CompTIA Security+ (SY0-601): Compare and Contrast Different Types of Social Engineering Techniques
Introduction
Social engineering is really just a way of getting people to make a bad decision by using deception, pressure, or influence. The goal is simple: get someone to hand over information, take an action they normally wouldn’t take, or open a digital or physical door that should’ve stayed closed. For Security+ SY0-601, this is a big deal because attackers usually find people a lot easier to manipulate than technical controls. Honestly, that’s one of the main reasons these attacks show up so often. Honestly, even a patched server, a strong password policy, and a modern firewall won’t save you if someone clicks a fake login page, a help desk analyst resets the wrong account, or an employee politely holds open a secure door for the wrong person.
For exam purposes, keep the focus on recognition and comparison. In the real world, though, social engineering is rarely just “a fake email.” It often leads to credential theft, malware delivery, payment fraud, mailbox compromise, or physical intrusion. The best defenders combine awareness, process controls, and technical controls.
What social engineering really is, and why it keeps working out there in the real world
At the end of the day, social engineering is basically attackers taking advantage of how people naturally behave. It works because people tend to trust what feels familiar, react fast when something seems urgent, worry about getting in trouble, follow curiosity, respect authority, and, honestly, most folks just want to help and get on with their day. Attackers don’t need to fool everyone. They just need one user, one receptionist, one finance clerk, or one help desk analyst to make the wrong call.
A really simple way to compare social engineering scenarios is to ask four questions:
- Channel: Email, SMS, phone, website, messaging platform, or physical interaction?
- Targeting: Broad, targeted, or executive-focused?
- Goal: Credentials, money, malware, information, MFA approval, or physical access?
- Clue: Urgency, authority, reward, fabricated story, or redirection?
That simple framework actually makes a huge difference when you’re trying to separate terms that sound similar on the exam, like phishing versus spear phishing, vishing versus smishing, or pharming versus typosquatting.
Core Security+ social engineering techniques
| Technique | Main channel | Strongest clue | Typical goal |
|---|---|---|---|
| Phishing | Email/messages | Broad deceptive message | Credentials, malware, fraud |
| Spear phishing | Email/messages | Targeted to a specific user or team | Credential theft, fraud, access |
| Whaling | Email/messages | Executive or high-value target | Wire fraud, sensitive access |
| Vishing | Voice/phone | Phone-based deception | Information disclosure, reset abuse |
| Smishing | SMS/text | Text-based phishing | Link click, callback, credential theft |
| Pretexting | Any | Fabricated story | Trust building, info gathering, access |
| Impersonation | Any | Pretending to be trusted person/role | Authority abuse |
| Quid pro quo | Phone/in person | Exchange of help for information | Credentials or access |
| Baiting | Physical/digital | Tempting lure | Malware delivery or access |
| Tailgating | Physical | Unauthorized person follows in | Physical access |
| Piggybacking | Physical | Authorized user knowingly allows entry | Physical access |
| Shoulder surfing | Physical observation | Watching screen or keypad | Capture sensitive info |
| Dumpster diving | Physical | Searching discarded material | Collect sensitive data |
| Watering hole | Web | Trusted site used by target group | Malware, credential theft |
| Typosquatting | Web/domain | Misspelled domain resembling a trusted brand | Redirect users to fake site |
| Pharming | DNS/network | Correct address entered, wrong site reached | Credential theft or malware |
Email, messaging, and business fraud attacks
Phishing is the broad category: deceptive email or messaging intended to get the victim to click, log in, open a file, or send information. Spear phishing is the targeted version, built around a specific person, team, or business process. Whaling is spear phishing aimed at executives or other high-value targets such as finance leaders or attorneys.
A common real-world umbrella term here is Business Email Compromise (BEC). BEC, or business email compromise, is really one of those catch-all terms for money-focused scams. You’ll see CEO fraud, vendor impersonation, payroll diversion, gift card requests, invoice tricks, payment redirection — all the usual stuff that’s meant to move money in the wrong direction. The attacker might send a forged message, set up a lookalike domain, or — and this one’s especially nasty — break into a real mailbox and send from that account instead. And technically, those are three different situations, so it’s worth slowing down a little and separating them instead of just lumping them all together.
- Spoofed email: forged sender information, often blocked or flagged by mail security controls.
- Lookalike domain: attacker registers a deceptive domain that closely resembles a trusted one.
- Compromised legitimate mailbox: attacker logs into a real account and sends messages from it, often by hijacking existing reply chains.
That last one’s especially dangerous because it can look perfectly normal and may not fail email authentication at all.
Spam is unsolicited bulk messaging. It isn’t automatically phishing, but phishing can absolutely be delivered as spam. For exam purposes, think of spam as the delivery style and phishing as the deceptive intent.
Credential theft, MFA abuse, and modern identity attacks
Many social engineering attacks aim at credential harvesting, but that objective can involve more than just passwords. Attackers may go after things like:
- Usernames and passwords
- One-time passcodes, recovery codes, and backup codes
- MFA approvals through push fatigue
- Session cookies or tokens after login
- OAuth consent that grants access without the password being reused
A fake enterprise login portal or single sign-on page is a classic harvesting method. More advanced attacker-in-the-middle phishing kits can relay the real login process and steal session cookies after MFA. That’s why MFA helps, but weaker methods like SMS codes, voice OTP, or a simple push approval aren’t as strong as phishing-resistant MFA.
Phishing-resistant MFA means controls such as FIDO2/WebAuthn security keys or platform-bound passkeys. These are stronger because the authentication is tied to the legitimate site and is harder to relay to a fake one. Number matching and location prompts also improve push-based MFA by reducing accidental approval.
MFA fatigue or push bombing is a modern real-world extension of social engineering. The attacker keeps triggering MFA prompts over and over until the user finally gives in and approves one. It may not always show up as a classic named term in SY0-601, but it fits the same basic idea: pressure a person long enough, and they may approve access they shouldn’t.
Voice, conversation, and help desk abuse
Vishing is phishing over voice. Attackers may use caller ID spoofing, internet-based phone services, fake callback numbers, or even automated phone menu scams to make the call seem real. They often claim to be IT, a bank, a vendor, or an executive assistant. The goal is usually to get credentials, MFA codes, or a password reset.
Pretexting is the invented story: “We are migrating accounts,” “your payroll record needs validation,” or “the CEO is in a meeting and needs this immediately.” Impersonation is pretending to be the trusted role or person. Those two often show up together, but they’re not the same thing, and Security+ absolutely loves testing that distinction. For the exam, remember: pretexting = story, impersonation = role.
Quid pro quo means an exchange. The attacker offers help, support, or some kind of reward, but there’s always a catch — the victim has to give up information or do the thing the attacker wants first. That differs from baiting, which relies on temptation without a direct exchange.
Help desks get targeted a lot because password resets, MFA resets, and account unlocks are all high-value workflows that attackers love to abuse. Good procedures include callback verification using a known number, ticket validation, manager approval for sensitive resets, and clear rules that staff never ask for or accept passwords, OTPs, or approval codes. If a caller pressures staff to bypass process, that pressure is itself a red flag.
Web, domain, and redirection attacks
Typosquatting uses misspelled domains that imitate trusted brands. A related but slightly different trick is the lookalike or homograph domain, where characters are substituted to resemble the real domain. Security+ learners should know the distinction even if many people casually group them together.
Pharming is different: the user may type the correct address and still land on the wrong site because traffic is redirected. That redirect can happen a few different ways — DNS cache poisoning, rogue DNS settings, a modified hosts file, a compromised router, or even bad DHCP settings being pushed into the network. And here’s the part a lot of people miss: an attacker-controlled site can still have a valid TLS certificate. So that little lock icon by itself doesn’t actually prove you’re safe. Better defenses include secure DNS resolvers, DNS filtering, endpoint integrity checks, router hardening, and DNSSEC where it’s available. In practice, you want multiple layers there, not just one control doing all the work. In other words, you don’t just want to protect the website — you want to protect the path the user takes to get there.
Watering hole attacks target sites that a victim group already trusts. The attacker compromises that site or injects malicious content so the victim is exposed during normal browsing. This blends trust, habit, and technical compromise.
Modern phishing variants also show up as fake file-sharing invites, collaboration-platform messages, and QR-code lures, which is exactly why attackers keep following people wherever they’re actually working. For SY0-601, I’d treat those as different delivery variations of phishing rather than as totally separate classic categories.
Physical social engineering attacks
Tailgating means an unauthorized person follows someone into a secure area without permission. Piggybacking means the authorized person knowingly lets them in. Real organizations sometimes use these terms interchangeably, but CompTIA prep commonly distinguishes them this way, so use that distinction on the exam.
Shoulder surfing is observing screens, keypads, or documents. Dumpster diving is searching discarded material for useful information. Baiting often involves physical media like a USB drive labeled to appear valuable or confidential. The modern risk isn’t just autorun anymore. It could be malware, a credential theft tool, or even a USB device that acts like a keyboard and starts typing commands before the user even realizes what’s happening.
Physical impersonation also matters: fake contractors, delivery workers, or technicians using uniforms, clipboards, or badges to blend in. Strong visitor controls, escort rules, badge checks, and camera review all go a long way toward cutting that risk down.
Email authentication and anti-spoofing controls
Social engineering defense is not just training. Email security controls matter, especially against spoofing and impersonation:
- SPF identifies which mail servers are allowed to send for a domain.
- DKIM digitally signs messages so the receiving server can verify integrity and origin.
- DMARC tells receiving systems how to handle messages that fail SPF/DKIM alignment and provides reporting.
These controls help with spoofed-domain email, but they do not stop lookalike domains or a compromised legitimate mailbox. That is why organizations also use secure email gateways, impersonation protection, external sender tagging, message destination analysis, attachment sandboxing, and domain monitoring. Mature programs also monitor certificate transparency logs and suspicious domain registrations for brand abuse.
Defender view: red flags, detection, and mitigation
The strongest warning sign is often not bad grammar. It is a request that breaks normal process. Good red flags include:
- Urgent requests involving credentials, payments, or MFA
- Requests to bypass policy or “keep this confidential”
- Reply-to mismatch, lookalike domain, or unexpected attachment
- Caller refusing callback validation
- Repeated MFA prompts not initiated by the user
- Unexpected bank-detail changes or vendor payment updates
- Unknown visitors, badge excuses, or found USB devices
Detection leans heavily on logs, and honestly, that’s where a lot of the real investigation work starts. Security teams may end up digging through email headers, SPF/DKIM/DMARC results, sign-in telemetry, impossible-travel alerts, mailbox forwarding rules, OAuth app consent, proxy and DNS logs, and badge-access records. Basically, they’re trying to piece together the whole chain of events from every trail the attacker left behind. For a mailbox compromise investigation, I’d usually start with inbox rules, delegated access, recent login IPs, MFA method changes, and any suspicious forwarding to external addresses. That’s usually where the trouble shows up first.
The big mitigations are phishing-resistant MFA, conditional access, secure email gateways, DNS and web filtering, callback verification, dual approval for payments, help desk identity proofing, visitor management, and endpoint controls that block unauthorized USB use. Layering those controls is what really makes the difference.
Incident response basics
If a user clicks a phishing lure, enters credentials, approves a suspicious MFA prompt, or acts on a fraudulent payment request, speed matters a lot. The sooner you react, the less room the attacker has to cause damage. The immediate goals are pretty straightforward: stop the damage from spreading and preserve the evidence before it disappears. That’s the mindset I always push with junior analysts and help desk teams.
- User actions: stop interacting, report quickly, preserve the message or caller details.
- IAM actions: reset passwords if needed, revoke sessions and refresh tokens, review MFA changes and recovery methods.
- Mailbox actions: check forwarding rules, inbox rules, delegated access, and OAuth app consents.
- Endpoint actions: isolate or scan the device if malware is possible.
- Finance actions: halt suspicious payments, verify vendor changes out of band, notify banking and legal contacts if fraud occurred.
- Physical security actions: review badge logs, camera footage, and visitor records for unauthorized entry.
Evidence worth preserving includes full email headers, message IDs, typed or displayed addresses, screenshots, SMS details, caller numbers, call times, and anything else that helps show exactly what happened. displayed addresses, screenshots, SMS details, caller numbers, call times, and any endpoint alerts.erts. If you can capture it before it gets deleted or overwritten, do it.
Security+ exam traps and memory aids
| Common confusion | Best distinction |
|---|---|
| Phishing vs spear phishing | Broad vs targeted |
| Spear phishing vs whaling | Targeted user vs executive/high-value target |
| Smishing vs vishing | SMS vs voice |
| Pretexting vs impersonation | Story vs trusted identity |
| Baiting vs quid pro quo | Lure vs exchange |
| Tailgating vs piggybacking | No permission vs knowingly allowed |
| Typosquatting vs pharming | Wrong domain entered vs correct domain redirected |
| Spam vs phishing | Bulk unsolicited vs deceptive intent |
Best exam strategy: identify the most specific clue. If the scenario says “specific executive,” think whaling. If it says “fabricated story,” think pretexting. If it says “correct address but wrong site,” think pharming. If it says “free USB drive,” think baiting.
Mini scenario practice
Scenario 1: A finance clerk receives an email from a known vendor asking to update bank details for future payments. The message comes from a slightly altered domain. Answer: Spear phishing/BEC with vendor impersonation. Best control: out-of-band vendor callback and dual approval.
Scenario 2: A user gets repeated MFA push requests late at night without trying to sign in. Answer: MFA fatigue, a modern social engineering-related identity attack. Best response: deny prompts, report immediately, review sign-ins, reset credentials if needed.
Scenario 3: A caller claims to be from IT and says an executive account must be reset before a board meeting. The caller refuses callback. Answer: Vishing with pretexting and impersonation. Best control: follow help desk identity verification and callback procedure.
Scenario 4: A user types the correct banking address but sees a strange login page and certificate behavior. Answer: Pharming. Best response: stop, report, and investigate DNS, router, and endpoint integrity.
Scenario 5: Someone carrying boxes asks an employee to hold a secure door because they forgot their badge. Answer: Piggybacking if knowingly allowed; tailgating if they slip in without permission. Best control: challenge and route through visitor procedure.
Conclusion
Social engineering is about influencing people to break trust, process, or security controls. For Security+ SY0-601, the key is to compare attacks by channel, targeting level, and strongest clue. Phishing is broad, spear phishing is targeted, whaling targets executives, vishing uses voice, smishing uses SMS, pretexting uses a fabricated story, baiting uses a lure, quid pro quo uses an exchange, typosquatting uses a deceptive domain, and pharming redirects the victim even when the correct address was entered.
From a defender’s perspective, awareness matters, but process and technical controls matter just as much. Callback verification, approval workflows, SPF/DKIM/DMARC, phishing-resistant MFA, DNS protections, and physical access controls turn social engineering from an easy win for attackers into a much harder path.