Social Engineering Types and Clues
Key Takeaways
- Social engineering exploits human factors: authority, intimidation, consensus/social proof, scarcity, urgency, familiarity/likability, and trust.
- Phishing is broad, spear phishing is targeted, whaling targets executives, smishing uses SMS, and vishing uses voice; the delivery channel often picks the answer.
- Pretexting supplies a believable story, baiting offers something tempting, tailgating/piggybacking abuses physical entry, and watering-hole attacks compromise a site the target trusts.
- Business email compromise (BEC) manipulates a payment or payroll process, not just a login, and is best stopped with out-of-band verification.
- Strong answers combine verification procedures, user reporting, technical email controls, and process controls rather than a single fix.
Clue-Based Questions
Social-engineering items on SY0-701 are recognition exercises. The attacker frequently needs no malware at all if a person can be convinced to click, approve, reveal a code, pay an invoice, or hold a door. Your job is to attach the correct label, which usually hinges on the delivery channel (email, SMS, voice, physical) and the target (mass audience, a specific team, or a senior executive).
Technique Catalog
| Technique | Definition | Strongest clue |
|---|---|---|
| Phishing | Deceptive message sent broadly | Generic email to many recipients |
| Spear phishing | Phishing tailored to a person/team | Message references your role or project |
| Whaling | Spear phishing aimed at executives | Targets the CEO, CFO, or their assistant |
| Smishing | Lure delivered by SMS/text | Urgent text with a link |
| Vishing | Voice-based deception | Phone call impersonating IT or a bank |
| Pretexting | Fabricated backstory to build trust | Fake auditor, vendor, or help-desk story |
| Baiting | Tempting object or offer | Free gift card, a USB drive left in the lobby |
| Tailgating / piggybacking | Following someone through a secure door | Person slips in behind a badge-holder |
| Shoulder surfing | Observing secrets in person | Watching a PIN or password entry |
| Dumpster diving | Searching trash for information | Printed records discarded uncut |
| Watering hole | Compromising a site the target trusts | Industry portal serves malware to visitors |
| Pharming / typosquatting | Redirect or look-alike domain | DNS poisoning or misspelled URL |
| Impersonation / brand impersonation | Posing as a trusted person or brand | Logo and tone mimic a known company |
The Seven Persuasion Principles
Security+ calls out seven human factors that attackers weaponize. Recognize the language pattern that signals each one; a single message often stacks two or three.
| Principle | What it sounds like |
|---|---|
| Authority | "The CEO has approved this transfer." |
| Intimidation | "You will be reported if you delay." |
| Consensus / social proof | "Everyone on your team already did this." |
| Scarcity | "Only the first ten users keep access." |
| Urgency | "This must be done in the next 10 minutes." |
| Familiarity / likability | "I worked with your manager last week." |
| Trust | "I'm from IT, you can rely on me." |
Business Email Compromise
Business email compromise (BEC) targets a process, not just a credential. Watch for changed invoice details, wire-transfer requests, payroll direct-deposit changes, gift-card requests, or vendor banking updates. The single best mitigation is an out-of-band verification procedure (call a number already on file, never one supplied in the message) backed by email authentication (DMARC) and easy user reporting. Keep the limits of DMARC in mind: it blocks mail that forges the supplier's exact domain, but it does nothing against a look-alike domain or a genuinely compromised supplier mailbox, which is why the phone call is the control that decides the outcome.
Scenario Labels
| Scenario | Most specific label |
|---|---|
| CFO receives a tailored fake acquisition invoice | Whaling / BEC |
| Employee gets an SMS about a package delivery problem | Smishing |
| Caller pretends to be IT and asks for an MFA code | Vishing + pretexting |
| Attacker leaves branded USB drives in the lobby | Baiting |
| Person carrying boxes follows a badge-holder inside | Tailgating |
| A trade-association website silently serves malware | Watering hole |
Trap Callout: The Channel Picks the Answer
If the lure arrives by SMS, choose smishing. If by phone, choose vishing. If the target is an executive, whaling is more specific than plain phishing. If the defining feature is the invented story, pretexting is the best label. Many SY0-701 items list two correct-sounding options where only the most specific one earns the point.
Scenario Walkthrough
An employee receives a phone call from someone claiming to be the service desk. The caller says a security update failed and asks the employee to read back an MFA code. The channel is voice, so vishing applies; the fabricated service-desk story is pretexting. The correct response is to refuse to share the code, hang up, call the service desk through an approved number, and report the attempt. Reading back the code would defeat MFA entirely: a caller who already holds the user's password is typically triggering the prompt in real time and needs only that code to finish logging in.
Quick Drill
| Clue | Answer |
|---|---|
| Generic email to thousands | Phishing |
| Customized email to a payroll clerk | Spear phishing |
| Customized email to the CFO | Whaling |
| Text message with a malicious link | Smishing |
| Phone call asking for credentials | Vishing |
| Fake story used to build trust | Pretexting |
| Malware planted on a trusted industry site | Watering hole |
Reading the Phishing Indicators
SY0-701 also tests the concrete indicators that let a user spot a phishing message before clicking. Mismatched or look-alike sender domains, a hyperlink whose displayed text differs from its true destination, unexpected attachments, generic greetings such as "Dear customer," subtle grammar and spelling errors, and a sense of manufactured urgency are the classic tells. Brand impersonation pairs a familiar logo and tone with one of these flaws, and typosquatting registers a domain one keystroke away from the real one so a hurried reader does not notice.
Teaching users to hover over links, verify the domain, and report rather than click is the behavioral control that backs up technical filtering.
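As an added example that is not part of the original study guide, the following Python script applies the same tells to a raw message instead of a human eye: it compares the From and Reply-To domains, flags a sender domain within two keystrokes of a supplier domain on file (the look-alike-supplier pattern behind many BEC attempts), checks that each link's displayed text and real destination resolve to the same domain, looks for an unexpected attachment, and searches the visible text for generic greetings and urgency wording. The sample message, the domain on file (acmecorp.com), the keyword lists and the edit-distance threshold are constructed assumptions for illustration; the standard library does the rest.

```python
"""Scan a raw email for the classic phishing indicators: mismatched sender
domains, link text that disagrees with its href, look-alike (typosquatted)
domains, unexpected attachments, generic greetings and urgency language.
Added example; sample data and thresholds below are assumptions."""
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample. "acmecorp.com" stands in for a supplier whose domain is
# on file; the sender swaps "m" for "rn", a classic typosquat.
SAMPLE_EML = """\
From: "Acme Corp Billing" <billing@acrnecorp.com>
Reply-To: ap.desk@mail-acmecorp-remit.net
To: clerk@example.org
Subject: URGENT: updated remittance details
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Dear customer,</p>
<p>Our bank details have changed. Update them within 24 hours or your
account will be suspended.</p>
<p><a href="http://acrnecorp.com/update">https://portal.acmecorp.com/remit</a></p>
</body></html>
"""

KNOWN_DOMAINS = {"acmecorp.com"}   # assumption: supplier domains on file
LOOKALIKE_MAX_DISTANCE = 2         # assumption: tuning threshold
URGENCY = re.compile(r"\b(urgent|immediately|within \d+ (hours?|minutes?)|suspended)\b", re.I)
GENERIC_GREETING = re.compile(r"\bdear (customer|user|member|account holder)\b", re.I)
URL_LIKE = re.compile(r"^(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs plus all visible text from HTML."""
    def __init__(self):
        super().__init__()
        self.links, self.text = [], []
        self._href, self._anchor_text = None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._anchor_text = dict(attrs).get("href"), []

    def handle_data(self, data):
        self.text.append(data)
        if self._href is not None:
            self._anchor_text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._anchor_text).strip()))
            self._href = None


def registrable(host):
    """Last two DNS labels; a production scanner would use the Public Suffix List."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def addr_domain(header_value):
    return registrable(parseaddr(header_value or "")[1].rpartition("@")[2])


def url_domain(text):
    return registrable(urlparse(text if "://" in text else "http://" + text).hostname or "")


def edit_distance(a, b):
    """Levenshtein distance, used to spot domains one or two keystrokes away."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def scan_email(raw):
    """Return (indicator, detail) findings for one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=policy.default)
    findings = []
    sender = addr_domain(msg["From"])
    reply_to = addr_domain(msg["Reply-To"]) if msg["Reply-To"] else sender
    if reply_to != sender:                       # replies go somewhere else
        findings.append(("reply_to_mismatch", f"{sender} -> {reply_to}"))
    if sender and sender not in KNOWN_DOMAINS:   # near miss of a domain on file
        for known in KNOWN_DOMAINS:
            if edit_distance(sender, known) <= LOOKALIKE_MAX_DISTANCE:
                findings.append(("lookalike_sender", f"{sender} ~ {known}"))
    if any(True for _ in msg.iter_attachments()):
        findings.append(("attachment", "unexpected attachment present"))
    body = msg.get_body(preferencelist=("html", "plain"))
    collector = LinkCollector()
    collector.feed(body.get_content() if body else "")
    for href, text in collector.links:           # displayed URL vs real target
        if URL_LIKE.match(text) and url_domain(text) != url_domain(href):
            findings.append(("link_mismatch", f"shows {url_domain(text)}, goes to {url_domain(href)}"))
    visible = " ".join(collector.text)
    if GENERIC_GREETING.search(visible):
        findings.append(("generic_greeting", GENERIC_GREETING.search(visible).group(0)))
    if URGENCY.search(visible):
        findings.append(("urgency", URGENCY.search(visible).group(0)))
    return findings


if __name__ == "__main__":
    for code, detail in scan_email(SAMPLE_EML):
        print(f"{code:18} {detail}")
```

Run on the sample, every indicator except the attachment fires. The two-label `registrable()` helper is the weak spot for real traffic (it treats `example.co.uk` as `co.uk`), so swap in a Public Suffix List lookup before relying on the look-alike check.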
Layered Defenses
No single control stops social engineering, so the strongest exam answers combine four layers. Technical controls include email authentication through Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC), plus link rewriting, attachment sandboxing, and spam filtering. Process controls add out-of-band verification for any payment or account change, dual approval for wire transfers, and clear escalation paths. Awareness controls deliver recurring security training and simulated phishing campaigns that measure click rates over time.
Reporting controls give users a one-click report button so a single sharp-eyed employee can warn the whole organization.
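As an added example that is not part of the original study guide, the following Python code shows what the technical layer actually decides. DMARC does not ask whether SPF or DKIM passed in isolation; it asks whether a passing result is aligned with the domain in the visible From: header, and the published record then tells the receiver what to do on failure. The code parses a DMARC TXT record, lists why a monitoring-only record stops nothing, and evaluates constructed Authentication-Results headers (as a receiving mail server would stamp them) against a weak record and an enforcing one. The domains, records and headers are assumptions for illustration.

```python
"""Evaluate the DMARC layer: parse a published record, report its weaknesses,
and decide one message's verdict from its Authentication-Results header.
Added example; all domains, records and headers are constructed."""
import re
from email.utils import parseaddr

# Constructed records for an assumed domain: the monitoring-only record many
# domains never move past, beside one that enforces rejection.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@acmecorp.com"
STRICT_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@acmecorp.com"

# Constructed Authentication-Results values. The spoof passes SPF and DKIM for
# the attacker's own sending domain, which is exactly what alignment catches.
SPOOFED_AR = ("mx.example.org; spf=pass smtp.mailfrom=bounce@attacker-mailer.net; "
              "dkim=pass header.d=attacker-mailer.net header.s=k1")
LEGIT_AR = ("mx.example.org; spf=pass smtp.mailfrom=bounce@notify.acmecorp.com; "
            "dkim=pass header.d=acmecorp.com header.s=sel2024")

SPF_RE = re.compile(r"spf=(\w+)\s+smtp\.mailfrom=(?:[^@\s;]+@)?([\w.-]+)", re.I)
DKIM_RE = re.compile(r"dkim=(\w+)\s+header\.d=([\w.-]+)", re.I)


def registrable(host):
    """Organizational domain approximated as the last two labels (use the Public Suffix List in practice)."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def parse_dmarc(record):
    """Parse a DMARC TXT record into the tags that drive disposition and alignment."""
    tags = {}
    for item in record.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    p = tags.get("p", "none")
    return {"p": p, "sp": tags.get("sp", p), "adkim": tags.get("adkim", "r").lower(),
            "aspf": tags.get("aspf", "r").lower(), "pct": int(tags.get("pct", "100"))}


def policy_weaknesses(record):
    """Reasons a record would let a forged From: address through."""
    pol = parse_dmarc(record)
    issues = []
    if pol["p"] == "none":
        issues.append("p=none: failures are only reported, never blocked")
    if pol["sp"] == "none" and pol["p"] != "none":
        issues.append("sp=none: subdomains can still be spoofed")
    if pol["pct"] < 100:
        issues.append(f"pct={pol['pct']}: only a sample of failures is acted on")
    return issues


def dmarc_evaluate(from_header, auth_results, record):
    """Verdict for one message: pass only if SPF or DKIM passed AND aligns with From:."""
    pol = parse_dmarc(record)
    from_domain = parseaddr(from_header)[1].rpartition("@")[2].lower()

    def aligned(domain, mode):
        domain = domain.lower()
        if mode == "s":                      # strict: exact domain match
            return domain == from_domain
        return registrable(domain) == registrable(from_domain)   # relaxed

    spf_aligned = any(r.lower() == "pass" and aligned(d, pol["aspf"])
                      for r, d in SPF_RE.findall(auth_results))
    dkim_aligned = any(r.lower() == "pass" and aligned(d, pol["adkim"])
                       for r, d in DKIM_RE.findall(auth_results))
    passed = spf_aligned or dkim_aligned
    # On failure, p= governs the organizational domain and sp= any subdomain.
    failure_policy = pol["p"] if from_domain == registrable(from_domain) else pol["sp"]
    return {"from_domain": from_domain, "spf_aligned": spf_aligned,
            "dkim_aligned": dkim_aligned, "result": "pass" if passed else "fail",
            "disposition": "none" if passed else failure_policy}


if __name__ == "__main__":
    for name, record in (("weak", WEAK_DMARC), ("strict", STRICT_DMARC)):
        print(name, "weaknesses:", policy_weaknesses(record) or "none")
        print("  spoof :", dmarc_evaluate("billing@acmecorp.com", SPOOFED_AR, record))
        print("  legit :", dmarc_evaluate("billing@acmecorp.com", LEGIT_AR, record))
```

Two things worth noticing when you run it. The spoofed message "passes" SPF and DKIM yet fails DMARC under both records, and only the enforcing record turns that failure into a rejection. Going strict has a cost: with `aspf=s`, legitimate mail whose bounce address lives on `notify.acmecorp.com` no longer aligns through SPF, so it survives only because DKIM signs with the exact From: domain. Roll out `p=reject` after the reports from `p=none` show every legitimate sender is covered.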
A BEC Walkthrough
Consider an accounts-payable clerk who receives an email that appears to come from a known supplier requesting that future payments go to a new bank account. The message is polite, references a real invoice number, and is signed with the supplier's normal contact name. Nothing in the text is overtly malicious, which is exactly why business email compromise succeeds: the attacker has either compromised the supplier's real mailbox or registered a domain one keystroke away from it. The correct response is never to update the banking details from the email alone. Instead, the clerk calls the supplier using a phone number already on file (never a number or contact supplied in the message, since the attacker controls those), confirms the change verbally, and only then proceeds.
This out-of-band verification step is the control SY0-701 wants you to choose, because it breaks the attacker's reliance on a single compromised or spoofed channel.
Practice Questions
A caller claims to be from IT and asks a user to read back an MFA code to complete a security update. Which technique is most directly tied to the communication channel used?
Employees in one industry are compromised after visiting a trusted trade-association website that was secretly modified to serve malware. Which technique is this?
Which are common persuasion principles used in social engineering? Choose three.