AP CSP Cybersecurity Phishing
AP CSP Cybersecurity, Phishing & Social Engineering: Complete Guide (2025‑2026)
Cybersecurity protects digital systems, data, and networks from unauthorized access or disruption. AP CSP Big Idea 5 draws a critical distinction between technical attacks (exploiting software vulnerabilities) and human-layer attacks (manipulating people). Phishing and social engineering bypass all technical controls by targeting the human. The exam tests: what each attack type does, which defenses address which threats, and why the human is often the weakest link.
Contents
Technical vs. Human-Layer Attacks
- SQL injection into database
- Unpatched operating system exploit
- Man-in-the-middle on unsecured WiFi
- Brute force password guessing
- Defense: patches, firewalls, encryption
- Fake “your account is suspended” email
- IT support impersonation via phone call
- Urgent wire transfer email from fake CEO
- USB drop attack in parking lot
- Defense: ONLY user awareness — no patch exists
An employee receives a call from someone claiming to be the company’s IT help desk. The caller says suspicious activity was detected on the employee’s account and asks for their password to “verify identity” before resetting it. The employee provides the password.
What type of attack is this? What makes it different from a technical attack? What is the only effective defense?
Social engineering (vishing — voice phishing). The attacker impersonates a trusted authority figure (IT help desk) to manipulate the victim into voluntarily revealing credentials. No software was exploited — the attack targeted human trust and authority bias. The only effective defense is user awareness training: legitimate IT departments never ask for your password to verify identity.
Multi-Factor Authentication
A stolen password alone should not be enough to access an account. MFA requires a second factor from a different category, so compromising one factor does not grant access.
MFA most commonly combines Factor 1 (password) with Factor 2 (phone/token). Compromising one factor is not enough — the attacker also needs the second.
A company deploys MFA for all employee accounts. Two months later, an attacker successfully phishes an employee’s password. The attacker attempts to log in but is stopped at the MFA prompt because they don’t have the employee’s phone. The attacker then calls the employee, claims to be IT support, and asks them to read the MFA code “to verify their identity.” The employee provides the code.
Did MFA fail? What does this scenario illustrate?
MFA worked as designed — until the human layer was exploited again. The attacker could not bypass MFA through technical means. They bypassed it by social engineering the second factor directly from the victim. This illustrates that MFA is a strong technical control, but social engineering can defeat any technical control by targeting the human. The defense is the same: user awareness that no legitimate IT team asks for MFA codes.
Symmetric vs. Asymmetric Encryption
- Same key encrypts AND decrypts
- Both parties must have the key in advance
- Problem: how do you share the key securely?
- Fast — used for bulk data encryption
- Example: AES (file encryption)
- Public key: share openly, used to ENCRYPT
- Private key: kept secret, used to DECRYPT
- No shared secret needed — key exchange solved
- Slower — used to establish session keys
- Example: RSA (HTTPS handshake)
Alice wants to send Bob a confidential message over the internet. They have never communicated before and have no pre-shared secret. Alice finds Bob’s public key published on his website. She uses it to encrypt the message and sends it. Only Bob’s private key can decrypt it.
Which type of encryption is this? What problem does it solve?
Asymmetric encryption. It solves the key distribution problem: Alice and Bob never needed to meet or share a secret in advance. Bob’s public key is freely published — anyone can encrypt with it, but only Bob (with his private key) can decrypt. This is exactly how HTTPS works: the browser uses the server’s public certificate to establish a secure session without any prior secret.
Common Exam Pitfalls
HTTPS means the connection is encrypted and the domain certificate is verified. It does not mean the organization is legitimate. Phishing sites routinely use HTTPS. The padlock means encrypted transit to that domain — not that the domain is safe.
Encryption scrambles data so only the intended recipient can read it. Authentication verifies identity. HTTPS provides both, but they are separate. You can have encrypted access to a fraudulent site (HTTPS phishing page).
A strong password is useless if phished. A breach at another site using the same password (credential stuffing) also defeats strong passwords. MFA addresses both scenarios by requiring a second factor the attacker cannot obtain from a stolen password alone.
Phishing occurs via email (phishing), SMS (smishing), and voice calls (vishing). The common element is impersonation and psychological manipulation, not the delivery channel. AP exam scenarios may use any medium.
Check for Understanding
1. A website uses HTTPS. Which statement about this connection is accurate?
- Data transmitted to and from the site is encrypted during transit.
- The website has been verified as trustworthy by a government authority.
- The server stores passwords in plaintext because HTTPS already secures them.
- The site cannot collect user data without explicit consent.
2. An employee receives a call from someone claiming to be IT support asking for their password. This attack is best classified as:
- A man-in-the-middle attack, because the attacker intercepts communication.
- A brute force attack, because the attacker is attempting to access the account.
- Social engineering, because the attacker manipulates the victim rather than exploiting software.
- A denial-of-service attack, because it disrupts normal operations.
3. Consider statements about MFA:
I. MFA requires a second factor even when the correct password is provided.
II. MFA eliminates the risk of phishing entirely.
III. MFA most commonly combines something you know with something you have.
Which statements are correct?
- I only
- I and II only
- I and III only
- I, II, and III
4. Which of the following best describes the difference between symmetric and asymmetric encryption?
- Symmetric uses longer keys; asymmetric uses shorter keys.
- Symmetric uses one shared key for both encryption and decryption; asymmetric uses a public key to encrypt and a different private key to decrypt.
- Symmetric is used only for passwords; asymmetric is used only for file storage.
- Asymmetric is always faster than symmetric because it uses a key pair.
5. A company encrypts all stored customer data with a single master key stored in the same database. Which vulnerability does this most directly create?
- An attacker who gains database access obtains both the encrypted data and the key to decrypt it.
- The encryption algorithm becomes weaker when the key is near the data.
- The database cannot perform queries on encrypted fields without decrypting all records.
- Regulatory frameworks require keys to be stored on a separate continent.
6. A company implements 16-character minimum passwords. Phishing attacks against the company subsequently increase by 40%. The most likely explanation is:
- Longer passwords are easier to guess using dictionary attacks.
- Attackers shifted to social engineering because stronger passwords made technical credential theft harder.
- The password policy caused employees to write passwords down, leaving them physically exposed.
- 16-character passwords exceed the hash capacity of standard bcrypt.
Frequently Asked Questions
How the AP Exam Tests This
- Identify a described attack as phishing, malware, DDoS, or another specific threat
- Explain why a specific security measure (2FA, encryption, strong passwords) mitigates a described attack
- Determine which security principle (least privilege, defense in depth) applies to a scenario
- I/II/III: which statements about cybersecurity threats and defenses are correct
- Identify the most effective defense against a specific social engineering attack
7. A user receives an email claiming their bank account is suspended. The email provides a link to a login page that looks identical to their bank’s website. This is:
- Malware — the email contains a virus.
- Phishing — the attacker creates a fake site to steal credentials.
- A DDoS attack against the bank.
- Ransomware targeting the user’s files.
8. Two-factor authentication (2FA) is most effective against:
- Malware that has already been installed on the device.
- Phishing attacks where the password is stolen but the attacker lacks the second factor.
- DDoS attacks that overwhelm server capacity.
- SQL injection attacks on a database.
9. Consider: I. Strong passwords alone are sufficient to protect online accounts. II. Phishing attacks target human behavior rather than technical vulnerabilities. III. Defense in depth means using multiple overlapping security measures.
- I only
- II and III only
- I, II, and III
- I and III only
10. An attacker calls an employee claiming to be from IT support and asks for their login credentials to ‘fix an urgent problem.’ This is:
- Brute force — trying many passwords until one works.
- Social engineering — manipulating a person into revealing confidential information.
- Malware installation via phone.
- A man-in-the-middle attack.
Get in Touch
Whether you're a student, parent, or teacher — I'd love to hear from you.
Just want free AP CS resources?
Enter your email below and check the subscribe box — no message needed. Students get daily practice questions and study tips. Teachers get curriculum resources and teaching strategies.
Message Sent!
Thanks for reaching out. I'll get back to you within 24 hours.
Prefer email? Reach me directly at [email protected]