CompTIA A+ Core 2: Explain Common Social-Engineering Attacks, Threats, and Vulnerabilities

CompTIA A+ Core 2: Explain Common Social-Engineering Attacks, Threats, and Vulnerabilities

1. Introduction

For CompTIA A+ Core 2 (220-1102), social engineering matters because you’re not just cramming attack names for a test — you’re learning how these scams actually show up in real support work. You need to be able to explain the common social-engineering attacks, the threats that often follow them, and the weak spots that make them possible in the first place. In day-to-day support work, attackers usually don’t kick things off with some fancy technical exploit. Honestly, they usually start by nudging someone into giving up information, approving access, opening a file, or holding a door open for the wrong person.

That’s why this topic pops up all over the place — help desk calls, password resets, fake invoices, rogue Wi-Fi, bogus MFA prompts, and those visitors who say they “just need quick access.” A+ wants you to spot the attack, figure out what the attacker’s probably after, and pick the best immediate response. In the workplace, the same skill protects credentials, endpoints, money, and physical spaces.

2. What Social Engineering Is and Why It Works

Social engineering is basically tricking people by leaning on trust, urgency, fear, curiosity, authority, or plain old helpfulness so they’ll reveal information or do something unsafe. Instead of going after the software alone, the attacker goes after the person using it — which, unfortunately, is often the easier path.

A simple attacker flow usually goes something like this: they gather a little info, build a believable story, deliver the message, wait for the user to act, and then follow up if they’re trying to push things further. For example, an attacker might look up a finance employee’s role, send a convincing invoice email, capture credentials on a fake sign-in page, and then use that mailbox to fire off payment fraud requests to everyone else. One social-engineering hit can touch all parts of the CIA triad, too: confidentiality when data gets stolen, integrity when fraudulent changes go through, and availability when accounts get locked or ransomware shuts things down.

These attacks work because people are busy, distracted, and trying to keep things moving — and attackers absolutely know that. The big psychological hooks are authority, urgency, fear, curiosity, reciprocity, and familiarity. A message that says “CEO needs this now,” “your account expires today,” or “IT needs your code to fix access” is trying to override process with emotion.

3. CompTIA A+ Social-Engineering Attack Matrix

Attack Channel Main clue Typical goal Best first response
Phishing Email/message blast Broad message to many users Credentials, malware, clicks Do not click; report and verify
Spear phishing Targeted email/message Personalized to a person or team Fraud, credentials, malware Verify through a separate trusted channel
Whaling Targeted executive message Executive impersonation or executive target Wire fraud, gift cards, privileged access Escalate and verify identity
Vishing Phone/voicemail Caller pressures user to act Passwords, MFA codes, remote access End call and call back using a known number
Smishing SMS/text Text with urgent message or code request Credentials, malicious apps, MFA theft Do not interact; open the service separately
Pretexting Phone, email, in person Believable fake story or role Trust, data, access Verify role and request independently
Quid pro quo Phone, chat, in person Offer of help or reward in exchange Credentials or unsafe action Refuse and use approved process
Baiting USB/media/file delivery Tempting item or file Malware execution or data theft Do not use it; submit to IT/security
Shoulder surfing Physical observation Watching screen or keypad PINs, passwords, data Shield screen and restrict proximity
Dumpster diving Trash/recycling Discarded sensitive material Recon, impersonation, access Use locked shred bins and proper disposal
Tailgating Physical entry Unauthorized person follows through door Building access Deny entry and enforce badge use
Piggybacking Physical entry Authorized user knowingly holds door Building access Require badge or escort despite courtesy pressure
Evil twin Wi-Fi Fake SSID imitating a real network Credential theft, traffic interception Verify SSID and avoid unexpected sign-in prompts
Hoax Email, pop-up, message post False warning or fake alert Panic, bad decisions, fake support contact Verify with official internal sources before acting

4. Common Social-Engineering Attacks: What They Look Like and the Little Clues That Usually Tip Them Off

Phishing, spear phishing, and whaling: phishing is broad, spear phishing is targeted, and whaling targets executives or other high-value roles. A common exam trap is confusing a generic password-reset email with a vendor-payment scam sent specifically to accounting. The first is phishing; the second is spear phishing. If I see a message pretending to come from the CEO, or I see pressure on the CFO to move money fast, I’m immediately thinking whaling or business email compromise. That’s a big red flag in any support queue.

Business Email Compromise (BEC): BEC is a major social-engineering pattern in which attackers impersonate executives, vendors, or compromised internal mailboxes to request wire transfers, payroll changes, gift cards, or banking updates. Honestly, after you’ve handled a few of these in a real environment, the pattern starts jumping out at you pretty quickly. A lookalike domain, a reply-to address that doesn’t match, that odd rush to act right now, a request to keep it quiet, and pressure to skip the normal approval steps — those are all classic warning signs. Honestly, those clues come up over and over. The best move is to verify any payment or banking change out of band using a trusted phone number you already know — not the email thread you’re staring at.

Vishing and smishing: vishing uses voice calls or voicemail; smishing uses text messages. And here’s the part people forget all the time: caller ID and text sender names can be spoofed, so they don’t prove who’s really on the other end. These scams usually try to get something useful out of you — a password, a one-time code, permission to install remote-control software, or a quick tap on an MFA prompt. Real IT staff shouldn’t ask for your password, and they absolutely shouldn’t ask you to read back your MFA code.

Pretexting, impersonation, and quid pro quo: pretexting is the fake story, impersonation is the fake identity, and quid pro quo is the offer of value in exchange for cooperation. For example: “I’m from IT onboarding, and I can fix your VPN if you give me your sign-in code.” That’s exactly the kind of line that should make your internal alarm bells go off right away. That is impersonation plus quid pro quo, built on a pretext.

Baiting and USB attacks: baiting relies on curiosity or temptation, such as a USB drive labeled “Payroll” or a fake file claiming to be a browser update. On modern Windows systems, classic autorun usually isn’t the big risk people think it is anymore. The bigger risk is usually a malicious file somebody opens, or a USB device that shows up pretending to be a keyboard and starts typing commands on its own. Unknown media should be treated as potential evidence, not as something to test on a production endpoint.

Shoulder surfing, dumpster diving, tailgating, and piggybacking: these are physical social-engineering attacks. Shoulder surfing is when someone steals information just by watching you work — maybe they’re looking over your shoulder, catching your screen from an angle, or memorizing what you type when you’re not paying attention. It sounds almost too simple to be a real threat, but honestly, it works way more often than people expect. Dumpster diving is exactly what it sounds like — somebody rooting through trash or recycling for anything useful, like old printouts, sticky notes, sensitive papers, or even tiny scraps of information they can piece together and use later. And yeah, it’s every bit as messy and unglamorous as it sounds. Tailgating is usually when an unauthorized person slips in behind someone without them realizing it, while piggybacking is when the badge holder knows it’s happening but lets the person in out of courtesy. CompTIA often tests that distinction.

Evil twin and rogue access point: an evil twin is a specific rogue access point that imitates a legitimate SSID, such as a hotel or airport network. More generally, a rogue access point is any Wi-Fi device that’s been plugged in or set up without approval — basically, it’s not supposed to be there in the first place. The risk is not that all encrypted traffic automatically becomes readable. The bigger problems are fake captive portals, stolen credentials, traffic interception where possible, and people trusting a network that really shouldn’t be trusted.

Hoaxes and influence campaigns: a hoax may be a fake malware alert, false internal emergency notice, or bogus support pop-up. Unlike classic phishing, a hoax is usually more about panic and bad information than about stealing your password right away. At A+ level, think false alerts that cause bad user decisions.

5. Phishing Technical Analysis Basics

When I’m checking a suspicious email, I always tell people to slow down and look at the display name, the real sender address, the reply-to address, where the link actually goes, the tone of the message, and the attachment type. Just checking the real destination, without clicking it, can often expose a mismatched domain. Attackers also love lookalike domains, shortened links, QR codes, and fake single sign-on pages because, honestly, those tricks can look convincing long enough to catch somebody who’s in a rush. A password manager can actually help a lot here because it often won’t autofill on the wrong domain.

From a technical-control standpoint, organizations cut phishing risk with secure email gateways, attachment sandboxing, URL filtering, and email authentication standards like SPF, DKIM, and DMARC. You don’t need to configure all of that for A+, but you should know these controls help validate sending domains and make spoofing a lot less successful. They are layered controls, not guarantees.

If a user reports a suspicious email, keep the useful evidence. That usually means the sender, subject line, when it arrived, screenshots if they help, and the full headers if your process asks for them. Use your organization’s phishing-report button or ticket process instead of just forwarding the message around and hoping someone else handles it.

Social engineering is an initial access technique — it’s not malware itself. In a real workplace, one bad click can snowball into malware, stolen credentials, or outright fraud. Once somebody bites, things can unravel pretty quickly. I’m talking info-stealers, remote access trojans, loaders, spyware, keyloggers, ransomware, and mailbox compromise that later gets abused for BEC. After a compromise, attackers may set up inbox rules, add forwarding rules, or keep access alive by stealing session tokens.

The vulnerabilities that make this worse are not only human. They include weak identity verification, poor password-reset processes, password reuse, lack of phishing-resistant MFA, excessive permissions, weak email filtering, missing DNS or web filtering, unmanaged mobile devices, poor vendor verification, weak joiner, mover, and leaver processes, and insecure physical controls. If one compromised account has too much access, the blast radius gets much larger.

MFA deserves special attention. SMS-based MFA is definitely better than having no MFA at all, but in my experience, app-based methods and hardware-backed options are usually stronger and a lot more reliable. Phishing-resistant MFA, like FIDO2 or WebAuthn, usually holds up a lot better than push prompts or SMS codes because it’s much harder for an attacker to trick or replay. MFA fatigue attacks usually kick in after the attacker already has valid credentials, and then they keep sending prompt after prompt until somebody gets tired, distracted, or annoyed enough to approve one. They’ll keep hammering the user with repeated prompts and hope that eventually somebody gets annoyed, distracted, or just worn down enough to hit approve. Then they keep pushing approval prompts until one eventually gets accepted. Number matching, device context, and user reporting reduce that risk.

7. Prevention and Layered Controls

The best defense is layered. You really want administrative, technical, and physical controls all working together in the same direction. Relying on just one safeguard is usually asking for trouble.

Administrative controls: security awareness training, acceptable use policies, vendor verification procedures, invoice-change verification, and strict password-reset workflows. Good training usually includes phishing simulations, an easy way to report suspicious messages, regular refreshers, and a way to measure things like click rates and report rates. That feedback is honestly a lot more useful than most people realize.

Technical controls: MFA, password managers, secure email gateways, SPF, DKIM, DMARC, DNS or web filtering, endpoint protection, EDR, MDM, and least privilege. The big thing to remember is that each control has its own job, and they work best when they’re layered together instead of depending on just one of them. That’s why they work a whole lot better together than any single control does by itself. EDR helps spot suspicious endpoint behavior, email security filters out bad messages, DNS filtering blocks known-bad destinations, and MDM helps enforce mobile settings like encryption, screen locks, app restrictions, and remote wipe options. In practice, that layered approach can make a huge difference.

Physical controls: badge readers, visitor logs, escort requirements, mantraps, CCTV, privacy screens, locked shred bins, and access-log review. Each one maps to a specific risk. Badges and escorts help cut down impersonation risk, privacy screens help reduce shoulder surfing, and locked disposal containers help stop dumpster diving. Simple stuff, but it works.

When it comes to public Wi-Fi, I’d definitely recommend turning off auto-join for unknown SSIDs, confirming the exact SSID with staff, preferring WPA2 or WPA3 networks, avoiding credentials in unexpected captive portals, and using a corporate VPN or a trusted cellular hotspot whenever you can. Those habits save people a ton of headaches, honestly. A VPN helps protect traffic while it’s moving across the network, but it doesn’t magically make a fake portal safe, trusted, or legitimate. And it definitely won’t stop somebody from typing their credentials into a phishing page.

8. Help Desk and Account Recovery Security

Help desk staff are prime targets because they can reset passwords, unlock accounts, and trigger recovery actions. Your procedure is a security control.

A solid verification workflow might include confirming the ticket number if there is one, checking employee ID or HRIS details, calling back using the number already on file, requiring manager approval for high-risk requests, and using out-of-band verification for executives or finance staff. That extra step is absolutely worth the time. Caller ID, display name, and urgency are not identity proof.

Hard rules really matter here: never ask for the user’s current password, never ask for an MFA code to “verify” them, never skip the workflow just because the caller sounds important, and never send temporary credentials through an unapproved channel. After a secure reset, force a password change at the next sign-in if policy calls for it, revoke active sessions when compromise is suspected, and review any MFA re-registration or recovery-option changes. That’s the kind of follow-through that actually limits damage.

Sample technician script: “I can help, but I need to follow our identity-verification process. I’m going to call you back at the number on file and validate the request against your ticket. If this is urgent, I’ll escalate it through the approved workflow.” That script protects both the user and the technician.

9. Troubleshooting and Incident Response Basics

For A+, the key is the best immediate action. Usually that means stop, verify, report, and contain.

If this happens Do this first
User receives suspicious email Do not interact; report through phishing workflow
User interacted with a suspicious destination but entered nothing Report, close the page, and assess endpoint or browser exposure
User entered credentials Reset password, revoke sessions or tokens, review sign-ins and MFA methods
User approved unexpected MFA prompt Report immediately, change password, revoke sessions, investigate account activity
User opened malicious attachment or installed remote tool Isolate device per policy and escalate for endpoint review
Unknown USB inserted Stop using device, isolate if needed, preserve evidence, escalate
Unescorted visitor or door hold request Deny entry, verify identity, follow visitor process

If someone entered credentials on a phishing page, the response needs to be more than just “change the password.” You’ll also want to invalidate active sessions or tokens, inspect recent sign-ins, review MFA enrollment changes, verify account recovery options, and check for mailbox forwarding or inbox rules if BEC might be in play. If malware is suspected, follow your organization’s incident-response steps before powering off or making major changes, because preserving evidence can really matter.

Useful evidence includes email headers, screenshots, call details, ticket numbers, timestamps, endpoint alerts, sign-in logs, and access logs. Escalate quickly if the incident involves finance, executives, privileged accounts, remote-access tool installation, suspicious mailbox rules, or repeated MFA prompts.

10. Exam Scenarios and Common Traps

Scenario 1: A text says your company account will be locked unless you sign in now. That is smishing. Best first action: do not interact with the message; open the service through a known app or approved internal access method and report the text.

Scenario 2: A caller claiming to be IT asks for your MFA code so they can fix VPN access. That is vishing plus impersonation, possibly quid pro quo. Best action: refuse, end the call, and verify through the official help desk number.

Scenario 3: A person carrying boxes asks you to hold the secure door. If you knowingly let them in, that is piggybacking. If they slip in behind you without your awareness, that is tailgating.

Scenario 4: Finance receives an urgent email from the CEO requesting a wire transfer or gift cards. Think whaling or BEC. Best control: out-of-band verification and approval workflow.

Scenario 5: At an airport, you see two similar Wi-Fi names and one presents an unexpected portal asking for corporate credentials. Think evil twin. Best action: do not authenticate there; verify the SSID, use a hotspot or trusted VPN connection, and avoid entering credentials into the portal.

Common exam distinctions to memorize: vishing equals voice, smishing equals SMS, whaling equals executives, quid pro quo equals something for something, pretexting equals fake story, and hoax equals false alert or misinformation. Also remember that CompTIA often asks for the best immediate action, not the most complete long-term remediation.

11. Conclusion

Social engineering is really about one thing: using human behavior to bypass security controls. For CompTIA A+ Core 2, focus on recognizing the attack type, understanding the threat it can lead to, spotting the vulnerability being exploited, and choosing the best first response. In practice, the habits are simple: pause, verify, report, and follow procedure.

If you remember nothing else, remember these rules: never trust urgency as proof, never treat caller ID or display name as identity, never share passwords or MFA codes, never plug in unknown media, and never bypass verification because someone sounds important. Those habits will help you pass the exam and make you a much stronger technician on the job.