously received, but replaces links or attachments with malicious ones.

Pharming: Redirects users from a legitimate website to a fake one, often via DNS poisoning or host file manipulation. This is technically different from phishing because no email is required.

Evil Twin: A rogue Wi-Fi access point that mimics a legitimate one so that victims connect through it, letting the attacker observe or redirect their traffic. It is a wireless attack rather than a form of phishing, but it is often paired with a fake captive-portal login page that harvests credentials, and the exam tests it alongside phishing.

How Attackers Exploit These Methods

Attackers exploit human cognitive biases:

Authority: Impersonating a manager, IT support, or government agency.

Urgency: 'Your account has been compromised. Click now to reset.'

Scarcity: 'Only the first 100 users get this offer.'

Social Proof: 'Thousands of your colleagues have already updated.'

Technical exploitation includes:

URL Obfuscation: URL shorteners (e.g., bit.ly) that hide the destination; homograph attacks that substitute visually identical characters from another script (e.g., Cyrillic 'а' for Latin 'a'; browsers transmit such names as punycode labels beginning with xn--, and many display them that way); and subdomain tricks in which the brand name is only a subdomain of a domain the attacker controls (e.g., paypal.com.evil.com, whose registrable domain is evil.com).

Attachment Payloads: Malicious macros in Office documents, script files (e.g., .js), or PDFs with embedded exploits.

Credential Harvesting: Fake login pages that capture input and then redirect to the real site, so the victim sees a normal login and suspects nothing.
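The URL tricks above can be checked mechanically. The following is an added example, not code from the chapter: a small analyzer that decodes punycode hosts, flags non-ASCII (homograph) characters, expands known shorteners, catches a brand name used as a subdomain, and normalises common digit/letter and Cyrillic look-alikes before comparing against a watch-list. The brand list, shortener list, confusable map and sample URLs are constructed for illustration, and the registrable-domain helper takes the last two labels instead of consulting the Public Suffix List.

```python
"""Heuristic lookalike-URL checks (added example; lists below are constructed)."""
import unicodedata
from urllib.parse import urlsplit

# Assumed watch-list of brands we protect, keyed by registrable domain.
PROTECTED_BRANDS = {"paypal.com", "microsoft.com"}
# Assumed (non-exhaustive) shortener list.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com"}
# Visually confusable substitutions: digits for letters, and a few Cyrillic
# letters that render identically to Latin ones (U+0430 a, U+0435 e, U+043E o,
# U+0440 p, U+0441 c, U+0443 y, U+0445 x).
CONFUSABLES = str.maketrans({
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "|": "l",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
})


def registrable_domain(host: str) -> str:
    """Last two labels; good enough here, real code uses the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def analyze_url(url: str) -> list[str]:
    """Return a list of human-readable findings; empty means nothing suspicious."""
    findings = []
    host = urlsplit(url).hostname or ""
    # Browsers send IDN hosts as punycode (xn--); decode so we inspect what the
    # user would have seen rendered.
    if host.startswith("xn--") or ".xn--" in host:
        host = host.encode("ascii").decode("idna")
    # Homograph: any non-ASCII character in a hostname is worth a look.
    if any(ord(c) > 127 for c in host):
        scripts = {unicodedata.name(c, "?").split()[0] for c in host if ord(c) > 127}
        findings.append(
            f"non-ASCII characters in host ({', '.join(sorted(scripts))}): possible homograph")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(f"shortener {reg}: expand before judging the destination")
    if reg in PROTECTED_BRANDS:
        return findings  # the genuine registrable domain; nothing more to flag
    # Brand-as-subdomain: paypal.com.evil.com is evil.com, whatever it looks like.
    brand_words = {b.split(".")[0] for b in PROTECTED_BRANDS}
    for label in host.split(".")[:-2]:
        if label in brand_words:
            findings.append(f"'{label}' is only a subdomain of {reg}: brand-as-subdomain trick")
    # Character substitution: fold confusables and compare to the watch-list.
    normalized = unicodedata.normalize("NFKC", reg.translate(CONFUSABLES))
    if normalized != reg and normalized in PROTECTED_BRANDS:
        findings.append(f"{reg} normalises to {normalized}: character-substitution lookalike")
    return findings


if __name__ == "__main__":
    # Constructed sample URLs covering each trick.
    for u in ("https://www.paypal.com/signin", "https://paypa1.com/login",
              "https://paypal.com.evil.com/update", "https://bit.ly/2xYzAbc",
              "https://\u0440\u0430\u0443\u0440\u0430l.com/login"):
        print(u, "->", analyze_url(u) or ["ok"])
```

A real deployment would feed this the URLs extracted from inbound mail and SMS reports, expand shorteners in a sandbox, and use a proper confusables table (Unicode TR39) and the Public Suffix List rather than the short maps here.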

Defenders' Countermeasures

Email Filtering: SPF (Sender Policy Framework, RFC 7208) lets a domain publish which IP addresses may send mail for its envelope MAIL FROM domain; DKIM (DomainKeys Identified Mail, RFC 6376) adds a cryptographic signature over the message that receivers verify with a public key in DNS; DMARC (Domain-based Message Authentication, Reporting & Conformance, RFC 7489) requires one of those results to align with the visible From: domain and tells receivers what to do on failure. Only DMARC checks the address the user actually sees, which is why all three are deployed together.

User Training: Simulated phishing campaigns teach users to identify red flags (e.g., mismatched URLs, poor grammar).

Multi-Factor Authentication (MFA): Even if the password is stolen, an additional factor (e.g., a one-time code from an authenticator app) blocks a login that presents the password alone. Codes and push approvals can still be relayed by a real-time phishing proxy, so phishing-resistant methods (FIDO2 security keys or passkeys) are the stronger choice.

Web Filtering: Block known malicious URLs and use sandboxing for attachments.

Incident Response: Users should report suspicious emails to a security team, who can analyze and block the threat.

Real Command/Tool Examples

Check SPF record: nslookup -type=txt paypal.com (or dig +short txt paypal.com) returns a record beginning v=spf1, for example v=spf1 include:spf1.paypal.com ~all (the include: name is illustrative). ~all is a soft fail and -all a hard fail for unlisted senders.

Check DKIM public key: the selector is not fixed; read it from the s= tag of the DKIM-Signature header and query <selector>._domainkey.<domain>, e.g., nslookup -type=txt default._domainkey.paypal.com if the selector is 'default'. The TXT record holds the public key used to verify the signature.

DMARC policy: nslookup -type=txt _dmarc.paypal.com returns a record such as v=DMARC1; p=reject; rua=mailto:d@rua.paypal.com (p= is the policy applied to failures; rua= is where aggregate reports are sent).

Phishing simulation tool: Gophish (open-source) can send fake phishing emails and track clicks.

URL analysis: curl -sI https://bit.ly/xyz shows only the first hop (the Location: header of the redirect); curl -sIL -o /dev/null -w '%{url_effective}\n' https://bit.ly/xyz follows the whole chain and prints the final destination. Run this from an isolated analysis host, never from the victim's workstation, because fetching the link can be logged by the attacker or trigger a download.
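The lookups above retrieve the records; the part that decides whether a spoofed message is delivered is the DMARC evaluation a receiver performs with them, which is also the logic behind the 'SPF alone stops phishing' trap later in this chapter. The block below is an added example, not code from the chapter or from any mail product: it models a receiver's DMARC decision given the visible From: domain, the SPF result for the envelope MAIL FROM domain, and the DKIM result for the signing d= domain. The DNS records, domains and messages are constructed (no network lookups), and the organizational-domain helper takes the last two labels instead of consulting the Public Suffix List.

```python
"""Receiver-side DMARC evaluation (added example; records and inputs are constructed)."""
from dataclasses import dataclass

# Constructed stand-in for the _dmarc TXT lookups shown above.
DNS_TXT = {
    "_dmarc.bank.example": "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@bank.example",
    "_dmarc.gmail.example": "v=DMARC1; p=none; rua=mailto:reports@gmail.example",
}


def parse_tags(record: str) -> dict:
    """Parse a 'k=v; k=v' tag list (DMARC style) into a dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            tags[k.strip()] = v.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain: last two labels (real code uses the Public Suffix List)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """'s' (strict) needs an exact match; 'r' (relaxed) accepts the same organizational domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResults:
    from_domain: str       # domain of the RFC 5322 From: header (what the user sees)
    spf_pass: bool         # SPF result for the envelope MAIL FROM
    mail_from_domain: str  # the domain SPF was evaluated against ("" if none)
    dkim_pass: bool        # a DKIM-Signature verified
    dkim_d: str            # d= tag of that signature ("" if none)


def lookup_dmarc(from_domain: str) -> dict:
    """Policy discovery: exact From: domain first, then its organizational domain."""
    for name in (from_domain, org_domain(from_domain)):
        rec = DNS_TXT.get(f"_dmarc.{name}")
        if rec and rec.startswith("v=DMARC1"):
            return parse_tags(rec)
    return {}


def dmarc_disposition(r: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, receiver_action)."""
    policy = lookup_dmarc(r.from_domain)
    if not policy:
        return "none", "deliver (no DMARC record)"
    # A raw SPF or DKIM pass is not enough: the authenticated domain must align
    # with the From: domain the recipient sees.
    spf_ok = r.spf_pass and aligned(r.from_domain, r.mail_from_domain, policy.get("aspf", "r"))
    dkim_ok = r.dkim_pass and aligned(r.from_domain, r.dkim_d, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    actions = {"none": "deliver (monitor only)", "quarantine": "quarantine", "reject": "reject"}
    return "fail", actions.get(policy.get("p", "none"), "deliver (monitor only)")


if __name__ == "__main__":
    # Attacker's own domain passes SPF and DKIM, but neither aligns with bank.example.
    spoof = AuthResults("bank.example", True, "attacker.example", True, "attacker.example")
    print("spoofed bank.example:", dmarc_disposition(spoof))      # ('fail', 'reject')
    # Same trick against a domain publishing p=none: DMARC fails but mail is delivered.
    print("spoofed gmail.example:", dmarc_disposition(
        AuthResults("gmail.example", False, "attacker.example", False, "")))
```

The two runs at the bottom are the whole argument for DMARC: the attacker's message passes SPF and DKIM for attacker.example, fails alignment for bank.example, and is rejected only because bank.example publishes p=reject; the same message aimed at a p=none domain is delivered, which is exactly the situation the SOC scenario later in this chapter describes.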

Walk-Through

1

Reconnaissance and Target Selection

The attacker identifies a target organization or individual. For spear phishing, they scrape LinkedIn, company websites, and data breach databases (e.g., Have I Been Pwned) to gather email addresses, job roles, and personal interests. For vishing, they may obtain phone numbers from corporate directories or social media. For smishing, they often use purchased phone number lists from the dark web. The goal is to craft a believable pretext. For example, an attacker targeting an HR employee might use the name of the company's CEO in the email body. Tools like theHarvester can automate email harvesting. Because this reconnaissance is passive and runs against third-party sites, it leaves nothing in the target's own logs; this step is almost never detected.

2

Lure Creation and Pretexting

The attacker creates a convincing message. For email phishing, they register a lookalike domain (e.g., micros0ft.com) and set up an SMTP server with a spoofed 'From' header. For vishing, they use VoIP services to spoof caller ID (e.g., displaying the company's main number). For smishing, they use SMS gateways or compromised mobile devices. The message includes a trigger—fear ('Your account has been compromised'), urgency ('Act within 24 hours'), or greed ('You won a gift card'). The attacker may also include a sense of authority ('IT Department requires immediate password update'). Technical red flags include mismatched reply-to addresses and poor grammar, but modern phishing kits produce near-perfect replicas.

3

Delivery of the Lure

The attacker sends the message. For phishing, they use bulk email tools (e.g., SendGrid accounts with stolen credentials) or compromised WordPress sites to send emails. For vishing, they use auto-dialers or robocall systems. For smishing, they use SMS APIs from services like Twilio (often with stolen accounts). Delivery may be timed to coincide with busy periods (e.g., Monday morning) to reduce scrutiny. Email security gateways may block some messages if SPF/DKIM fails, but attackers often send from legitimate domains with weak security. For example, an attacker might compromise a small business's email server and use it to send phishing emails to larger targets. The compromised sender's logs would show a sudden spike in outbound email from an unusual IP, but the phishing target sees only ordinary inbound mail from a domain that passes SPF and DKIM.

4

Victim Interaction and Credential Harvesting

The victim clicks the link or calls the number. For phishing, the link leads to a fake login page hosted on a compromised website or a free hosting service (e.g., 000webhost). The page often uses HTTPS (thanks to free Let's Encrypt certificates) to appear legitimate. When the victim enters credentials, the page sends them to the attacker via a PHP script or a Telegram bot. The victim is then redirected to the real site to avoid suspicion. For vishing, the victim dials a number that leads to an IVR system asking for credit card details or passwords. For smishing, the victim may be asked to reply with personal information or click a link to download a malicious app (e.g., a fake banking app that steals SMS OTPs). Tools like Social-Engineer Toolkit (SET) automate this step.

5

Exploitation and Lateral Movement

The attacker immediately uses the stolen credentials. For a single user, they may log into the victim's email to find more targets or reset passwords for other services. For a corporate target, they may use the credentials to access VPN or remote desktop, then move laterally using tools like Mimikatz to dump hashes and escalate privileges. MFA can block this step, but attackers may use real-time proxy attacks (e.g., Evilginx) that capture the session cookie after the user completes MFA. Alternatively, they may sell the credentials on dark web markets. Detection occurs when the real user notices suspicious activity (e.g., password reset emails they didn't request) or when the SIEM or identity provider alerts on anomalous logins, such as impossible travel between two sign-in locations. Incident response should immediately reset the compromised password and also revoke active sessions and refresh tokens, because a password reset alone does not invalidate a session cookie the attacker already holds.
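The 'anomalous login from an unusual geolocation' detection mentioned above is usually implemented as an impossible-travel rule: two successful sign-ins for the same account whose distance and time gap imply a speed no traveller could reach. The block below is an added example, not code from the chapter or any SIEM product. The sign-in log lines and the IP-to-location table are constructed, the 900 km/h threshold is an assumption to tune, and the rule only considers successful logins, since failed attempts do not establish where the user is.

```python
"""Impossible-travel detection over constructed sign-in events (added example)."""
import json
import math
from datetime import datetime

# Constructed stand-in for a GeoIP lookup: ip -> (label, latitude, longitude).
GEOIP = {
    "203.0.113.10": ("Boston, US", 42.36, -71.06),
    "203.0.113.11": ("Boston, US", 42.36, -71.06),
    "198.51.100.7": ("Lagos, NG", 6.52, 3.38),
    "192.0.2.44": ("New York, US", 40.71, -74.01),
}
MAX_SPEED_KMH = 900.0  # assumption: faster than an airliner means it is not the same person

# Constructed identity-provider events, one JSON object per line.
SAMPLE_LOG = """\
{"ts":"2024-03-04T13:02:11Z","user":"cfo@bank.example","ip":"203.0.113.10","result":"success"}
{"ts":"2024-03-04T13:20:45Z","user":"cfo@bank.example","ip":"198.51.100.7","result":"success"}
{"ts":"2024-03-04T13:25:00Z","user":"dr.lee@hospital.example","ip":"203.0.113.11","result":"success"}
{"ts":"2024-03-04T17:40:00Z","user":"dr.lee@hospital.example","ip":"192.0.2.44","result":"success"}
{"ts":"2024-03-04T18:00:00Z","user":"cfo@bank.example","ip":"198.51.100.7","result":"failure"}
"""


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def impossible_travel(log_text: str, max_speed_kmh: float = MAX_SPEED_KMH) -> list[dict]:
    """One alert per successful sign-in whose implied speed from the previous
    successful sign-in of the same account exceeds max_speed_kmh."""
    last = {}      # user -> (timestamp, location) of the previous successful sign-in
    alerts = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        if ev["result"] != "success":
            continue  # failed attempts do not establish a location
        loc = GEOIP.get(ev["ip"])
        if loc is None:
            continue  # unknown IP: no coordinates, nothing to compare
        ts = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        prev = last.get(ev["user"])
        if prev:
            pts, ploc = prev
            km = haversine_km(ploc[1], ploc[2], loc[1], loc[2])
            hours = (ts - pts).total_seconds() / 3600
            speed = km / hours if hours > 0 else math.inf
            if speed > max_speed_kmh:
                alerts.append({"user": ev["user"], "from": ploc[0], "to": loc[0],
                               "km": round(km), "minutes": round(hours * 60),
                               "speed_kmh": round(speed)})
        last[ev["user"]] = (ts, loc)
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_LOG):
        print(f"ALERT {a['user']}: {a['from']} -> {a['to']} ({a['km']} km in {a['minutes']} min)")
```

On the sample data only the CFO account fires (Boston to Lagos in under twenty minutes); the doctor's Boston-to-New-York pair is hours apart and stays quiet. Production rules add VPN and cloud-provider egress allow-lists, since corporate VPNs and mobile carriers routinely make legitimate users appear to jump cities.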

What This Looks Like on the Job

Scenario 1: Spear Phishing at a Financial Institution

A SOC analyst at a bank notices an email sent to the CFO with the subject 'Urgent: Wire Transfer Approval.' The email appears to come from the CEO's personal Gmail account (not the corporate domain). The analyst checks the headers: SPF fails (the sending IP is not authorized for the claimed domain), and the domain's DMARC policy is p=none, so the email is delivered despite the failure. The link in the email points to a fake Office 365 login page hosted on a compromised WordPress site. The analyst blocks the URL at the web proxy and alerts the CFO. However, the CFO had already clicked the link and entered credentials. The analyst immediately forces a password reset, revokes the account's active sessions, checks the mailbox for attacker-added forwarding or inbox rules, and enables MFA for the CFO's account. A common mistake is to assume that because the email passed DKIM (as it will if the attacker sent it from a compromised or attacker-owned domain with valid DKIM), it is safe. The correct response is to always verify the sender domain against the claimed identity and to treat unusual requests with suspicion, regardless of email authentication status.

Scenario 2: Vishing Attack on a Help Desk

An attacker calls the IT help desk of a healthcare provider, claiming to be a doctor who forgot his password. The attacker spoofs the caller ID to show the hospital's main number. He provides the doctor's name (found on LinkedIn) and employee ID (from a data breach). The help desk agent, following procedure, resets the password and provides the temporary password over the phone. The attacker then logs in and accesses patient records. The SOC detects the anomaly when the doctor's account logs in from an IP outside the hospital's geographic region. The correct response would have been to call the doctor back on his official number or use a one-time password sent to his registered mobile device. A common mistake is to rely solely on caller ID, which is easily spoofed. The incident response includes reviewing access logs and notifying affected patients under HIPAA.

Scenario 3: Smishing Targeting Mobile Banking Users

A bank's customers receive SMS messages: 'Your account has been locked. Click here to unlock: http://bit.ly/2xYzAbc.' The link leads to a fake mobile banking login page. A customer reports the message to the bank's fraud department. The security team analyzes the URL in a sandbox and finds it redirects to a server in a foreign country. They submit the domain to Google Safe Browsing, block it at the bank's own web proxy, and report the message to the mobile carriers (in the US and UK, customers can forward spam texts to the 7726 short code). They also send an alert to all customers via the official mobile app. A common mistake is to ignore smishing because it's 'just a text message.' However, smishing bypasses email filters entirely and can be highly effective because SMS open rates are commonly cited as over 90%. The correct response includes user education and encouraging customers to report suspicious texts.

How SY0-701 Actually Tests This

What SY0-701 Tests on This Objective

The exam focuses on distinguishing between phishing, vishing, and smishing, and on identifying appropriate countermeasures. You must know:

Definitions and delivery methods (email, voice, SMS).

Variants: spear phishing, whaling, clone phishing, pharming (note: pharming is not technically phishing but often grouped).

Social engineering principles: authority, urgency, scarcity, social proof.

Technical defenses: SPF, DKIM, DMARC, MFA, user training.

Reporting procedures: users should report suspicious messages to the security team.

Common Wrong Answers and Why

1.

'Phishing only uses email' – The exam tests that phishing can occur via any medium; vishing and smishing are subsets.

2.

'MFA prevents all phishing' – MFA stops an attacker who holds only the password, but not one who relays the login in real time and captures the session cookie (e.g., phishing proxies like Evilginx); only phishing-resistant MFA such as FIDO2 defeats that.

3.

'SPF alone stops phishing' – SPF checks the envelope MAIL FROM domain, not the From: header the user sees, so an attacker sending from their own correctly configured domain (or from a compromised authorized server) passes SPF while displaying a spoofed name; DKIM plus DMARC alignment are needed to tie authentication to the visible sender.

4.

'Pharming is a type of phishing' – The exam distinguishes pharming as a different attack (DNS poisoning) even though the goal is similar.

Specific Terms and Values

SMTP: Port 25 (default), 587 (submission), 465 (SMTPS).

SPF: Uses TXT records; syntax includes v=spf1.

DKIM: Public key published at <selector>._domainkey.<domain>; the selector comes from the s= tag of the DKIM-Signature header (e.g., default._domainkey).

DMARC: Policy values: p=none, p=quarantine, p=reject.

RFC 7208: SPF standard.

RFC 6376: DKIM standard.

RFC 7489: DMARC standard.

Common Trick Questions

Scenario: 'An attacker sends an email with a link to a fake login page.' This is phishing, not vishing or smishing.

Scenario: 'An attacker calls pretending to be from IT.' This is vishing.

Scenario: 'An attacker sends a text message with a link.' This is smishing.

Trick: 'An attacker sets up a fake Wi-Fi access point.' This is an evil twin attack, not phishing, but often tested alongside.

Decision Rule for Scenario Questions

1.

Identify the delivery method: email? = phishing; phone call? = vishing; SMS? = smishing.

2.

Check if the attack is targeted: if it uses personal details, it's spear phishing; if the target is a high-level executive, it's whaling.

3.

Determine the goal: credential theft? = phishing; malware delivery? = also phishing (via attachment).

4.

Select the best countermeasure: for prevention, choose user training and email filtering; for mitigation, choose MFA.

Key Takeaways

Phishing uses email; vishing uses voice calls; smishing uses SMS. Know the difference for scenario questions.

Spear phishing is targeted; whaling targets executives. Both use personalized information.

SPF (RFC 7208) uses DNS TXT records to list authorized sending servers for a domain.

DKIM (RFC 6376) adds a digital signature to emails, verified via a public key in DNS.

DMARC (RFC 7489) tells receivers how to handle emails that fail SPF or DKIM (none, quarantine, reject).

MFA is a critical defense but can be bypassed by real-time phishing proxies that steal session cookies.

User training and simulated phishing campaigns are the one defense that applies to all three attack types, since the technical controls differ by channel (email authentication does nothing for a phone call or a text). Pair training with phishing-resistant MFA so that a single click does not hand over the account.

Always verify unexpected requests via a separate communication channel (e.g., call back on a known number).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Phishing

Delivered via email.

Typically includes a malicious link or attachment.

Uses spoofed sender addresses and lookalike domains.

Commonly targets credentials or malware installation.

Defenses include SPF, DKIM, DMARC, and email filters.

Vishing

Delivered via phone call or voicemail.

Typically asks for information verbally or via IVR.

Uses caller ID spoofing.

Commonly targets credit card numbers, PINs, or passwords.

Defenses include call-back verification and user training.

Phishing

Delivered via email.

Often uses HTML formatting and logos.

Can be blocked by email security gateways.

May include malicious attachments.

User training focuses on email red flags.

Smishing

Delivered via SMS text message.

Plain text or simple links due to SMS limitations.

Bypasses email filters; relies on mobile carrier security.

Often leads to fake mobile websites or app downloads.

User training focuses on not clicking links in texts.

Spear Phishing

Targets specific individuals or groups.

Uses personal information to increase credibility.

Goal: credentials, financial data, or malware delivery.

Attackers research targets via social media.

Example: email to an HR employee about a fake job application.

Whaling

Targets high-level executives (CEO, CFO).

Often involves legal or financial pretexts.

Goal: wire transfers, sensitive corporate data.

Attackers may impersonate lawyers or regulators.

Example: email to CFO requesting urgent wire transfer.

Watch Out for These

Mistake

Phishing only happens via email.

Correct

Phishing can occur via email, phone (vishing), SMS (smishing), social media, or even instant messaging. The exam tests all these vectors.

Mistake

A phishing email always has poor grammar or spelling mistakes.

Correct

Modern phishing campaigns often use professional language and perfect grammar. Attackers may hire native speakers or use AI tools like ChatGPT to craft convincing messages.

Mistake

If a website uses HTTPS, it's safe.

Correct

HTTPS only encrypts data in transit and proves that the server controls the domain name shown in the URL; it says nothing about whether that domain belongs to the organization it imitates. Attackers routinely obtain free domain-validated TLS certificates from Let's Encrypt for fake login pages, so the padlock appears on phishing sites too.

Mistake

MFA completely eliminates the risk of phishing.

Correct

MFA reduces risk but can be bypassed through real-time proxy attacks (e.g., Evilginx) that capture the session cookie after the user authenticates. SMS-based MFA is additionally vulnerable to SIM swapping. FIDO2 security keys and passkeys resist the proxy attack because the browser binds the authentication to the site's real origin.

Mistake

SPF, DKIM, and DMARC guarantee an email is legitimate.

Correct

These technologies authenticate the sending domain, not the sender's intent. They can be bypassed if the attacker compromises a legitimate mailbox or domain (the mail genuinely comes from that domain and passes), or registers a lookalike domain and configures SPF, DKIM and DMARC for it correctly (the mail passes for the lookalike, and only a human notices the spelling). For the impersonated domain itself, the DMARC policy must be p=reject (or at least p=quarantine) before failures are acted on rather than merely reported.

Frequently Asked Questions

What is the difference between phishing and smishing?

Phishing is conducted via email, while smishing is conducted via SMS (text messages). Both aim to trick victims into revealing sensitive information or clicking malicious links. The exam expects you to identify the delivery method: if it's a text message, it's smishing; if it's an email, it's phishing. Smishing often has higher success rates because SMS open rates are commonly cited as over 90%, text messages pass through no equivalent of an email security gateway, and a phone screen makes a lookalike URL harder to inspect.

How does SPF help prevent phishing?

SPF (Sender Policy Framework) allows domain owners to specify which mail servers are authorized to send email on their behalf. When a receiving mail server gets an email, it checks the SPF record of the envelope MAIL FROM domain (via a DNS TXT query). If the sending IP is not listed, the email may be rejected or marked as spam. SPF alone has two gaps: it evaluates the envelope sender, not the From: header the user sees, and it can be satisfied by an attacker who sends from a compromised authorized server or from their own correctly configured domain. That's why DKIM and DMARC are also needed.

Can MFA be bypassed by phishing?

Yes, MFA can be bypassed by real-time phishing proxies like Evilginx. In this attack, the victim clicks a link that leads to a proxy server on an attacker-controlled domain. The proxy connects to the real service, the victim enters their credentials and the MFA code on the proxied page, and the proxy captures the session cookie the real service issues. The attacker then uses that cookie to access the service without needing the password or MFA again. This is why hardware-based FIDO2 tokens and passkeys are recommended: the browser includes the origin it is actually on in the signed data, so an assertion produced on the proxy's domain is rejected by the real site.
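The difference between a relayable code and an origin-bound assertion is easier to see in code. The block below is an added example, not code from the chapter, Evilginx, or any WebAuthn library: a toy relying party, a toy authenticator, and a proxy. TOTP is implemented per RFC 6238; the WebAuthn part keeps the real structure (clientDataJSON with type, challenge and origin; authenticatorData starting with the rpIdHash; a signature over authenticatorData plus the hash of clientDataJSON) but uses an HMAC with a constructed key in place of the authenticator's asymmetric signature. The origins, secrets and challenge are all constructed.

```python
"""Why a phishing proxy relays TOTP but not a FIDO2/WebAuthn assertion (added example)."""
import hashlib
import hmac
import json
import struct

LEGIT_ORIGIN = "https://bank.example"
PROXY_ORIGIN = "https://bank-login.example"   # attacker's lookalike, proxying to the bank
TOTP_SECRET = b"constructed-shared-secret"     # shared between the bank and the user's app
AUTHN_KEY = b"constructed-authenticator-key"   # stands in for the credential's private key


def totp(secret: bytes, t: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation."""
    counter = struct.pack(">Q", t // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


def rp_verify_totp(code: str, t: int) -> bool:
    """The bank cannot tell who typed the code or on which page: it is just six digits."""
    return hmac.compare_digest(code, totp(TOTP_SECRET, t))


def authenticator_sign(rp_id: str, client_data_json: bytes) -> dict:
    """Authenticator signs authenticatorData (rpIdHash || flags || counter) || SHA256(clientDataJSON).
    It never sees the origin; the browser already baked it into clientDataJSON."""
    auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + (0).to_bytes(4, "big")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"authenticatorData": auth_data, "clientDataJSON": client_data_json,
            "signature": hmac.new(AUTHN_KEY, signed, hashlib.sha256).digest()}


def browser_webauthn_get(origin_browser_is_on: str, challenge: str) -> dict:
    """The browser, not the page or the user, fills in the origin it is really on."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin_browser_is_on}).encode()
    rp_id = origin_browser_is_on.removeprefix("https://")
    return authenticator_sign(rp_id, client_data)


def rp_verify_assertion(assertion: dict, challenge: str) -> tuple[bool, str]:
    """Relying-party checks in the order a WebAuthn server performs them."""
    cd = json.loads(assertion["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "bad type/challenge"
    if cd.get("origin") != LEGIT_ORIGIN:
        return False, f"origin mismatch: {cd.get('origin')}"
    if assertion["authenticatorData"][:32] != hashlib.sha256(b"bank.example").digest():
        return False, "rpIdHash mismatch"
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    expected = hmac.new(AUTHN_KEY, signed, hashlib.sha256).digest()
    ok = hmac.compare_digest(assertion["signature"], expected)
    return ok, "ok" if ok else "bad signature"


def phish_through_proxy(t: int, challenge: str) -> dict:
    """Victim is on PROXY_ORIGIN; the proxy forwards whatever the victim produces to the bank."""
    relayed_code = totp(TOTP_SECRET, t)                        # victim types it on the fake page
    assertion = browser_webauthn_get(PROXY_ORIGIN, challenge)  # victim taps the key on the fake page
    return {"totp_accepted": rp_verify_totp(relayed_code, t),
            "webauthn_accepted": rp_verify_assertion(assertion, challenge)[0],
            "webauthn_reason": rp_verify_assertion(assertion, challenge)[1]}


if __name__ == "__main__":
    print(phish_through_proxy(1_700_000_000, "c0nstructed-challenge"))
```

The relayed TOTP code is accepted because nothing in six digits says where they were typed; the relayed assertion is refused because the browser wrote bank-login.example into the signed client data. In a real browser the attempt fails even earlier, since a credential registered for bank.example is never offered on another domain, which is the property 'phishing-resistant' refers to.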

What is the best defense against vishing?

The best defense is user training and verification procedures. Users should never provide sensitive information over the phone unless they initiated the call. If someone calls claiming to be from IT or a bank, hang up and call back using the official number from the company's website. Additionally, organizations should implement callback verification for password resets and use one-time passwords sent to registered devices.

Is pharming considered a type of phishing?

No, pharming is a different attack, though it shares the goal of stealing credentials. Phishing relies on tricking the user into clicking a link, while pharming redirects users from a legitimate website to a fake one without their knowledge, often via DNS poisoning or host file manipulation. The SY0-701 exam treats them as separate threats, so be careful not to confuse them.

What should a user do if they suspect a phishing email?

The user should not click any links or open attachments. They should report the email to their organization's security team (often via a 'Report Phishing' button in the email client). If the email is personal, they should forward it to the Anti-Phishing Working Group at reportphishing@apwg.org and then delete it. The exam emphasizes that reporting is the correct action, not deleting or ignoring.

What is a lookalike domain and how is it used in phishing?

A lookalike domain is a domain name that closely resembles a legitimate one, often by substituting characters (e.g., paypa1.com instead of paypal.com), adding plausible words (e.g., paypal-security.com), or using a different top-level domain. Attackers register these domains, configure email authentication for them, and host fake login pages. Users may not notice the difference, especially on mobile devices where the address bar is small. The exam may ask you to identify a lookalike domain in a scenario.
