AP CSP Cybersecurity Phishing

AP CSP Topics › Cybersecurity & Phishing

AP CSP Cybersecurity, Phishing & Social Engineering: Complete Guide (2025‑2026)

Cybersecurity protects digital systems, data, and networks from unauthorized access or disruption. AP CSP Big Idea 5 draws a critical distinction between technical attacks (exploiting software vulnerabilities) and human-layer attacks (manipulating people). Phishing and social engineering bypass all technical controls by targeting the human. The exam tests: what each attack type does, which defenses address which threats, and why the human is often the weakest link.

91%Of successful data breaches start with a phishing email — not a software exploit
2Independent factors required by MFA — stealing a password alone is not enough
1Extra second: average time to compromise an account with a weak password via brute force

Technical vs. Human-Layer Attacks

Technical Attack
Exploits software vulnerabilities
  • SQL injection into database
  • Unpatched operating system exploit
  • Man-in-the-middle on unsecured WiFi
  • Brute force password guessing
  • Defense: patches, firewalls, encryption
Human-Layer Attack (Phishing/Social Engineering)
Exploits human psychology
  • Fake “your account is suspended” email
  • IT support impersonation via phone call
  • Urgent wire transfer email from fake CEO
  • USB drop attack in parking lot
  • Defense: ONLY user awareness — no patch exists
Scenario — Classify the Attack

An employee receives a call from someone claiming to be the company’s IT help desk. The caller says suspicious activity was detected on the employee’s account and asks for their password to “verify identity” before resetting it. The employee provides the password.

What type of attack is this? What makes it different from a technical attack? What is the only effective defense?

Answer

Social engineering (vishing — voice phishing). The attacker impersonates a trusted authority figure (IT help desk) to manipulate the victim into voluntarily revealing credentials. No software was exploited — the attack targeted human trust and authority bias. The only effective defense is user awareness training: legitimate IT departments never ask for your password to verify identity.

Multi-Factor Authentication

A stolen password alone should not be enough to access an account. MFA requires a second factor from a different category, so compromising one factor does not grant access.

Multi-Factor Authentication: Three Factor Types Something You KNOW Password PIN Security question Factor 1 Something You HAVE Phone / SMS code Hardware token Authenticator app Factor 2 Something You ARE Fingerprint Face recognition Retina scan Factor 3 MFA requires 2+ factors from different categories

MFA most commonly combines Factor 1 (password) with Factor 2 (phone/token). Compromising one factor is not enough — the attacker also needs the second.

Scenario — Evaluate the Defense

A company deploys MFA for all employee accounts. Two months later, an attacker successfully phishes an employee’s password. The attacker attempts to log in but is stopped at the MFA prompt because they don’t have the employee’s phone. The attacker then calls the employee, claims to be IT support, and asks them to read the MFA code “to verify their identity.” The employee provides the code.

Did MFA fail? What does this scenario illustrate?

Answer

MFA worked as designed — until the human layer was exploited again. The attacker could not bypass MFA through technical means. They bypassed it by social engineering the second factor directly from the victim. This illustrates that MFA is a strong technical control, but social engineering can defeat any technical control by targeting the human. The defense is the same: user awareness that no legitimate IT team asks for MFA codes.

Symmetric vs. Asymmetric Encryption

Symmetric Encryption
One shared key for both directions
  • Same key encrypts AND decrypts
  • Both parties must have the key in advance
  • Problem: how do you share the key securely?
  • Fast — used for bulk data encryption
  • Example: AES (file encryption)
Asymmetric Encryption
Public key in, private key out
  • Public key: share openly, used to ENCRYPT
  • Private key: kept secret, used to DECRYPT
  • No shared secret needed — key exchange solved
  • Slower — used to establish session keys
  • Example: RSA (HTTPS handshake)
Scenario — Which Encryption Type?

Alice wants to send Bob a confidential message over the internet. They have never communicated before and have no pre-shared secret. Alice finds Bob’s public key published on his website. She uses it to encrypt the message and sends it. Only Bob’s private key can decrypt it.

Which type of encryption is this? What problem does it solve?

Answer

Asymmetric encryption. It solves the key distribution problem: Alice and Bob never needed to meet or share a secret in advance. Bob’s public key is freely published — anyone can encrypt with it, but only Bob (with his private key) can decrypt. This is exactly how HTTPS works: the browser uses the server’s public certificate to establish a secure session without any prior secret.

Common Exam Pitfalls

1
Thinking HTTPS means the site is trustworthy

HTTPS means the connection is encrypted and the domain certificate is verified. It does not mean the organization is legitimate. Phishing sites routinely use HTTPS. The padlock means encrypted transit to that domain — not that the domain is safe.

2
Confusing encryption with authentication

Encryption scrambles data so only the intended recipient can read it. Authentication verifies identity. HTTPS provides both, but they are separate. You can have encrypted access to a fraudulent site (HTTPS phishing page).

3
Thinking strong passwords alone prevent account compromise

A strong password is useless if phished. A breach at another site using the same password (credential stuffing) also defeats strong passwords. MFA addresses both scenarios by requiring a second factor the attacker cannot obtain from a stolen password alone.

4
Believing phishing only happens via email

Phishing occurs via email (phishing), SMS (smishing), and voice calls (vishing). The common element is impersonation and psychological manipulation, not the delivery channel. AP exam scenarios may use any medium.

Check for Understanding

1. A website uses HTTPS. Which statement about this connection is accurate?

  • Data transmitted to and from the site is encrypted during transit.
  • The website has been verified as trustworthy by a government authority.
  • The server stores passwords in plaintext because HTTPS already secures them.
  • The site cannot collect user data without explicit consent.
HTTPS encrypts data in transit between browser and server. It verifies the domain certificate (not organizational trustworthiness) and says nothing about server-side practices or data collection.

2. An employee receives a call from someone claiming to be IT support asking for their password. This attack is best classified as:

  • A man-in-the-middle attack, because the attacker intercepts communication.
  • A brute force attack, because the attacker is attempting to access the account.
  • Social engineering, because the attacker manipulates the victim rather than exploiting software.
  • A denial-of-service attack, because it disrupts normal operations.
Social engineering exploits human psychology — trust, authority, urgency — to obtain access without exploiting any software vulnerability. No technical patch can prevent it; only user awareness training is effective.

3. Consider statements about MFA:
I. MFA requires a second factor even when the correct password is provided.
II. MFA eliminates the risk of phishing entirely.
III. MFA most commonly combines something you know with something you have.

Which statements are correct?

  • I only
  • I and II only
  • I and III only
  • I, II, and III
Statement I is correct — MFA always requires the second factor regardless of password correctness. Statement III is correct — password (know) + phone/token (have) is the most common combination. Statement II is false — sophisticated phishing can bypass MFA by social engineering the second factor from the victim.

4. Which of the following best describes the difference between symmetric and asymmetric encryption?

  • Symmetric uses longer keys; asymmetric uses shorter keys.
  • Symmetric uses one shared key for both encryption and decryption; asymmetric uses a public key to encrypt and a different private key to decrypt.
  • Symmetric is used only for passwords; asymmetric is used only for file storage.
  • Asymmetric is always faster than symmetric because it uses a key pair.
Symmetric: same key encrypts and decrypts (key distribution problem). Asymmetric: public key encrypts, private key decrypts (no shared secret needed). HTTPS uses asymmetric to exchange a symmetric session key, combining the benefits of both.

5. A company encrypts all stored customer data with a single master key stored in the same database. Which vulnerability does this most directly create?

  • An attacker who gains database access obtains both the encrypted data and the key to decrypt it.
  • The encryption algorithm becomes weaker when the key is near the data.
  • The database cannot perform queries on encrypted fields without decrypting all records.
  • Regulatory frameworks require keys to be stored on a separate continent.
Co-locating the encryption key with the encrypted data means a single database breach yields both. Proper key management stores keys in a separate hardened system so that compromising the database alone is not sufficient to decrypt the data.

6. A company implements 16-character minimum passwords. Phishing attacks against the company subsequently increase by 40%. The most likely explanation is:

  • Longer passwords are easier to guess using dictionary attacks.
  • Attackers shifted to social engineering because stronger passwords made technical credential theft harder.
  • The password policy caused employees to write passwords down, leaving them physically exposed.
  • 16-character passwords exceed the hash capacity of standard bcrypt.
When technical attack surfaces harden, attackers substitute human-layer attacks. This illustrates the principle that improving technical controls shifts attacker focus to the human — the weakest link that cannot be patched with software updates.

Frequently Asked Questions

What malware types does the AP CSP exam cover?
Know these categories: virus (attaches to files, spreads when executed), worm (self-replicates across networks without user action), ransomware (encrypts victim files, demands payment for decryption key), spyware (monitors user activity covertly), trojan (disguised as legitimate software). Focus on what each type does and its primary impact, not technical implementation details.
Is two-factor authentication (2FA) the same as MFA?
2FA is a specific case of MFA using exactly two factors. MFA is the broader category that can include three or more factors. On the AP exam, both terms refer to the same concept: requiring more than just a password by combining knowledge, possession, and/or biometric factors.
What is the least-privilege principle?
The principle of least privilege states that users, programs, and systems should have access only to what they need for their specific function — nothing more. It limits damage from breaches and insider threats by ensuring a compromised account has limited ability to move laterally through the system.

How the AP Exam Tests This

  • Identify a described attack as phishing, malware, DDoS, or another specific threat
  • Explain why a specific security measure (2FA, encryption, strong passwords) mitigates a described attack
  • Determine which security principle (least privilege, defense in depth) applies to a scenario
  • I/II/III: which statements about cybersecurity threats and defenses are correct
  • Identify the most effective defense against a specific social engineering attack

7. A user receives an email claiming their bank account is suspended. The email provides a link to a login page that looks identical to their bank’s website. This is:

  • Malware — the email contains a virus.
  • Phishing — the attacker creates a fake site to steal credentials.
  • A DDoS attack against the bank.
  • Ransomware targeting the user’s files.
Phishing: attacker impersonates a trusted entity to trick users into providing credentials on a fraudulent site.

8. Two-factor authentication (2FA) is most effective against:

  • Malware that has already been installed on the device.
  • Phishing attacks where the password is stolen but the attacker lacks the second factor.
  • DDoS attacks that overwhelm server capacity.
  • SQL injection attacks on a database.
2FA requires a second verification even if the password is compromised, making stolen passwords alone insufficient for account access.

9. Consider: I. Strong passwords alone are sufficient to protect online accounts. II. Phishing attacks target human behavior rather than technical vulnerabilities. III. Defense in depth means using multiple overlapping security measures.

  • I only
  • II and III only
  • I, II, and III
  • I and III only
II correct — phishing exploits trust and urgency, not code bugs. III correct — defense in depth is a core security principle. I false — passwords are routinely compromised; 2FA, monitoring, and other layers are necessary.

10. An attacker calls an employee claiming to be from IT support and asks for their login credentials to ‘fix an urgent problem.’ This is:

  • Brute force — trying many passwords until one works.
  • Social engineering — manipulating a person into revealing confidential information.
  • Malware installation via phone.
  • A man-in-the-middle attack.
Social engineering manipulates people rather than exploiting technical vulnerabilities. Legitimate IT departments never ask for passwords.

Get in Touch

Whether you're a student, parent, or teacher — I'd love to hear from you.

Just want free AP CS resources?

Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.

Typically responds within 24 hours

Message Sent!

Thanks for reaching out. I'll get back to you within 24 hours.

🏫 Welcome, fellow educator!

I offer curriculum resources, practice materials, and study guides designed for AP CS teachers. Let me know what you're looking for — whether it's classroom materials, a guest speaker, or Teachers Pay Teachers resources.

Email

[email protected]

📚

Courses

AP CSA, CSP, & Cybersecurity

Response Time

Within 24 hours

Prefer email? Reach me directly at [email protected]