Objective 2.5: Compare and contrast common social engineering attacks, threats, and vulnerabilities
Cert: CompTIA A+ Core 2 (220-1202) V15 Domain: 2.0 Security Weight: Part of the 28% Security domain Depth: Compare and contrast. The candidate must distinguish social engineering attack types, network threat types, and the underlying vulnerabilities that make attacks succeed.
What this objective tests
You should recognize each social engineering and network attack by behavior, name the vulnerability that enabled the attack, and pick the right preventive control.
Key facts
Phishing:
- Fraudulent email pretending to be a trusted sender, designed to harvest credentials, install malware, or trick the user into action.
- Consistently one of the most common initial access vectors against businesses; the credentials it harvests are what later BEC and ransomware operations are built on.
Vishing (voice phishing):
- Phone-based social engineering. Caller poses as IT, bank, IRS, or another authority and pressures the target for credentials or payment.
Smishing (SMS phishing):
- Text-message phishing. Often impersonates banks, shipping companies, or government agencies. Includes a link to a fake site.
QR code phishing (quishing):
- Phishing via QR codes (printed in public places, emailed, dropped on desks). User scans the code and lands on a malicious site.
- Newer V15-era addition to the attack catalog.
Spear phishing:
- Targeted phishing aimed at a specific person or small group. References specific details (name, role, recent activity) to seem legitimate.
Whaling:
- Spear phishing aimed at executives or other high-value targets. Often pretends to be the CEO or a board member.
Shoulder surfing:
- Watching someone's screen or keyboard to harvest passwords, PINs, or other sensitive info.
- Mitigation: privacy screens, awareness, screen lock when stepping away.
Tailgating (piggybacking):
- Following an authorized person through a controlled door without using your own credential.
- Mitigation: access control vestibule (mantrap), badge-required interior doors, security awareness.
Impersonation:
- Pretending to be someone the target trusts (vendor, contractor, executive, IT support).
Dumpster diving:
- Searching trash for sensitive documents, sticky notes with passwords, discarded hardware.
- Mitigation: shredding, secure document destruction policies.
Denial of Service (DoS):
- Attack that makes a service unavailable, classically by flooding it with more requests than it can handle from a single source.
Distributed Denial of Service (DDoS):
- DoS from many distributed sources (often a botnet). Harder to filter because no single source sends enough traffic to stand out from legitimate users.
- Mitigation: cloud DDoS protection services (Cloudflare, Akamai, AWS Shield).
Evil twin:
- Rogue Wi-Fi access point that mimics a legitimate SSID. Users connect, attacker captures traffic and credentials.
- Mitigation: use a VPN on untrusted Wi-Fi; verify the SSID with staff; enterprise wireless (802.1X, EAP-TLS) where the client validates the network's certificate before sending credentials.
Zero-day attack:
- Exploit of a vulnerability that the vendor hasn't patched (and may not yet know about).
- Mitigation: defense in depth, EDR with behavior detection, network segmentation. Patch is unavailable by definition.
Spoofing:
- Pretending to be a trusted source. Email spoofing (forged sender), IP spoofing (forged source IP), ARP spoofing (forged MAC mapping), caller ID spoofing.
On-path attack (formerly man-in-the-middle):
- Attacker positions between two communicating parties, intercepts and possibly modifies traffic.
- Mitigation: TLS for encryption, certificate validation, VPN.
Brute-force attack:
- Tries every possible password combination until one works.
- Mitigation: long complex passwords, account lockout after failed attempts, rate limiting, MFA.
Dictionary attack:
- Tries likely passwords from a wordlist instead of every combination. Far fewer guesses than brute force, but it only succeeds if the password is on the list.
- Mitigation: same as brute force, plus screen new passwords against known-bad and breached-password lists so the wordlist entries can never be set in the first place.
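Added example (not from the CompTIA objectives or any product): a small login guard in Python that applies the controls listed for brute-force and dictionary attacks, run against a constructed wordlist. The account data, wordlist, 5-failure threshold and 900-second lockout are all illustrative assumptions; passwords are compared in plaintext only to keep the demo short.

```python
import time
from collections import defaultdict

# Constructed demo data for this example; no real accounts or wordlists.
# Passwords are plaintext only to keep the check one line; store hashes in practice.
ACCOUNTS = {"bob": "hunter2", "alice": "correct-horse-battery-staple-7"}
BANNED_PASSWORDS = {"123456", "password", "qwerty", "letmein", "iloveyou", "admin", "hunter2"}
WORDLIST = ["123456", "password", "qwerty", "letmein", "iloveyou", "admin", "hunter2"]


class LoginGuard:
    """Password check with per-account lockout after repeated failures.

    max_failures and lockout_seconds are illustrative values; 'now' is
    injectable so the lockout expiry can be exercised without sleeping.
    """

    def __init__(self, accounts, max_failures=5, lockout_seconds=900, now=time.time):
        self._accounts = accounts
        self._failures = defaultdict(int)
        self._locked_until = {}
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._now = now

    def attempt(self, username, password):
        now = self._now()
        if self._locked_until.get(username, 0) > now:
            return "locked"  # refuse without even evaluating the password
        if self._accounts.get(username) == password:
            self._failures[username] = 0
            return "ok"
        self._failures[username] += 1
        if self._failures[username] >= self.max_failures:
            self._locked_until[username] = now + self.lockout_seconds
            self._failures[username] = 0
            return "locked"
        return "fail"


def is_banned(candidate, banned=BANNED_PASSWORDS):
    """Screen a new password against a known-bad list at set/change time."""
    return candidate.lower() in banned


def dictionary_attack(guard, username, wordlist):
    """Attacker side: try each wordlist entry until success or lockout."""
    for guess in wordlist:
        result = guard.attempt(username, guess)
        if result == "ok":
            return ("cracked", guess)
        if result == "locked":
            return ("locked", guess)
    return ("exhausted", None)


def demo():
    clock = [1_000_000.0]  # fake clock so the run is deterministic

    def fake_now():
        return clock[0]

    no_lockout = LoginGuard(ACCOUNTS, max_failures=10**9, now=fake_now)
    with_lockout = LoginGuard(ACCOUNTS, max_failures=5, now=fake_now)
    results = {
        "bob_no_lockout": dictionary_attack(no_lockout, "bob", WORDLIST),
        "bob_with_lockout": dictionary_attack(with_lockout, "bob", WORDLIST),
        "alice_no_lockout": dictionary_attack(no_lockout, "alice", WORDLIST),
        "bob_password_banned": is_banned(ACCOUNTS["bob"]),
        "bob_still_locked": with_lockout.attempt("bob", "hunter2"),
    }
    clock[0] += with_lockout.lockout_seconds + 1  # wait out the lockout window
    results["bob_after_expiry"] = with_lockout.attempt("bob", "hunter2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Without lockout the wordlist cracks bob on the seventh guess; with a five-failure lockout the attack is stopped on the fifth, and the banned-password screen would have rejected bob's password when he chose it. Note the trade-off: an attacker who knows a username can deliberately trigger the lockout and deny that user access, which is why many deployments pair short lockouts or progressive delays with MFA rather than long hard lockouts.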
Insider threat:
- Malicious or careless action by someone with legitimate access (employee, contractor, partner).
- Mitigation: least privilege, separation of duties, monitoring, exit procedures.
SQL injection (SQLi):
- Attack that supplies crafted input which the application concatenates into a SQL statement, so the input is parsed as SQL and changes what the database executes (bypassing logins, reading or altering other rows).
- Mitigation: parameterized queries, input validation, principle of least privilege on database accounts.
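Added example (not from the objectives or any real application): the vulnerable login query beside its parameterized form, run against an in-memory SQLite table in Python. The table contents and the two payloads are constructed for the demo; the plaintext password column exists only to keep the query on one line.

```python
import sqlite3

# Constructed demo data for this example; not from any real application.
# Passwords are stored in plaintext only to keep the query one line; real
# systems compare password hashes.
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the statement by concatenation, so user input is parsed as SQL."""
    query = ("SELECT username FROM users WHERE username = '" + username
             + "' AND password = '" + password + "'")
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(conn, username, password):
    """Same query with bound parameters: input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


# Two classic payloads: the first comments out the password check,
# the second turns the WHERE clause into a tautology.
COMMENT_PAYLOAD = "alice' --"
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"


def demo():
    conn = make_db()
    return {
        "vuln_legit": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_comment": login_vulnerable(conn, COMMENT_PAYLOAD, "anything"),
        "vuln_tautology": login_vulnerable(conn, "nobody", TAUTOLOGY_PAYLOAD),
        "param_legit": login_parameterized(conn, "alice", "correct horse"),
        "param_comment": login_parameterized(conn, COMMENT_PAYLOAD, "anything"),
        "param_tautology": login_parameterized(conn, "nobody", TAUTOLOGY_PAYLOAD),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both payloads log in as alice through the concatenated query and return nothing through the parameterized one, which still accepts the real credentials. A legitimate apostrophe in input (an O'Brien logging in) breaks the concatenated version too, which is often how these bugs are first noticed.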
Cross-site scripting (XSS):
- Injects malicious JavaScript into a web page that executes in other users' browsers.
- Mitigation: output encoding, Content Security Policy, input validation.
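Added example (not from the objectives or any framework): a comment widget rendered three ways in Python, showing why output encoding has to match the HTML context. The comments, template and CSP value are constructed for the demo; the half-fixed renderer is included to show the attribute-breakout case that encoding only `<`, `>` and `&` misses.

```python
from html import escape

# Constructed sample comments for this example, including two attack payloads:
# one targets the element body, the other breaks out of an attribute value.
COMMENTS = {
    "benign": "Great post!",
    "body_payload": "<script>alert(document.cookie)</script>",
    "attr_payload": '" onmouseover="alert(1)',
}

TEMPLATE = '<div class="comment" title="{attr}">{body}</div>'


def render_unsafe(comment):
    """Vulnerable: untrusted text is dropped straight into the HTML."""
    return TEMPLATE.format(attr=comment, body=comment)


def render_half_fixed(comment):
    """Encodes <, > and & only: protects the element body but not the
    attribute, so the second payload still closes the title attribute."""
    enc = escape(comment, quote=False)
    return TEMPLATE.format(attr=enc, body=enc)


def render_safe(comment):
    """Encodes quotes too, so input cannot end the attribute it sits in."""
    enc = escape(comment, quote=True)
    return TEMPLATE.format(attr=enc, body=enc)


# Second layer: a strict policy header refuses inline script even if an
# encoding bug somewhere lets markup through (illustrative value).
CSP_HEADER = ("Content-Security-Policy",
              "default-src 'self'; script-src 'self'; object-src 'none'")


def attribute_breakout(rendered):
    """True if the rendered markup gained an extra event-handler attribute."""
    return ' onmouseover="' in rendered


def script_tag_present(rendered):
    return "<script>" in rendered


if __name__ == "__main__":
    for label, comment in COMMENTS.items():
        for renderer in (render_unsafe, render_half_fixed, render_safe):
            out = renderer(comment)
            print(f"{label:13} {renderer.__name__:18} script={script_tag_present(out)} "
                  f"breakout={attribute_breakout(out)}")
```

The body payload is neutralized by either encoder, but the attribute payload only dies when quotes are encoded as well. Text placed inside a script block or a URL needs a different encoder again; the rule is to encode for the exact context the data lands in, and to treat CSP as a backstop rather than the fix.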
Business email compromise (BEC):
- Attacker compromises (or convincingly spoofs) a business email account to defraud the organization. Common shape: "CEO" emails Accounting requesting an urgent wire transfer.
- Mitigation: MFA on email, out-of-band verification of wire requests, employee training.
Supply chain / pipeline attack:
- Attack that compromises a trusted vendor or software component to reach the target.
- Examples: SolarWinds (trojanized vendor update), MOVEit Transfer (mass exploitation of a widely deployed vendor product), malicious or hijacked dependencies published to open-source package registries.
- Mitigation: vendor risk management, software bill of materials (SBOM), zero trust.
Non-compliant systems:
- Systems missing required security controls (patches, AV, configuration baselines).
- Vulnerability waiting to be exploited.
Unpatched systems:
- Systems running outdated software with known vulnerabilities.
- One of the most common, and most preventable, ways attackers get in; the exploit for a patched bug is usually public within days.
Unprotected systems (missing AV / firewall):
- Systems without basic endpoint security.
- Mitigation: MDM/RMM enforces baseline security.
End-of-life (EOL):
- OS or app version no longer receiving security updates.
- Migrate before EOL hits.
Bring your own device (BYOD):
- Personal devices accessing corporate resources. Less controlled than corporate-issued.
- Mitigation: MDM, conditional access, data segregation (corporate work container).
Common gotchas
- CEO email request "urgent and confidential." Classic BEC. Always verify wire transfer requests out-of-band.
- "Free Wi-Fi" SSID matching the coffee shop's name. Evil twin. Verify SSID with staff or use cellular + VPN.
- Vendor email asking for updated banking details. Spoofed or compromised vendor account. Call the vendor on a known-good number to verify.
- Strange USB drive in the parking lot. Don't plug it in. USB drop attacks are real.
- Unsolicited caller from "Microsoft Support" asking you to open PowerShell or run commands. Tech-support scam. Microsoft does not make unsolicited support calls.
- Phone tech support requesting remote access. Vishing. Hang up and call the organization on its verified number if you think the request might be real.
Real-world context
Top SMB threat categories in 2024-2025:
- Phishing / BEC delivered via email, aimed at credentials or fraudulent wire transfers.
- Ransomware often arriving via phishing, exploiting unpatched systems, or via compromised RMM tools.
- Vendor compromise affecting downstream targets.
- Insider threats including departing-employee data exfil.
Layered defense map (matching the threats):
- Email gateway + MFA + training → phishing/BEC.
- EDR/MDR + patching + segmentation + backups → ransomware.
- Vendor risk reviews + MFA + conditional access → vendor compromise.
- Least privilege + monitoring + offboarding procedures → insider threats.
Sources
- [CompTIA A+ 220-1202 Exam Objectives Version 4.0, Section 2.5](../../../../../../30-RevyTechJourney/CompTIA%20A%2B%20220-1202%20Exam%20Objectives%20%284.0%29.pdf)
- [CISA: Phishing](https://www.cisa.gov/news-events/news/avoiding-social-engineering-and-phishing-attacks)
- [OWASP: SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection)
- [OWASP: Cross-Site Scripting](https://owasp.org/www-community/attacks/xss/)
- [FBI: Business Email Compromise](https://www.fbi.gov/how-we-can-help-you/scams-and-safety/common-frauds-and-scams/business-email-compromise)
