Email and Social Media Security Risks

Phishing, vishing, smishing, and your first Risk Assessment Matrix  ·  Approx. 2 class days

StarringRisk = Likelihood × SeverityPhishing → Spear Phishing → Vishing → Smishing

Use this as a quick reference for the 7 social engineering tactics, the phishing family, adversary skill/motivation, and the Risk Assessment Matrix.

Social Engineering in Your Inbox and Feed infographic

🧭 Plot Summary

This is where social engineering gets real. You'll review a fictional social media profile and email inbox — the same way an analyst would — and look for the tells: a name that's spelled almost right, a link that doesn't quite match the real domain, a message that wants you to act right now.

Not all social engineering shows up the same way. It has a family of names depending on the channel it travels through:

Phishing
Broad, untargeted — sent to as many inboxes as possible
Spear Phishing
Targeted — uses real personal details about you
Vishing
Voice — a phone call impersonating someone trusted
Smishing
SMS — the same tactics, delivered by text message

What you will do in this lesson

  • Review a fictional social media profile and email inbox for real attack indicators.
  • Sort attacks into phishing, spear phishing, vishing, and smishing.
  • Connect each attack back to one of the 7 social engineering tactics.
  • Discuss adversary skill level and motivation using real-world framing.
  • Complete your first Risk Assessment Matrix — a format you'll reuse all course.

Why it matters

This is the AP-heavy activity in this unit — the social engineering vocabulary and the Risk Assessment Matrix format you build here both show up repeatedly for the rest of the course, and directly on the exam.

Self-Check Before You Roll On

Check off each item as you get there. These are not grades — they are your own signal.

Built with v0