
Social Engineering for CompTIA Network+ N10-009

Social engineering exploits human psychology rather than technical vulnerabilities to gain unauthorized access or information. CompTIA Network+ N10-009 tests social engineering techniques in the Security domain because the human element is often the weakest link in security. Technical controls alone cannot stop an attacker who tricks a legitimate user into providing credentials or access.


Social Engineering Techniques

Phishing: mass-targeted deceptive emails impersonating legitimate organizations (banks, Microsoft, IT helpdesk) to steal credentials or install malware. Users click malicious links or attachments. Spear phishing: targeted phishing customized for a specific individual using personal information — much higher success rate. Whaling: spear phishing targeting senior executives. Vishing: voice phishing over telephone. Smishing: SMS text message phishing.

Pretexting: creating a fabricated scenario (pretext) to gain trust and extract information. 'I'm from IT and need your password to fix an urgent issue.' 'I'm the auditor and need access to the server room.' Attackers research targets to make the pretext convincing.

Baiting: leaving infected USB drives in public locations (parking lots, reception areas) hoping employees will plug them in out of curiosity. Infected drives auto-run malware when connected.

Tailgating / piggybacking: physically following an authorized person into a secured area. Quid pro quo: offering something in exchange for information — 'I'll fix your computer problem if you give me your login credentials.' Dumpster diving: searching through trash for sensitive information (documents, hardware, credentials written on paper).

Psychological Principles Used

Attackers exploit cognitive biases: Authority (impersonating executives or IT staff), Urgency (creating time pressure — 'your account will be closed in 1 hour'), Scarcity (limited offers), Social proof (everyone else is doing it), Likability (building rapport), Reciprocity (doing a small favor to get a large one back), Fear (threatening negative consequences).

Countermeasures: security awareness training (the most effective defense), verification procedures (always call back using a number from the official directory, not one provided by the caller), clear policies (IT will never ask for your password), multi-factor authentication (stolen password alone is not enough), incident reporting procedures.
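The manipulation cues listed above (authority, urgency, fear, a request for credentials) and the "IT will never ask for your password" rule can be turned into simple mail-gateway heuristics. The Python below is an added example written for this page, not code from the original study guide or from any vendor: it scores a message on those cues, checks whether the sender's domain is a lookalike of the organisation's own domain, and flags a display name that claims an internal role while the address is external. The organisation domain `example.com`, the keyword lists, the weights, the verdict thresholds and the two sample messages are all constructed assumptions.

```python
"""Heuristic scorer for social-engineering cues in inbound messages.

Added example for the Network+ social-engineering page; not the page's own
code. Keyword lists, weights, the internal domain and the sample messages are
constructed for illustration.
"""
import re

INTERNAL_DOMAIN = "example.com"  # assumed organisation domain (placeholder)

# One regex per manipulation cue the page lists; phrase lists are constructed.
CUE_PATTERNS = {
    "authority": r"\b(it help ?desk|it department|system administrator|ceo|cfo|auditor)\b",
    "urgency": r"\b(urgent(ly)?|immediately|right away|asap|within \d+ (hour|minute|day)s?)\b",
    "fear": r"\b(will be (closed|suspended|locked|terminated)|legal action|disciplinary)\b",
    "credential_request": r"\b(password|passcode|one-time code|mfa code|verification code|login credentials)\b",
}
CUE_WEIGHTS = {"authority": 1, "urgency": 1, "fear": 1, "credential_request": 2}

# Digits commonly substituted for letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "8": "b"})


def find_cues(text):
    """Return {cue: [matched phrases]} for every cue present in text."""
    hits = {}
    for cue, pattern in CUE_PATTERNS.items():
        found = [m.group(0) for m in re.finditer(pattern, text, re.IGNORECASE)]
        if found:
            hits[cue] = found
    return hits


def sender_domain(address):
    """Domain part of an e-mail address, lower-cased."""
    return address.rsplit("@", 1)[-1].lower().strip(">")


def levenshtein(a, b):
    """Edit distance between two strings (standard dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, internal=INTERNAL_DOMAIN):
    """True if domain imitates the internal domain (digit homoglyphs, 'rn' for 'm',
    or a single-character edit) without actually being it."""
    if domain == internal:
        return False
    norm = lambda d: d.translate(HOMOGLYPHS).replace("rn", "m")
    return norm(domain) == norm(internal) or levenshtein(norm(domain), norm(internal)) <= 1


def score_message(display_name, sender, subject, body):
    """Score one message; a higher score means more social-engineering cues."""
    cues = find_cues(f"{subject}\n{body}")
    score = sum(CUE_WEIGHTS[c] for c in cues)
    reasons = [f"{c}: {', '.join(sorted(set(p.lower() for p in ph)))}" for c, ph in cues.items()]
    domain = sender_domain(sender)
    if is_lookalike(domain):
        score += 3
        reasons.append(f"sender domain {domain} resembles {INTERNAL_DOMAIN}")
    # A display name claiming an internal role from an external address is the
    # classic pretext; the page's rule is that IT never asks for your password.
    if domain != INTERNAL_DOMAIN and find_cues(display_name).get("authority"):
        score += 2
        reasons.append(f"display name '{display_name}' claims internal role from external domain {domain}")
    verdict = "block" if score >= 5 else "review" if score >= 2 else "allow"
    return {"score": score, "verdict": verdict, "reasons": reasons}


SAMPLE_MESSAGES = [  # constructed for this example
    {
        "display_name": "IT Helpdesk",
        "sender": "support@examp1e.com",
        "subject": "Urgent: verify your password",
        "body": "Your account will be suspended within 1 hour. Reply with your password to keep access.",
    },
    {
        "display_name": "Alice Chen",
        "sender": "alice.chen@example.com",
        "subject": "Next week's cafeteria menu",
        "body": "The menu for next week is attached. See you at lunch.",
    },
]

if __name__ == "__main__":
    for msg in SAMPLE_MESSAGES:
        result = score_message(**msg)
        print(msg["sender"], result["verdict"], result["score"], result["reasons"])
```

The first sample trips every cue (urgency, fear, a password request, a lookalike domain and an "IT Helpdesk" display name on an external address) and is scored as block; the plain internal message scores zero. A gateway rule like this catches the crude cases, but the verification step the page describes (calling back on a number from the official directory) is a human procedure that no filter replaces, which is why the page ranks awareness training first.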

Key exam facts — Network+

  • Phishing: deceptive email; Spear phishing: targeted phishing; Vishing: voice; Smishing: SMS
  • Pretexting: fabricated scenario to gain trust and extract information
  • Baiting: infected USB drives left in public to entice victims
  • Tailgating: following authorized person through secured door
  • Security awareness training: most effective countermeasure against social engineering
  • Attackers exploit: authority, urgency, fear, social proof, likability, reciprocity
  • IT will never ask for your password — this is a red flag for social engineering

Common exam traps

Technical security controls prevent social engineering

Social engineering bypasses technical controls by exploiting humans. MFA reduces the damage from stolen credentials, but the primary defense against social engineering is security awareness training: teaching users to recognize and resist manipulation.

Practice questions — Social Engineering

These questions are representative of what you will see on Network+ exams. The correct answer and explanation are shown immediately below each question.

Q1. An employee receives a call from someone claiming to be from the IT helpdesk who requests their password to fix an urgent security issue. The caller has the employee's name, department, and manager's name. What type of attack is this?

A. Phishing
B. Pretexting (vishing)
C. Baiting
D. Dumpster diving

Correct answer: B. Pretexting (vishing).

Explanation: This is pretexting via vishing (voice phishing) — the attacker has created a fabricated scenario (IT helpdesk emergency) and uses personal information to appear credible. The personal details (name, department, manager) were likely gathered through OSINT or LinkedIn. Legitimate IT helpdesks never ask for passwords. The employee should verify by calling IT using a number from the official company directory.

Frequently asked questions — Social Engineering

How effective is security awareness training?

Security awareness training significantly reduces susceptibility to social engineering. Studies show phishing click rates drop from 25–30% to under 5% with regular training and simulated phishing exercises. Training should be ongoing (not annual one-time), include simulated phishing tests, cover specific techniques (pretexting, vishing), and provide immediate feedback when employees fall for simulated attacks. The human is the last line of defense — training makes that line stronger.
