Phishing and its variants
Phishing is a mass email campaign impersonating a trusted entity, like a bank, cloud provider, or IT department, to trick recipients into clicking malicious links or entering credentials on fake websites. The key word is mass: phishing is untargeted and sent to thousands of people at once hoping that some percentage will take the bait.
Spear phishing targets a specific individual or organization. The attacker researches the target using OSINT and personalizes the message with the target's name, job role, manager's name, current projects, or recent events. The specificity makes it far more convincing than generic phishing. Most successful business email compromise starts with spear phishing.
Whaling is spear phishing aimed at senior executives. The targets are high-value because they have authority to approve wire transfers, access to strategic systems, or the ability to authorize actions that lower-level employees cannot. A successful whaling attack on a CFO can result in millions of dollars transferred in a single transaction.
Vishing (voice phishing) uses phone calls. The attacker impersonates IT support, a bank representative, or a government agency. A live voice and real-time conversation create a sense of pressure and authority that written phishing cannot replicate. Smishing (SMS phishing) uses text messages instead of email.
Non-email social engineering techniques
Pretexting is the fabrication of a scenario that establishes trust and a plausible reason for the attacker to need sensitive information. An attacker calling IT support and claiming to be a new employee who cannot access their account is pretexting. The scenario is the pretext. Pretexting underlies most vishing attacks and many in-person social engineering scenarios.
Baiting exploits curiosity. An attacker leaves infected USB drives in a company parking lot or lobby, labeled with tempting names. When someone picks one up and plugs it in, the malware executes. This requires no technical skill from the attacker and relies entirely on human curiosity overriding caution.
Tailgating means physically following an authorized person through a secured door without authenticating. The attacker walks close behind someone who badges in and slips through before the door closes. Piggybacking is similar but the authorized person knowingly holds the door open, perhaps because they think the person looks legitimate or just to be polite. Both bypass physical access controls.
Shoulder surfing is observing someone enter credentials, PINs, or sensitive data by watching over their shoulder in a public or shared space. Privacy screens on laptops and positioning your body between your keyboard and observers are the countermeasures.
How to choose the correct answer
Email, mass, untargeted = phishing. Email, targeted specific individual = spear phishing. Email, targeting C-suite executive = whaling. Phone call = vishing. Text message = smishing.
Fabricated story to establish trust = pretexting. Infected media left for victim to find = baiting. Physically following through door = tailgating (unknowing) or piggybacking (knowing).
Social engineering always exploits human psychology. If the question describes manipulation of a person rather than a technical vulnerability, it is social engineering regardless of the channel.
Defenses: security awareness training is the primary defense. MFA prevents credential-based attacks from succeeding even when credentials are stolen. Verification procedures for sensitive requests (callback verification to a known number) stop pretexting attacks.