4.5 Social Engineering Types and Human Psychology

Key Takeaways

  • Social engineering attacks the human, not the system, by exploiting authority, urgency, fear, scarcity, social proof, liking, and the desire to be helpful.
  • Phishing variants differ by targeting and channel: phishing (broad email), spear phishing (targeted), whaling (executives), vishing (voice), smishing (SMS).
  • Pretexting builds a fabricated but believable scenario; baiting uses an enticing lure; quid pro quo offers a fake benefit in exchange for access or data.
  • Tailgating and piggybacking are physical techniques that bypass access control by following an authorized person; dumpster diving and shoulder surfing harvest data physically.
  • Business Email Compromise (BEC) impersonates a trusted executive or vendor to trigger fraudulent payments and frequently uses no malware at all.
Last updated: June 2026

The Psychology Attackers Exploit

Social engineering is manipulating people into divulging information or performing actions that compromise security. It is the most common initial-access vector in real breaches because it bypasses technical controls by targeting the human. CEH wants you to recognize both the psychological levers and the specific technique a scenario describes.

The levers (closely tracking Cialdini's principles of influence) are:

  • Authority — impersonating a boss, IT, police, or a vendor so the target complies without questioning.
  • Urgency / scarcity — "act now or the account is locked / the deal expires," short-circuiting deliberate thought.
  • Fear / intimidation — threats of fines, account suspension, or legal action.
  • Trust / liking — building rapport so the target lowers their guard.
  • Social proof — "everyone in your department already did this."
  • Reciprocity — doing a small favor first so the target feels obligated to return it.
  • Helpfulness — exploiting the natural desire to assist a stranger in apparent need.

The attack lifecycle CEH teaches: research the target (often via OSINT and footprinting from Module 2), develop a relationship/pretext, exploit the trust to extract data or access, and execute the objective. Social engineering can be human-based (direct interaction: impersonation, in person or by phone), computer-based (email, pop-ups, fake sites), or mobile-based (malicious apps, smishing).

Phishing and Its Channel Variants

The phishing family is defined by who is targeted and which channel is used — a distinction CEH tests directly:

Technique        | Channel            | Targeting
Phishing         | Email              | Broad, mass, untargeted
Spear phishing   | Email              | Specific person/org, researched
Whaling          | Email              | Senior executives (C-suite)
Vishing          | Voice / phone      | Often IT/help-desk or finance
Smishing         | SMS text           | Mobile users, rotating numbers
Pharming         | DNS/host redirect  | Many users to a fake site
Angler phishing  | Social media       | Users posting complaints

Phishing sends bulk deceptive emails hoping a fraction of recipients click a malicious link or attachment. Spear phishing is targeted and personalized using researched details (name, project, vendor), giving far higher success rates. Whaling is spear phishing aimed at high-value executives, frequently to authorize wire transfers. Vishing delivers the lure by voice call, typically a fake "IT support" or "bank fraud" caller, and increasingly uses AI voice cloning. Smishing delivers the lure by SMS with a malicious link, rotating phone numbers to evade filters. Pharming redirects victims at the DNS/hosts level so even a correctly typed URL lands on a fake site.

The key exam skill: read the scenario, note channel and targeting, and name the exact variant — a personalized email to one finance manager is spear phishing; the same lure to the CFO is whaling; a text message is smishing.

Pretexting, Baiting, and Physical Techniques

Beyond phishing, CEH tests several distinct named techniques:

  • Pretexting — inventing a believable fabricated scenario (a "pretext") to extract information, e.g., posing as an auditor or new IT hire who "just needs to verify your credentials." Pretexting is the engine behind most vishing and BEC.
  • Baiting — leaving an enticing lure that exploits curiosity or greed: a malware-loaded USB drive labeled "Salaries 2026" dropped in a parking lot, or a fake "free download."
  • Quid pro quo — offering a fake benefit/service in exchange for data or access, classically a caller posing as IT offering to "fix" a problem if the user surrenders their password.
  • Tailgating — an unauthorized person slips through a secured door by closely following an authorized employee (often by carrying boxes so someone holds the door).
  • Piggybacking — similar, but the authorized person knowingly grants access (e.g., out of politeness).
  • Dumpster diving — recovering sensitive data from discarded documents, media, or hardware.
  • Shoulder surfing — observing a victim entering a password or PIN.
  • Watering hole — compromising a website the target group frequents so visitors get infected.
  • Honeytrap / romance — using a fake romantic/social relationship to extract information.

Business Email Compromise (BEC) deserves emphasis: the attacker impersonates a trusted executive or vendor (via spoofed or compromised email) to trick finance staff into wiring money or changing payment details. BEC often involves no malware at all — it is pure social engineering and one of the costliest fraud categories. When a scenario describes a fake invoice or an "urgent CEO wire request," the answer is BEC.
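The psychological levers listed above and the BEC pattern just described are exactly what a mail-filtering heuristic looks for. The following Python is an added example, not part of the CEH module or any product: it scores a message for display-name impersonation of an executive, a Reply-To that steers answers elsewhere, a lookalike sender domain, and the urgency/authority/payment/"can't talk" cues that characterise a CEO wire request. The internal domain, the executive roster, the cue lists, the weights and thresholds, and both sample messages are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumptions (not from the page): the defended organization's mail domain and a
# roster of executives whose display names are worth protecting from impersonation.
INTERNAL_DOMAIN = "example.com"
EXECUTIVES = {"Jane Doe": "jane.doe@example.com"}

# Cue phrases for the levers the module lists (urgency, authority) plus the payment
# ask that defines BEC and the "don't verify with me" tell. Illustrative, short lists.
URGENCY_CUES = ("urgent", "immediately", "right away", "before end of day", "asap")
AUTHORITY_CUES = ("i need you to", "per my instructions", "the board", "ceo", "cfo")
PAYMENT_CUES = ("wire transfer", "new vendor account", "bank details", "updated banking", "invoice")
AVOIDANCE_CUES = ("can't talk", "in a meeting", "do not call", "don't call")


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to spot lookalike domains (examp1e.com vs example.com)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_message(raw: str) -> dict:
    """Return a score, the triggered reasons, and a verdict for one RFC 822 message."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = (msg.get("Subject", "") + "\n" + body).lower()

    score, reasons = 0, []
    # 1. Display-name impersonation: an executive's name on a mailbox that is not theirs.
    real = EXECUTIVES.get(from_name)
    if real and from_addr.lower() != real:
        score += 4
        reasons.append(f"display name '{from_name}' but sender is {from_addr}")
    # 2. Reply-To steering replies to a different domain than the visible sender.
    if reply_addr and domain_of(reply_addr) != domain_of(from_addr):
        score += 3
        reasons.append(f"Reply-To domain {domain_of(reply_addr)} != From domain {domain_of(from_addr)}")
    # 3. Lookalike domain: one or two edits away from the real one.
    dist = levenshtein(domain_of(from_addr), INTERNAL_DOMAIN)
    if 0 < dist <= 2:
        score += 3
        reasons.append(f"lookalike domain {domain_of(from_addr)} (edit distance {dist})")
    # 4. Psychological levers and the payment ask; one hit per category counts.
    for label, cues, weight in (("urgency", URGENCY_CUES, 2),
                                ("authority", AUTHORITY_CUES, 1),
                                ("payment request", PAYMENT_CUES, 2),
                                ("verification avoidance", AVOIDANCE_CUES, 2)):
        hit = next((c for c in cues if c in text), None)
        if hit:
            score += weight
            reasons.append(f"{label} cue: '{hit}'")

    verdict = "likely BEC" if score >= 6 else "review" if score >= 3 else "low risk"
    return {"score": score, "verdict": verdict, "reasons": reasons}


# Constructed sample messages (not real traffic).
BEC_LURE = """\
From: "Jane Doe" <jane.doe@examp1e.com>
Reply-To: <jane.doe.office@mail.example>
To: clerk@example.com
Subject: URGENT wire transfer

I need you to process a wire transfer to a new vendor account before end of day.
I'm in a meeting and can't talk, just get it done.
"""

BENIGN = """\
From: "Jane Doe" <jane.doe@example.com>
To: clerk@example.com
Subject: Q3 budget review

Please send over the Q3 figures when you have a moment.
"""

if __name__ == "__main__":
    for name, raw in (("lure", BEC_LURE), ("benign", BENIGN)):
        print(name, score_message(raw))
```

The header checks carry most of the weight on purpose: wording cues are easy for an attacker to vary, whereas a lookalike domain or a Reply-To pointing off-domain is structural and cheap to verify. In practice this score would feed a quarantine or a banner ("external sender using an executive's name"), and any payment-change request would still be confirmed out-of-band regardless of score.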

Human Attack Vectors, Insider Risk, and Quick Identification

CEH groups the human attack vectors into three delivery surfaces, which helps you match a scenario to a technique:

  • Human-based — direct interaction: impersonation (posing as a vendor, employee, or VIP), eavesdropping, shoulder surfing, dumpster diving, tailgating/piggybacking, and reverse social engineering (the attacker makes the victim seek them out for help).
  • Computer-based — phishing, spear phishing, fake pop-ups/scareware, spam with malicious links, and fake websites/clone sites.
  • Mobile-based — malicious apps, repackaged legitimate apps, smishing, and fake security/banking apps.

Social engineering is also the classic on-ramp for insider threats: a phished or bribed employee becomes a foothold. Attackers especially target help desk and IT (password resets), HR (employee data, vishing), and finance (BEC, fraudulent payments), because those roles are trained to be helpful and have valuable access.

A fast identification table for the exam:

Scenario cue                                 | Technique
Mass deceptive email                         | Phishing
Researched email to one person               | Spear phishing
Email targeting the CEO/CFO                  | Whaling
Phone call lure                              | Vishing
SMS link lure                                | Smishing
Fabricated backstory to extract info         | Pretexting
Enticing USB/free download                   | Baiting
"I'll fix it if you give me your password"   | Quid pro quo
Following through a secure door              | Tailgating
Fake CEO wire request                        | BEC
Infecting a site the target visits           | Watering hole

Generative AI now supercharges these attacks — flawless phishing copy, deepfake voice/video for vishing and whaling, and convincing fake personas — which is why CEH v13 weaves AI through the social-engineering module. The defense, covered next, remains people-centric: train, verify out-of-band, and layer technical controls.

Test Your Knowledge

An attacker leaves USB drives labeled "Executive Bonuses 2026" in the company parking lot, hoping employees plug them in. Which technique is this?

A finance clerk receives a personalized email appearing to come from the CFO marked URGENT, requesting an immediate wire transfer to a new vendor account. No malware is attached. This is best classified as:

An unauthorized person carries a large box and follows an employee through a badge-controlled door before it closes. Which physical social-engineering technique is this?

A caller claims to be from the bank's fraud department and pressures the victim to read back a one-time code to 'stop a fraudulent charge.' What channel-based technique is this?
