Attack Types — Click to Select, Then Click a Card to Place
On mobile: tap an attack type below, then tap the card you want to classify.
Phishing
Spear Phishing
Vishing
Smishing
Pretexting
Baiting
Whaling
Quid Pro Quo
Scenario 1
You receive an email from “
[email protected]” warning that your account has been suspended and you must click a link to verify your identity within 24 hours.
Click here after selecting an attack type above
Scenario 2
The CFO of TechCorp gets an email addressed to her by name, referencing last quarter’s merger deal and asking her to approve a wire transfer to a new vendor account she does not recognize.
Click here after selecting an attack type above
Scenario 3
You get a phone call from someone claiming to be from the IRS. They say you owe back taxes and will be arrested unless you provide your Social Security number to “verify your identity” right now.
Click here after selecting an attack type above
Scenario 4
A text message arrives: “USPS: Your package could not be delivered. Update your address now or it will be returned: [link].” You were not expecting any packages.
Click here after selecting an attack type above
Scenario 5
A person calls your company’s help desk claiming to be a new IT contractor who urgently needs a password reset for a server — and they already know the server’s hostname and the name of your IT manager.
Click here after selecting an attack type above
Scenario 6
A USB drive labeled “Q4 Salary Report” is left in a company parking lot. An employee finds it, plugs it in out of curiosity, and malware is silently installed on their workstation.
Click here after selecting an attack type above
Scenario 7
The CEO receives a lawsuit notification email from a law firm, addressed to her by full name and title, referencing a specific contract dispute involving her company’s actual product line. It asks her to click a link to review the filing.
Click here after selecting an attack type above
Scenario 8
A caller tells an employee: “Hi, I’m from IT support. I’ll fix your slow computer remotely if you give me your login credentials. Think of it as a trade — I help you, you help me.”
Click here after selecting an attack type above
AP Exam Strategy — Identifying Attack Types
The AP exam will describe a social engineering scenario and ask you to identify the attack type. Use this mental checklist:
Channel first: Email = Phishing family. Phone call = Vishing. Text = Smishing. In-person = Pretexting or Baiting.
Then specificity: Does the email know your name, role, and specific details about you? That upgrades it to Spear Phishing. Targeting a C-suite executive specifically? That’s Whaling (a subtype of Spear Phishing).
The “something for something” offer is the signature of Quid Pro Quo — the attacker offers a service in exchange for credentials or access.