2.5 Compare and contrast social engineering attacks, threats, and vulnerabilities
📘CompTIA A+ Core 2 (220-1202)
Social engineering is a method attackers use to trick people into giving up confidential information or performing actions that compromise security. Instead of directly attacking systems, attackers exploit human behavior. In IT, this is one of the most common ways security is breached.
Social engineering attacks can come in emails, calls, texts, physical access attempts, or even trash. Let’s break them down.
1. Phishing
Phishing is when an attacker tries to trick users into giving sensitive information (like usernames, passwords, or credit card numbers) by pretending to be someone trustworthy.
Types of phishing include:
- Vishing (Voice Phishing)
- The attacker uses phone calls to trick someone into revealing information.
- Example in IT: A caller pretends to be from IT support and asks for a network password.
- Smishing (SMS Phishing)
- The attacker uses text messages (SMS) to trick users.
- Example in IT: A text claims your company email account is blocked and asks for login credentials through a link.
- QR Code Phishing
- A QR code is presented that links to a malicious website.
- Example: Scanning a QR code in an email or on a document that looks official but actually leads to a fake login page.
- Spear Phishing
- A targeted phishing attack aimed at a specific person or organization.
- Example: An email looks like it comes from your IT manager asking for your account credentials.
- Whaling
- A phishing attack aimed at high-level executives or important personnel.
- Example: CFO receives an email that appears to be from the CEO requesting a wire transfer.
Key point for exam: Phishing is about tricking humans, not hacking software directly.
2. Shoulder Surfing
- This is when someone observes your screen, keyboard, or device to get confidential information.
- Example in IT: An attacker watches you type your password at a workstation or ATM.
Tip: Always shield your screen or use privacy filters on monitors.
3. Tailgating
- Tailgating occurs when someone follows an authorized person into a restricted area without permission.
- Example in IT: An attacker walks behind an employee entering a server room, bypassing badge access.
Tip for exam: This is a physical security threat, even though it’s social engineering.
4. Impersonation
- Impersonation is when an attacker pretends to be someone else to gain access or information.
- Example in IT: Pretending to be an IT technician to get a user’s login credentials.
Important: Impersonation can be in person, over the phone, or via email.
5. Dumpster Diving
- Dumpster diving is when an attacker searches through trash or discarded items to find sensitive information.
- Example in IT: Looking through thrown-away hard drives, printouts, or sticky notes that contain passwords or network diagrams.
Tip for exam: Always shred sensitive documents and properly dispose of media.
Exam Tips for Social Engineering
- Focus on how attackers trick people, not just technical hacking.
- Remember all types of phishing and their delivery methods.
- Know the difference between digital attacks (phishing, vishing, smishing, QR code phishing) and physical/social attacks (shoulder surfing, tailgating, impersonation, dumpster diving).
- Use the principle that attackers exploit human behavior, not just software vulnerabilities.
✅ Summary Table for Quick Review
| Attack Type | Description | Delivery/Method |
|---|---|---|
| Phishing | Tricking users to reveal info | |
| Vishing | Phone call phishing | Voice call |
| Smishing | SMS/text phishing | Text message |
| QR code phishing | Malicious QR code | QR scan |
| Spear phishing | Targeted phishing | Personalized email |
| Whaling | Executive-targeted phishing | Email to VIPs |
| Shoulder surfing | Observing someone | Physical/visual |
| Tailgating | Following into secure areas | Physical access |
| Impersonation | Pretending to be someone | Phone, email, or in person |
| Dumpster diving | Searching trash for info | Physical trash/documents |
