Social Engineering Attacks: A+ Core 2 Study Guide
Social engineering attacks manipulate human psychology to gain unauthorized access to systems or data. For the CompTIA A+ Core 2 exam, you must distinguish between digital lures like phishing, vishing, and smishing, and physical breaches like tailgating and shoulder surfing, while implementing strict security policies and user awareness training.
What is the difference between Phishing, Vishing, and Smishing?
When you're studying for the 220-1102, you'll notice that CompTIA loves to test your ability to distinguish between different delivery methods of the same attack. Phishing is the umbrella term for all of these lures, but when the exam says 'phishing' with no qualifier it means the email-based form. These messages usually manufacture urgency (a 'frozen account', an 'expiring password') and carry a malicious link or attachment designed to harvest credentials or deliver malware.
Vishing (voice phishing) moves the attack to the phone. Whether it's a robocall or a live caller claiming to be from the IRS or your own help desk, the goal is to talk you into revealing sensitive data, or into taking an action such as installing 'support' software. Smishing (SMS phishing) is the same lure delivered by text message. If an exam scenario has a user receiving a text about a 'missed delivery' with a suspicious link, that is textbook smishing. The key to these questions is identifying the medium of communication first, then the lure.
How do Tailgating and Piggybacking differ?
These two terms are often used interchangeably in casual conversation, but for the A+ exam, the distinction is critical. Tailgating occurs when an unauthorized person follows an authorized person into a secure area without their knowledge or consent. Imagine someone slipping through a heavy door just before it closes behind an employee. It's a stealthy, opportunistic move.
Piggybacking, on the other hand, involves a level of cooperation. In this scenario, the authorized person knows the intruder is there and intentionally allows them in, often out of a misplaced sense of politeness or 'being a good coworker.' To mitigate both, focus on physical controls: access control vestibules (the 220-1102 objectives' term for mantraps), turnstiles, badge readers, guards who challenge anyone without a visible badge, and a strict no-holding-the-door policy. Remember, the difference lies in the authorized person's awareness and consent. If the employee holds the door open for a stranger, it's piggybacking; if the stranger slips in behind them, it's tailgating.
What are Pretexting and Shoulder Surfing?
Pretexting is a more sophisticated form of social engineering where the attacker creates a fabricated scenario—a 'pretext'—to steal information. Instead of a generic 'click here' email, a pretexting attacker might call a help desk pretending to be a high-level executive who forgot their password during a critical board meeting. They build a believable story to manipulate the target into bypassing security protocols.
Shoulder surfing is far more low-tech but equally dangerous. This is simply the act of looking over someone's shoulder to observe them entering a PIN at an ATM, typing a password on a laptop, or unlocking a phone. While it seems simple, it's a common way for attackers to gain initial access. To defend against this, you should suggest hardware solutions like privacy screens (physical filters that narrow the viewing angle) and encourage users to be mindful of their surroundings in public spaces.
How can you mitigate these human-centric threats?
You can have the most expensive firewall in the world, but it won't stop a user from giving their password to a 'technician' over the phone. This is why user awareness training is the most effective defense against social engineering. Employees need to be trained to recognize the red flags: urgent or threatening language, any request for a password or one-time code, unexpected attachments, and links whose visible text does not match the real destination. A culture of 'verify, then trust' is essential for any secure organization: confirm the request through a channel you chose, not one the requester handed you.
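The red flags listed above, and the 'identify the medium first' rule from the phishing/vishing/smishing section, can be written down as triage rules. The script below is an added example for this guide, not CompTIA material or a vendor tool: it labels each message with the attack name for its channel and then collects the red flags it finds (urgency, requests for sensitive data, attachments, and links whose visible text points to a different domain than the real destination, including look-alike domains such as a digit 1 standing in for a lowercase l). Every message, phone number, domain and brand mapping in it is constructed for illustration.

```python
"""Rule-based triage of suspicious messages (added example, not from the guide).

Labels the attack name for the delivery channel the exam wants you to spot
first (email = phishing, SMS = smishing, voice = vishing), then collects the
red flags: urgent language, requests for sensitive data, unexpected
attachments, link text that does not match the real destination, and
look-alike domains.  All samples, domains and brands below are constructed.
"""
import re
from urllib.parse import urlparse

# Attack name for each channel (applies to the lure type, not the verdict).
LURE_TYPE = {"email": "phishing", "sms": "smishing", "voice": "vishing"}

URGENCY = ("immediately", "within 24 hours", "frozen", "suspended",
           "final notice", "warrant")
SENSITIVE = ("password", "verify your account", "social security",
             "confirm your pin", "login details")

# Hypothetical legitimate domains for brands an attacker might impersonate.
BRANDS = {"paypal": "paypal.com", "usps": "usps.com",
          "example-bank": "example-bank.com"}
# Characters commonly swapped in for look-alike domains.
HOMOGLYPHS = (("1", "l"), ("0", "o"), ("rn", "m"))

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.I)


def registered_domain(url: str) -> str:
    """Last two host labels; real code should consult the Public Suffix List."""
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.split(".")[-2:])


def lookalike_of(domain: str):
    """Return the brand a domain imitates, or None if it is the brand itself."""
    normalized = domain
    for fake, real in HOMOGLYPHS:
        normalized = normalized.replace(fake, real)
    for brand, legit in BRANDS.items():
        if brand in normalized and domain != legit:
            return brand
    return None


def triage(msg: dict) -> tuple:
    """Return (lure type for the channel, sorted list of red flags)."""
    flags = set()
    body = msg["body"]
    lowered = body.lower()

    if any(word in lowered for word in URGENCY):
        flags.add("urgency")
    if any(word in lowered for word in SENSITIVE):
        flags.add("sensitive_data_request")
    if msg.get("attachments"):
        flags.add("unexpected_attachment")

    # Visible link text that points somewhere else is a classic lure.
    anchors = ANCHOR_RE.findall(body)
    for href, anchor in anchors:
        anchor_text = re.sub(r"<[^>]+>", "", anchor).strip()
        if URL_RE.fullmatch(anchor_text) and \
                registered_domain(anchor_text) != registered_domain(href):
            flags.add("link_text_mismatch")

    # Look-alike domains in any href, bare URL, or the sender address.
    urls = [href for href, _ in anchors] + URL_RE.findall(re.sub(r"<[^>]+>", " ", body))
    domains = {registered_domain(u) for u in urls}
    sender = msg.get("from", "")
    if "@" in sender:
        domains.add(sender.rsplit("@", 1)[1].strip("<> ").lower())
    for domain in domains:
        if lookalike_of(domain):
            flags.add(f"lookalike:{domain}")

    return LURE_TYPE[msg["channel"]], sorted(flags)


SAMPLES = [  # constructed messages, not real traffic
    {"channel": "email", "from": "PayPal Support <alerts@paypa1-secure.com>",
     "body": 'Your account has been frozen. <a href="http://paypa1-secure.com/login">'
             'https://www.paypal.com/signin</a> Verify your account within 24 hours.'},
    {"channel": "sms", "from": "+15555550123",
     "body": "USPS: your package could not be delivered. "
             "Reschedule: http://usps-redelivery.info/track"},
    {"channel": "voice", "from": "+15555550199",
     "body": "This is the IRS. A warrant will be issued unless you confirm "
             "your Social Security number immediately."},
    {"channel": "email", "from": "it-helpdesk@example-bank.com",
     "body": "Monthly maintenance window is Saturday 02:00. No action required."},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(triage(sample))
```

The fourth sample is a routine notice and comes back with no flags; the first three trip the same rules a trained user applies by eye. In a real mail gateway the brand list and homoglyph table would be far larger and the domain parsing would use the Public Suffix List rather than 'last two labels'.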
Beyond training, you must implement technical safeguards. Multi-Factor Authentication (MFA) is the first of them: if an attacker phishes a password, they still need the second factor. Be precise about its limits, though. A one-time code from an authenticator app can itself be phished and relayed in real time, and vishing callers routinely ask victims to read the code aloud; only phishing-resistant MFA such as FIDO2 security keys, which bind the login to the genuine site's origin, closes that gap. Least-privilege access control lists (ACLs) and a Zero Trust posture (authenticate and authorize every request, trust no network location) then limit the blast radius if an account is compromised anyway. On the exam, always look for the answer that combines technical controls with human education.
Why is practice the key to mastering these concepts?
The CompTIA A+ exam rarely asks you to simply define 'phishing.' Instead, it gives you a complex scenario and asks you to identify the attack and the best remediation step. This requires a level of pattern recognition that you can only develop through high-volume, high-quality practice. You need to see 50 different versions of a 'vishing' scenario before it becomes second nature.
This is exactly why we built Cert Sensei. We provide 1,000 expert-curated practice questions specifically for the A+ Core 2 (220-1102) exam. Rather than just telling you if you're wrong, our platform provides detailed expert reasoning for every single answer, explaining the 'why' behind the correct choice. With our domain-level analytics, you can see exactly where you're struggling—whether it's physical security or OS troubleshooting—so you can stop wasting time on what you already know and focus on your weak points.
❓ Frequently Asked Questions
Is spear phishing different from standard phishing?
Yes. Standard phishing is a 'cast a wide net' approach sent to thousands. Spear phishing is a targeted attack aimed at a specific individual or organization, often using personal details to make the lure more convincing.
What is the most effective physical control to stop tailgating?
An access control vestibule, the term the 220-1102 objectives now use for a mantrap (or security portal), is the most effective. It consists of two interlocking doors where the first must close before the second opens, ensuring only one person enters at a time.
How do I tell the difference between a legit IT call and vishing?
Legitimate IT departments will almost never ask for your password, or for a one-time MFA code, over the phone. The best practice is to hang up and call the IT department back using an extension from the internal directory, never a number the caller gives you.