Human/social engineering: phishing, vishing, smishing, misinformation, impersonation, BEC, pretexting, watering hole, brand impersonation, typosquatting

1.6 Threat vectors & attack surfaces

📘CompTIA Security+ SY0-701


Human / Social Engineering Threats Overview

Definition:
Human/social engineering attacks are techniques where attackers manipulate people rather than technology. Instead of hacking a system directly, attackers exploit human behavior—like trust, curiosity, fear, or urgency—to gain access to systems, networks, or sensitive data.

Key Point for Exam:

  • These attacks target people, not computers.
  • Attackers trick users into revealing sensitive information or performing unsafe actions.

1. Phishing

  • What it is: Fraudulent messages (usually emails) that pretend to be from a trusted source to steal information or deliver malware.
  • How it works in IT:
    • User receives an email that looks like it’s from IT support.
    • Email asks the user to reset a password via a fake login page.
    • The attacker captures the password.
  • Key Exam Tip: Look for the phrase “email-based fraud tricking users”.

2. Vishing

  • What it is: Voice phishing—attackers use phone calls to trick users.
  • Example in IT context:
    • Attacker calls pretending to be a system administrator.
    • Claims there’s an urgent problem with the user’s account.
    • Asks for login credentials or remote access.
  • Key Exam Tip: Voice + social manipulation = vishing.

3. Smishing

  • What it is: SMS phishing—using text messages instead of emails.
  • Example in IT context:
    • A text message appears from IT security asking to click a link to verify an account.
    • Link leads to a fake site to steal credentials or download malware.
  • Key Exam Tip: Think “SMS + phishing”.

4. Misinformation / Disinformation

  • What it is: Spreading false information to confuse or manipulate users.
  • IT example:
    • Fake alert about a system vulnerability causing employees to download a “patch” from a malicious site.
  • Key Exam Tip: Focus on false information to trick users.

5. Impersonation

  • What it is: Pretending to be someone the victim trusts.
  • IT example:
    • Attacker pretends to be a helpdesk admin or vendor.
    • Uses that trust to request passwords, security codes, or access to servers.
  • Key Exam Tip: “Acting as someone you trust.”

6. Business Email Compromise (BEC)

  • What it is: Targeted attack on businesses to trick employees into sending money or sensitive info.
  • IT example:
    • CEO’s email is spoofed.
    • Finance staff receives an urgent wire transfer request to a “vendor.”
  • Key Exam Tip: High-value targeted email attack on businesses.
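The impersonation (section 5) and BEC (section 6) scenarios above share one defender-side pattern: a message whose display name matches a trusted person but whose sending address, reply path or wording does not fit that person. The following is an added example, not part of these study notes; it uses Python's standard `email` module, and the corporate domain, executive list, pressure-language terms and both sample messages are constructed for illustration.

```python
"""Score an inbound e-mail for executive-impersonation / BEC indicators."""
import email
from email.utils import parseaddr

# Constructed sample configuration for this example (not a real organisation).
CORPORATE_DOMAIN = "example.com"
EXECUTIVES = {"jane doe": "jane.doe@example.com"}   # display name (lower-case) -> real mailbox
URGENCY_TERMS = ("urgent", "wire transfer", "immediately", "confidential", "do not call")

# Constructed sample message in the shape of the CEO-spoof scenario in the notes.
SAMPLE_MESSAGE = """\
From: Jane Doe <jane.doe@example-ceo.com>
Reply-To: jane.doe@mail-relay.net
To: finance@example.com
Subject: Urgent wire transfer - confidential

Please process the attached vendor payment immediately. I am in a meeting,
do not call. Reply to this e-mail with confirmation.
"""

# Constructed benign message from the real mailbox, for comparison.
BENIGN_MESSAGE = """\
From: Jane Doe <jane.doe@example.com>
To: finance@example.com
Subject: Q3 budget review

Can we move the review to Thursday?
"""


def bec_indicators(raw: str) -> list:
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []

    display, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""

    # 1. A known executive's display name on a mailbox that is not theirs.
    known = EXECUTIVES.get(display.strip().lower())
    if known and addr != known:
        findings.append(f"display-name impersonation: '{display}' sent from {addr}")

    # 2. Sender domain outside the corporate domain (spoofed or lookalike).
    if sender_domain and sender_domain != CORPORATE_DOMAIN:
        findings.append(f"external sender domain: {sender_domain}")

    # 3. Reply-To diverts replies away from the visible sender.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and reply_to.lower() != addr:
        findings.append(f"reply-to mismatch: {reply_to}")

    # 4. Urgency / payment pressure language in subject or body.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        findings.append("pressure language: " + ", ".join(hits))

    return findings


def is_suspicious(raw: str, threshold: int = 2) -> bool:
    """Treat a message as a BEC candidate when it trips at least `threshold` indicators."""
    return len(bec_indicators(raw)) >= threshold


if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("benign", BENIGN_MESSAGE)):
        print(label, is_suspicious(raw), bec_indicators(raw))
```

Each indicator on its own is weak (executives do travel and use urgent language), which is why the verdict requires several to coincide; in practice the display-name check is fed from a directory rather than a hard-coded dictionary.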

7. Pretexting

  • What it is: Creating a fabricated scenario (pretext) to trick someone into giving info.
  • IT example:
    • Attacker calls pretending to be a new IT contractor needing admin credentials to fix “network issues.”
  • Key Exam Tip: Look for a fabricated story used to obtain information.

8. Watering Hole Attack

  • What it is: Attacker compromises a website that a target group frequently visits.
  • IT example:
    • Employees in a company often visit a specific vendor portal.
    • Attacker injects malware into the portal.
    • When employees visit, malware infects their computers.
  • Key Exam Tip: Targeted website compromise for specific users.

9. Brand Impersonation

  • What it is: Attacker pretends to be a legitimate company brand to trick users.
  • IT example:
    • Fake emails from a software company claiming updates are required.
    • Links lead to malicious downloads.
  • Key Exam Tip: Focus on fake brand communication.

10. Typosquatting

  • What it is: Creating fake websites with URLs that are very similar to real ones (typos).
  • IT example:
    • Legit site: companyportal.com
    • Fake site: cornpanyportal.com (note the typo: “rn” in place of “m”)
    • User mistypes and ends up on a malicious site stealing credentials.
  • Key Exam Tip: Fake URLs exploiting typos.
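Added example (not from the original notes) showing how a defender can flag lookalike domains of the kind described above. It goes slightly beyond the single “rn” for “m” case: confusable character sequences are folded to one form before comparison, and edit distance then catches transposed letters, inserted hyphens and the same name on another TLD. The legitimate domain list, the “observed” domains and the homoglyph table are constructed assumptions for illustration.

```python
"""Flag observed domains that are typo or homoglyph variants of a known-good domain."""

# Visually confusable sequences folded to one form before comparison.
# Illustrative subset constructed for this example; real lists are much longer.
HOMOGLYPH_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("5", "s"), ("3", "e")]

# Constructed sample data: the organisation's legitimate domain and some
# hostnames "seen" in proxy logs.
LEGIT_DOMAINS = ["companyportal.com"]
OBSERVED_DOMAINS = [
    "companyportal.com",     # legitimate
    "cornpanyportal.com",    # rn -> m homoglyph (the notes' example)
    "compnayportal.com",     # transposed letters
    "companyportal.co",      # same name, different TLD
    "company-portal.com",    # inserted hyphen
    "example.org",           # unrelated
]


def fold_homoglyphs(label: str) -> str:
    """Lower-case a DNS label and collapse confusable sequences."""
    label = label.lower()
    for src, dst in HOMOGLYPH_FOLDS:
        label = label.replace(src, dst)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def split_domain(domain: str):
    """Return (registrable name, TLD). Simplified: the last label is the TLD."""
    labels = domain.lower().strip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify(candidate: str, legit_domains=LEGIT_DOMAINS, max_distance: int = 2):
    """Return (verdict, matched_legit_domain_or_None).

    verdict is 'legit' for an exact match, 'lookalike' when the folded name is
    within max_distance edits of a legitimate name (or identical on another TLD),
    otherwise 'unrelated'."""
    cand = candidate.lower().strip(".")
    if cand in (d.lower() for d in legit_domains):
        return "legit", cand
    cand_name, _ = split_domain(cand)
    best = None
    for legit in legit_domains:
        legit_name, _ = split_domain(legit)
        dist = levenshtein(fold_homoglyphs(cand_name), fold_homoglyphs(legit_name))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, legit.lower())
    if best is None:
        return "unrelated", None
    return "lookalike", best[1]


def scan(observed=OBSERVED_DOMAINS, legit_domains=LEGIT_DOMAINS) -> list:
    """Return [(domain, matched_legit)] for every observed domain judged a lookalike."""
    hits = []
    for domain in observed:
        verdict, match = classify(domain, legit_domains)
        if verdict == "lookalike":
            hits.append((domain, match))
    return hits


if __name__ == "__main__":
    for domain, match in scan():
        print(f"LOOKALIKE {domain} -> resembles {match}")
```

The edit-distance threshold is deliberately small: with short legitimate names, two edits can match unrelated words, so in practice the threshold is scaled to the name length and the result is used to prioritise review (or to register the variants defensively) rather than to block outright.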

Summary Table for Students

Attack Type         | How It Works                          | IT Example
--------------------|---------------------------------------|-------------------------------
Phishing            | Email tricks                          | Fake IT password reset email
Vishing             | Phone call tricks                     | Calls asking for login info
Smishing            | Text message tricks                   | SMS with malicious link
Misinformation      | False info spread                     | Fake system alert
Impersonation       | Pretend to be trusted                 | Pretend to be admin
BEC                 | Targeted email to steal funds/info    | CEO spoof email
Pretexting          | Fake scenario                         | “New IT contractor” story
Watering Hole       | Compromised website                   | Popular vendor portal malware
Brand Impersonation | Fake brand messages                   | Fake software update email
Typosquatting       | Fake URL based on typos               | cornpanyportal.com

Key Exam Tips

  1. Always link the attack to human behavior—trust, urgency, curiosity.
  2. Recognize the difference between phishing (email), vishing (voice), and smishing (SMS).
  3. Know BEC targets businesses specifically.
  4. Remember attackers can use websites, URLs, and brands to trick users.
  5. Most of these attacks don’t require hacking skills, only social manipulation.
