Social Engineering Types and Clues
Key Takeaways
- Social engineering exploits human trust, pressure, curiosity, fear, helpfulness, or authority.
- Phishing is broad, spear phishing is targeted, whaling is spear phishing aimed at senior leaders, smishing uses SMS, and vishing uses voice.
- Pretexting creates a believable story; baiting offers something tempting; tailgating abuses physical access.
- Business email compromise often manipulates payment, invoice, payroll, or gift card workflows.
- Best responses usually combine verification procedures, user reporting, technical controls, and process controls.
Social engineering questions are clue-based. The attacker may not need malware if a person can be convinced to click, approve, reveal, pay, or open a door.
| Technique | Definition | Strong clue |
|---|---|---|
| Phishing | Deceptive message to many recipients | Broad email with link or attachment |
| Spear phishing | Targeted phishing | Message tailored to a team or person |
| Whaling | Targeting senior leaders | CEO, CFO, executive assistant |
| Smishing | SMS or messaging lure | Text message with urgent link |
| Vishing | Voice-based deception | Phone call impersonation |
| Pretexting | Fabricated story to gain trust | Fake auditor, fake IT support, fake vendor |
| Baiting | Entices with something desirable | Free gift card, found USB drive |
| Tailgating | Following someone into a secure area | Person slips in behind employee |
| Shoulder surfing | Observing secrets physically | Watching password or PIN entry |
| Dumpster diving | Searching trash for information | Printed records or notes discarded |
Persuasion Clues
| Pressure tactic | What it sounds like |
|---|---|
| Urgency | "This must be done in the next 10 minutes." |
| Authority | "The CEO approved this." |
| Fear | "Your account will be closed." |
| Scarcity | "Only the first users get access." |
| Familiarity | "I worked with your manager last week." |
| Helpfulness | "I just need you to bypass the process this once." |
Business Email Compromise Pattern
Business email compromise targets a business process, not just a login: the attacker may work from a compromised mailbox or a lookalike domain, but the goal is to move money or change where money goes. Watch for invoice changes, wire transfer requests, payroll direct deposit changes, gift card requests, or vendor banking updates, especially when paired with urgency or a claim of executive approval. The best mitigation is usually an out-of-band verification procedure for any change to payment details (call the requester back on a number already on file, never one supplied in the message), combined with email security controls and an easy user reporting path.
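To make the clues above concrete, here is an added triage heuristic (example code written for this page, not from the original page or any product) that scores a message on the BEC indicators and persuasion tactics listed in the tables above: an executive's display name on a non-company address, a sender domain that visually resembles the company or a known vendor, a Reply-To that steers replies elsewhere, payment or payroll workflow language, and one point per pressure tactic. The organisation data (the `example.com` domain, the executive "Pat Rivera", the vendor `acme-supplies.com`), the keyword lists, the 0.8 similarity threshold and the HOLD/REVIEW/LOW cut-offs are all assumptions chosen for illustration, and the four messages are constructed samples.

```python
"""Heuristic BEC triage over constructed sample messages (added example; all org data is hypothetical)."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from difflib import SequenceMatcher
from email.utils import parseaddr

# Assumed organisation data (hypothetical; not from the page).
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"pat rivera": "pat.rivera@example.com"}   # impersonated display name -> real address
TRUSTED_DOMAINS = (INTERNAL_DOMAIN, "acme-supplies.com")  # company domain plus known vendors

# Money-movement workflow language: the processes BEC targets.
PAYMENT_WORKFLOW = re.compile(
    r"\b(wire|invoice|direct deposit|payroll|gift cards?|bank(?:ing)? details|routing number)\b", re.I)

# Persuasion clues, one pattern per tactic in the pressure-tactic table (assumed keyword lists).
PRESSURE = {
    "urgency": re.compile(r"\b(urgent|immediately|right away|today|within the next \d+ minutes)\b", re.I),
    "authority": re.compile(r"\b(ceo|cfo|approved|per the board)\b", re.I),
    "fear": re.compile(r"\b(will be (?:closed|suspended)|late fee|penalt\w*)\b", re.I),
    "familiarity": re.compile(r"\b(we spoke|worked with your manager)\b", re.I),
    "helpfulness": re.compile(r"\b(just this once|bypass|skip the (?:usual )?process)\b", re.I),
}


@dataclass
class Finding:
    score: int = 0
    reasons: list[str] = field(default_factory=list)

    def add(self, points: int, why: str) -> None:
        self.score += points
        self.reasons.append(f"+{points} {why}")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def _lookalike(domain: str) -> str | None:
    """Return the trusted domain this sender domain visually resembles (assumed 0.8 threshold), if any."""
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if SequenceMatcher(None, domain, trusted).ratio() >= 0.8:
            return trusted
    return None


def triage(msg: dict) -> Finding:
    f = Finding()
    name, addr = parseaddr(msg["from"])
    from_dom = _domain(addr)
    _, reply = parseaddr(msg.get("reply_to", ""))
    text = f"{msg.get('subject', '')}\n{msg['body']}"

    real = EXECUTIVES.get(name.strip().lower())          # 1. executive display name, wrong mailbox
    if real and addr.lower() != real:
        f.add(3, f"display name '{name}' but address {addr}")
    if (like := _lookalike(from_dom)):                     # 2. lookalike of company or vendor domain
        f.add(2, f"sender domain {from_dom} resembles trusted {like}")
    if reply and _domain(reply) != from_dom:               # 3. replies redirected to another domain
        f.add(2, f"reply-to domain {_domain(reply)} differs from sender domain")
    if (m := PAYMENT_WORKFLOW.search(text)):               # 4. payment / payroll workflow language
        f.add(2, f"payment workflow term '{m.group(0)}'")
    for tactic, pat in PRESSURE.items():                   # 5. one point per persuasion tactic
        if (m := pat.search(text)):
            f.add(1, f"{tactic} cue '{m.group(0)}'")
    return f


def verdict(f: Finding) -> str:
    """Assumed cut-offs: hold anything that should be verified out of band before money moves."""
    if f.score >= 5:
        return "HOLD: verify out of band before acting"
    if f.score >= 3:
        return "REVIEW"
    return "LOW"


# Constructed sample messages (not real mail).
SAMPLES = {
    "ceo_gift_card": {
        "from": "Pat Rivera <pat.rivera@examp1e.com>", "subject": "Quick favor",
        "body": "Are you at your desk? I need 5 gift cards for a client today. "
                "This is approved, I'm in a meeting so just send me the codes."},
    "vendor_bank_change": {
        "from": "Accounts Payable <billing@acme-supplies.co>",
        "reply_to": "Accounts Payable <ap-desk@webmail-host.example>",
        "subject": "Updated remittance details for invoice 4471",
        "body": "Our bank has changed. Please update our banking details for the attached "
                "invoice and wire the payment immediately. New routing number below."},
    "benign_training": {
        "from": "IT Service Desk <helpdesk@example.com>", "subject": "Quarterly security training",
        "body": "The quarterly security awareness module is now available in the learning portal. "
                "Complete it by the end of the month."},
    "real_cfo_invoice": {
        "from": "Pat Rivera <pat.rivera@example.com>", "subject": "Vendor invoice",
        "body": "Please process the attached invoice through the normal approval workflow."},
}

if __name__ == "__main__":
    for label, msg in SAMPLES.items():
        f = triage(msg)
        print(f"{label}: score={f.score} {verdict(f)}")
        for r in f.reasons:
            print("   ", r)
```

The two genuine-looking messages score low even though both mention an invoice: money words alone are not a clue, it is the combination with a mismatched identity, a lookalike domain and pressure language that is. A heuristic like this is a triage aid for the reporting and review step; it does not replace sender authentication (SPF, DKIM, DMARC) or the out-of-band callback, which is the control that actually stops the payment.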
| Scenario | Most specific answer |
|---|---|
| CFO receives tailored fake acquisition invoice | Whaling or BEC |
| Employee gets SMS claiming package delivery problem | Smishing |
| Caller pretends to be IT and asks for MFA code | Vishing plus pretexting |
| Attacker leaves branded USB drives in lobby | Baiting |
| Person carrying boxes follows employee through door | Tailgating |
Trap Callout: The Channel Matters
If the lure arrives by SMS, choose smishing. If it is a phone call, choose vishing. If the target is an executive, whaling may be the more specific answer. If the story is the key feature, pretexting may be the best label.
Scenario Walkthrough
An employee receives a phone call from someone claiming to be from the service desk. The caller says a security update failed and asks the employee to read back an MFA code. The channel is voice, so vishing applies. The invented service desk story is pretexting. A genuine service desk never needs a user's MFA code; reading one back lets the caller finish a login they have already started with stolen credentials. The right response is to refuse to share the code, hang up, contact the service desk through an approved channel, and report the attempt.
Quick Drill
| Clue | Answer |
|---|---|
| Generic email to thousands | Phishing |
| Customized email to payroll clerk | Spear phishing |
| Customized email to CFO | Whaling |
| Text message with malicious link | Smishing |
| Phone call asking for credentials | Vishing |
| Fake story to build trust | Pretexting |
A caller claims to be from IT and asks a user to read back an MFA code to complete a security update. Which social engineering type is most directly tied to the communication channel?
An attacker sends a tailored payment request to the CFO using details from a current vendor relationship. Which label is most specific?