Social Engineering, Phishing, and Your First Risk Assessment

1.1.A–CConcept

Recognizing Social Engineering

Social engineering attacks lean on psychological tactics to get a target to reveal sensitive information, download a malicious file, or click a malicious link. It can happen in person, but far more often it arrives by email, text message, or social media. Seven tactics show up again and again:

Pretexting
A fabricated, believable scenario used to justify a request.
Authority
Impersonating someone with power, or relaying their supposed instructions.
Intimidation
Threatening negative consequences if the target doesn't comply.
Consensus
Implying everyone else is already doing the requested action.
Scarcity
Creating a false sense of limited supply or a closing window.
Familiarity
Faking rapport or a personal connection with the target.
Urgency
Setting a deadline that pressures a quick, unverified decision.
🔑Intimidation and urgency are the two called out explicitly in the AP course content — both work by short-circuiting careful thought. Intimidation leans on a natural aversion to negative consequences; urgency leans on a natural instinct to react fast under time pressure. Combined, they're a reliable one-two punch.

What a victim actually loses

A successful attack usually nets an adversary one of three things: personal information that enables impersonation (name, birthdate, pet's name — often the same details used for security questions); secure information like a one-time password that lets the adversary log in as the victim; or a malware infection from a downloaded file or malicious link.

1.1.ATactic

The Phishing Family Tree

"Phishing" is the umbrella term, but the same underlying tactics show up under different names depending on the channel:

📨 The Phishing Family — click each type
Channel: Email
Sent broadly to as many inboxes as possible, hoping a small percentage of recipients fall for it. No personalization — the same message goes to thousands of people.
ExampleGuided Example — Spot the Indicators

A teacher receives an email that appears to be from a school-approved cloud storage service. It claims a student's file needs 'urgent access approval' or the student will be locked out of their assignment. The sender's email domain is spelled almost — but not exactly — like the real service.

Step 1Check the sender
The domain doesn't exactly match the real service's domain — a classic sign of a spoofed sender.
1.3.AConcept

Who's on the Other End?

Adversaries vary along a skill spectrum. Low-skilled adversaries rely on tools built by someone else, purchased or downloaded online, and usually exploit already-known vulnerabilities. High-skilled adversaries can build or modify their own tools, adapt to new defenses, and even discover undocumented vulnerabilities — called zero days — that no defender knows about yet.

Motivation varies just as widely: greed, a desire for recognition, dedication to a cause, revenge, politics, or personal beliefs can all drive an attack — and knowing the likely motivation helps predict the likely target.

💡A hacktivist motivated by an environmental cause is unlikely to target a random small business — but highly likely to target a company's public-facing website if that company is seen as environmentally irresponsible. The motivation shapes the target, not just the method.
1.3.CConcept

Protecting Yourself on Public Networks

A few concrete habits go a long way on public Wi-Fi:

ActionWhy it helps
Use a VPNEncrypts your traffic to the VPN provider — though the provider itself can still see it
Avoid sensitive data on unencrypted Wi-FiUnencrypted networks expose things like DNS queries to anyone nearby
Verify the network name exactlyA name that's almost right may be an evil twin set up to capture your traffic
2.1.DConcept

Building Your First Risk Assessment Matrix

Risk occurs when a threat can exploit a vulnerability to compromise an asset — and assessing it means weighing two factors: likelihood (how probable the attack is) and severity (how bad the damage would be, usually in financial, operational, or reputational terms).

Low
Medium
High
High
High×Low
High×Medium
High×High
Medium
Medium×Low
Medium×Medium
Medium×High
Low
Low×Low
Low×Medium
Low×High
↑ LikelihoodSeverity →

A complete risk assessment write-up documents four things for each risk identified: the asset at stake, the threat facing it, the specific vulnerability being exploited, and a final rating — which can be quantitative (a 1–10 scale, or a dollar figure) or qualitative (low/medium/high/severe).

ExampleWorked Example — Rating a Risk

A school's staff email system has no multifactor authentication enabled, and staff frequently reuse passwords across personal and work accounts. A recent phishing campaign targeting schools in the region has been widely reported.

← Back to Activity 1.1.3Next: Project 1.1.4 →Save the Day.
Built with v0