Social Engineering Techniques
What the Exam Is Really Testing
What is the difference between phishing, spear phishing, and whaling? Most candidates can give a textbook answer. But when the exam drops you into a scenario where a CFO receives a personalized email about a board meeting, you need to pick the right label fast — and explain what psychological trigger the attacker is pulling.
Given a scenario describing a social engineering attack, identify the specific technique being used, the psychological principle driving it, and the appropriate countermeasure.
Social engineering questions are less about definitions and more about pattern matching. The exam presents overlapping techniques in a single scenario — vishing combined with pretexting, urgency layered on top of authority — and expects you to untangle them.
Phishing Variants
Phishing is the broadest category of social engineering, and the exam tests several specific variants. Knowing the differences between them is essential.
Phishing
General phishing sends fraudulent messages to a large audience, hoping some percentage will click a malicious link or provide credentials. It is untargeted and relies on volume. The messages impersonate trusted brands, services, or institutions.
Spear Phishing
Spear phishing targets a specific individual or small group. The attacker researches the target and crafts a personalized message referencing their role, projects, or relationships. It is significantly more effective than general phishing because the message appears legitimate and relevant.
On the exam, if a scenario describes a personalized email mentioning the target by name or referencing specific internal projects, it is spear phishing — not general phishing.
Whaling
Whaling targets senior executives or high-value individuals. The stakes are higher, the research is deeper, and the messaging often references board decisions, legal matters, or financial transactions that only executives would handle.
Smishing
Smishing delivers phishing through SMS text messages. The messages typically create urgency — "Your account has been locked" or "Verify your identity immediately" — and include a link to a credential harvesting site.
Vishing
Vishing uses voice calls to extract information. Attackers impersonate IT support, banks, government agencies, or executives. Vishing exploits the real-time pressure of a phone conversation, making it harder for targets to pause and verify.
Advanced Social Engineering Techniques
Pretexting
Pretexting creates a fabricated scenario to establish trust and extract information. The attacker assumes an identity — IT technician, auditor, vendor representative — and builds a believable narrative that justifies their request for access or data.
Pretexting is the foundation of many social engineering attacks. A vishing call often uses pretexting as its framework. The exam tests whether you recognize pretexting as the technique of creating a false context, distinct from the delivery method.
Typosquatting
Typosquatting registers domain names that closely resemble legitimate domains but contain common misspellings: gooogle.com, microsofft.com, or amazom.com. Users who mistype the URL land on a malicious site that mimics the real one.
The exam may present this as part of a credential harvesting attack where users type a URL incorrectly and enter their credentials on a convincing fake page.
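The following script is an added example for this page, not code from the page's author or from any product. It generates the lookalike domains a typosquatter typically registers for a protected brand (single-character omission, doubling, transposition, substitution, and homoglyph swaps such as rn for m) and checks sender addresses against that set, while treating genuine subdomains as legitimate. The protected-brand list, homoglyph table and sender addresses are constructed for illustration; the brands are the ones the page itself uses as examples.

```python
"""Lookalike-domain check for typosquatting and credential-harvesting triage.

Added example for this page, not from any product or from the page's author.
The protected brands, homoglyph table and sender addresses are constructed.
"""
from string import ascii_lowercase
from typing import Optional

# Brands whose lookalikes we want to catch (constructed list).
PROTECTED_DOMAINS = ["google.com", "microsoft.com", "amazon.com"]

# Character sequences that imitate a letter in common fonts (real -> imitations).
HOMOGLYPHS = {"m": ["rn"], "w": ["vv"], "o": ["0"], "l": ["1", "i"], "i": ["l"], "d": ["cl"]}


def typo_variants(domain: str) -> set:
    """Generate the lookalikes a typosquatter typically registers for `domain`:
    one-character omission, doubling, transposition, substitution and homoglyph
    swaps in the leftmost label (the TLD is kept as-is)."""
    label, dot, tld = domain.partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])             # omission:      gogle
        variants.add(label[:i] + label[i] + label[i:])      # doubling:      gooogle
        for ch in ascii_lowercase:
            variants.add(label[:i] + ch + label[i + 1:])    # substitution:  amazom
        if i + 1 < len(label):                              # transposition: gogole
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
    for real, fakes in HOMOGLYPHS.items():
        idx = label.find(real)
        if idx != -1:
            for fake in fakes:                              # homoglyph:     rnicrosoft
                variants.add(label[:idx] + fake + label[idx + 1:])
    variants.discard(label)                                 # the real name is not a variant
    return {v + dot + tld for v in variants}


# Precomputed index: lookalike domain -> brand it imitates.
LOOKALIKE_INDEX = {v: brand for brand in PROTECTED_DOMAINS for v in typo_variants(brand)}


def lookalike_of(address: str) -> Optional[str]:
    """Return the protected brand that the sender address imitates, or None.
    Real subdomains of a protected brand (mail.google.com) are not lookalikes.
    Assumes a two-label registrable domain; a public-suffix list would be needed
    for suffixes such as co.uk."""
    host = address.rsplit("@", 1)[-1].lower().strip("> ")
    if any(host == b or host.endswith("." + b) for b in PROTECTED_DOMAINS):
        return None
    registrable = ".".join(host.split(".")[-2:])
    return LOOKALIKE_INDEX.get(registrable)


# Constructed sender addresses, as a mail gateway or SOC script might see them.
SAMPLE_SENDERS = [
    "alerts@mail.google.com",           # legitimate subdomain
    "security@gooogle.com",             # doubled letter
    "billing@amazom.com",               # substituted letter
    "helpdesk@rnicrosoft.com",          # homoglyph rn -> m
    "no-reply@login.microsofft.com",    # doubled letter under a subdomain
    "team@example.org",                 # unrelated domain
]


def triage(senders: list) -> dict:
    """Map each sender to the brand it imitates (None when it does not)."""
    return {s: lookalike_of(s) for s in senders}


if __name__ == "__main__":
    for sender, brand in triage(SAMPLE_SENDERS).items():
        print(f"{sender:32} -> {'imitates ' + brand if brand else 'ok'}")
```

The same variant generator can be pointed at your own domain to pre-register or monitor the names an attacker would use against your staff, and at partner domains to catch vendor impersonation in invoices. It deliberately does not cover TLD swaps (amazon.co) or subdomain tricks such as amazon.com.evil.example, which need a separate check.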
Watering Hole Attacks
Instead of targeting the victim directly, watering hole attacks compromise a website the victim frequently visits. The attacker identifies websites popular with the target group, injects malicious code into those sites, and waits for victims to visit.
This technique is effective against security-conscious targets who would recognize a direct phishing attempt. Because no message is ever sent, mail filtering and phishing awareness training never come into play: the malicious code is served from a site the victim already trusts and visits on their own.
Brand Impersonation
Brand impersonation creates fake communications that appear to come from well-known brands. Fake login pages, counterfeit emails, and fraudulent support messages replicate the visual identity of trusted companies to harvest credentials or install malware.
On the exam, brand impersonation is the answer when the scenario emphasizes a faithful copy of a company's logos, page layout, and tone. It usually arrives as a phishing message, but the defining feature is the replicated identity rather than the act of sending a deceptive message.
Business Email Compromise (BEC)
BEC attacks compromise or spoof a legitimate business email account to authorize fraudulent transactions. Common scenarios include a CFO requesting an urgent wire transfer, a vendor sending updated payment information, or an executive authorizing a purchase.
BEC is one of the most financially damaging attack types. The exam tests whether you recognize BEC as distinct from general phishing: it targets specific financial processes and exploits authority and established payment workflows, and it typically carries no malicious link or attachment, which is why link-scanning filters often miss it.
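The script below is an added example for this page, not code from the page's author or from any product. It runs three BEC heuristics over raw e-mail text: an executive's display name on an address outside the organization, a Reply-To domain that differs from the From domain, and a payment request combined with urgency or secrecy language. The organization domain, executive names, keyword lists and the three sample messages are constructed for illustration (all domains are in the reserved example.* space).

```python
"""Heuristic BEC triage over raw e-mail text.

Added example for this page, not from any product or from the page's author.
The organisation domain, executive names, keyword lists and the three messages
are constructed for illustration.
"""
from email import message_from_string
from email.utils import parseaddr

ORG_DOMAIN = "example.com"                            # constructed: the defending organisation
EXECUTIVES = {"dana lee": "CEO", "sam ortiz": "CFO"}  # constructed: names an attacker would borrow

FINANCIAL_TERMS = ("wire transfer", "invoice", "payment", "bank details", "account number")
PRESSURE_TERMS = ("urgent", "immediately", "today", "asap", "confidential", "do not discuss")


def bec_indicators(raw: str) -> list:
    """Return the BEC indicators present in one RFC 5322 message (empty list = none)."""
    msg = message_from_string(raw)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    reply_domain = reply_addr.rsplit("@", 1)[-1].lower() if reply_addr else from_domain

    findings = []
    # 1. Display-name spoofing: an executive's name on an address outside the org.
    role = EXECUTIVES.get(from_name.strip().lower())
    if role and from_domain != ORG_DOMAIN:
        findings.append(f"display name of the {role} on external domain {from_domain}")
    # 2. Reply-To redirection: replies go somewhere other than the apparent sender.
    if reply_domain != from_domain:
        findings.append(f"Reply-To domain {reply_domain} differs from From domain {from_domain}")
    # 3. Content: a payment request combined with urgency or secrecy language.
    text = (msg.get("Subject", "") + " " + msg.get_payload()).lower()
    if any(t in text for t in FINANCIAL_TERMS) and any(t in text for t in PRESSURE_TERMS):
        findings.append("financial request combined with urgency/secrecy language")
    return findings


# Constructed message 1: spoofed display name, external From, Reply-To to a third domain.
SPOOFED = """From: Dana Lee <dana.lee@example.net>
Reply-To: Dana Lee <dana.lee.ceo@example.org>
To: Sam Ortiz <sam.ortiz@example.com>
Subject: Urgent wire transfer

Sam, I need a $250,000 wire transfer to the vendor today for a confidential acquisition.
Do not discuss this with anyone until the deal closes.
"""

# Constructed message 2: the CEO's real mailbox has been compromised; headers look normal.
COMPROMISED = """From: Dana Lee <dana.lee@example.com>
To: Sam Ortiz <sam.ortiz@example.com>
Subject: Vendor payment

Please process the wire transfer for the vendor invoice immediately and keep it confidential.
"""

# Constructed message 3: ordinary internal mail.
BENIGN = """From: Dana Lee <dana.lee@example.com>
To: Sam Ortiz <sam.ortiz@example.com>
Subject: Board deck

Thanks for the updated slides, they look good for Thursday.
"""


if __name__ == "__main__":
    for name, raw in [("spoofed", SPOOFED), ("compromised", COMPROMISED), ("benign", BENIGN)]:
        print(name, bec_indicators(raw) or ["no indicators"])
```

The second message is the important one. It comes from the executive's real mailbox, so the header checks are silent and SPF, DKIM and DMARC would all pass as well; only the content heuristic fires, and a careful attacker can word around that. This is why the exam's preferred BEC countermeasure is procedural rather than technical: a call back to the requester on a known number, dual approval for large transfers, and out-of-band confirmation of any change to vendor bank details.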
Motivation Techniques
Social engineering works because it exploits psychological principles. The exam tests six specific motivation techniques that attackers use to manipulate targets.
Authority
People comply with requests from perceived authority figures. An attacker impersonating a CEO, law enforcement officer, or IT director leverages authority to bypass normal verification procedures.
Exam indicator: the scenario mentions someone claiming to be in a position of power and demanding immediate action.
Urgency
Creating time pressure forces targets to act before thinking critically. "Your account will be suspended in 30 minutes" or "This must be processed by end of day" are urgency triggers.
Urgency works because it short-circuits the verification process. When people feel rushed, they skip the steps that would reveal the attack.
Consensus (Social Proof)
People follow the behavior of others. An attacker might say "Everyone in your department has already completed this verification" or display fake reviews and testimonials to establish legitimacy.
Scarcity
Limited availability creates pressure to act. "Only 3 spots remaining" or "This offer expires today" triggers fear of missing out and reduces critical evaluation.
Familiarity
People trust what they recognize. Attackers use familiar names, logos, processes, and communication styles to make their messages feel normal. A well-crafted phishing email from a "colleague" feels safer than one from an unknown sender.
Trust
Building rapport and establishing credibility over time makes targets more compliant. An attacker might engage in several normal interactions before making a malicious request, or exploit existing trust relationships within the organization.
Pattern Recognition
When a social engineering question appears, use this framework:
- What is the delivery method? (email, phone, SMS, website, in-person)
- Is the attack targeted or broad?
- What psychological principle is being exploited?
- What is the attacker trying to obtain? (credentials, money, access, information)
Pattern shortcuts:
- Personalized email + internal project references = spear phishing
- Executive target + financial request = whaling or BEC
- Fake identity + fabricated scenario = pretexting
- Compromised popular website = watering hole
- Misspelled domain + credential harvesting = typosquatting
- "Act now or lose access" = urgency motivation
Trap Patterns
Common exam traps for social engineering questions:
- Confusing spear phishing with whaling. Both are targeted. Whaling specifically targets senior executives. If the target is a regular employee, it is spear phishing.
- Mixing up pretexting with phishing. Pretexting is the creation of a false scenario. Phishing is the delivery of fraudulent messages. Many phishing attacks use pretexting, but they are separate concepts.
- Overlooking BEC as distinct from phishing. BEC focuses on financial transactions using compromised or spoofed business email. It does not require malicious links or attachments.
- Treating social engineering as purely technical. The correct countermeasure for social engineering is almost always security awareness training, verification procedures, and process controls — not technical filtering alone.
Scenario Practice
Question 1
An employee receives a phone call from someone claiming to be from the IT department. The caller says there is a critical security update that must be installed immediately and asks the employee to provide their network credentials so IT can push the update remotely.
Which social engineering techniques are being used?
Answer & reasoning
Answer: Vishing combined with pretexting, using authority and urgency as motivation techniques
The delivery method is a voice call (vishing). The attacker created a false identity as IT support (pretexting). They leveraged perceived authority (the IT department) and urgency (a critical update that must be installed immediately) to pressure compliance. The countermeasure is procedural: legitimate IT support never needs a user's password, and an unsolicited call like this should be ended and verified by calling the help desk on its published number.
Recognizing multiple overlapping techniques in a single scenario is a key exam skill.
Question 2
A security analyst discovers that the website of an industry trade association has been compromised with malicious JavaScript. Several employees in the organization's research department visited the site in the past week and their workstations are now infected with malware.
Which social engineering technique does this describe?
Answer & reasoning
Answer: Watering hole attack
The attacker compromised a website that the target group (research department employees) regularly visits. Instead of attacking the targets directly, the attacker waited for them to come to the compromised site.
This is not phishing because no deceptive message was sent. The attack leveraged an existing browsing habit rather than initiating contact.
Question 3
The CFO receives an email that appears to come from the CEO's email account. The email requests an urgent wire transfer of $250,000 to a vendor for a confidential acquisition. The email instructs the CFO not to discuss the matter with anyone else until the deal closes.
Which attack type is this, and which motivation techniques are being used?
Answer & reasoning
Answer: Business email compromise (BEC) using authority, urgency, and trust
The email either spoofs the CEO's address or was sent from the CEO's compromised account (BEC). It leverages authority (CEO to CFO), urgency (an immediate wire transfer), and trust (the existing executive relationship). The instruction to keep the matter confidential exists to block the out-of-band check that would expose the attack, which is exactly why the countermeasure is a payment process that requires a call back to the requester on a known number and a second approver for large transfers.
BEC is distinguished from phishing by its focus on financial transactions and exploitation of business authority structures rather than malicious links.
Key Takeaway
Social engineering attacks target human psychology, not technology. That means the best defenses combine awareness training with verification procedures — not just email filters and firewalls.
For exam success, make sure you can distinguish between the phishing variants (general, spear, whaling, smishing, vishing) and name the psychological motivation technique at work in any scenario. Most exam questions layer multiple techniques together, so practice untangling them. When the question asks for the best countermeasure, look for the answer that addresses the human element first.