AP Cybersecurity Topic 1.1: Social Engineering | Complete Lesson

~60 min read | Last Updated: March 2026 | Lesson 1 of 5 — Unit 1
AP Cybersecurity — Unit 1: Introduction to Security

Topic 1.1: Social Engineering

Understanding how attackers exploit human psychology to bypass technical defenses — the most common, most effective, and most studied attack vector in modern cybersecurity.

Lesson 1 of 5 | Skill: Analyze Risk | ~60 min | Exam Weight: ~15–20% | Unit 1, Week 1
Topic 1.1 — Lesson Slides

Social Engineering Slide Deck

1.1.1 — Learning Objectives

By the end of this lesson, you will be able to:

  • Define social engineering and explain why it is frequently more effective than purely technical attacks
  • Identify and precisely distinguish between phishing, spear phishing, whaling, vishing, smishing, pretexting, baiting, and quid pro quo
  • Name and explain the six psychological principles (Cialdini) that attackers systematically exploit to manipulate victims
  • Analyze a realistic attack scenario, identify all techniques in use simultaneously, and justify your classification
  • Recognize edge cases where multiple attack types overlap and explain what distinguishes one classification from another
  • Evaluate the strengths and limitations of both technical and human-centered defenses against social engineering
  • Apply AP exam strategies — predict-first approach, slash the trash, key-word identification — to social engineering MCQ scenarios

1.1.2 — Why Social Engineering Works: The Psychology

Social engineering succeeds not by breaking technology, but by exploiting predictable human psychology. Researcher Robert Cialdini identified six core principles of influence that attackers weaponize systematically. Understanding these principles explains why even cautious, intelligent people get compromised.

Principle 1: Authority. “I must comply — they’re in charge.”

People comply with requests from perceived authority figures — bosses, IT staff, government agencies, banks. Attackers impersonate executives or law enforcement to override the victim’s skepticism.

Example: “This is Microsoft Support. I need your remote access credentials immediately.”
Exam signal: impersonation of any official/expert role

Principle 2: Scarcity & Urgency. “I must act NOW or lose something.”

Artificial time pressure disables deliberate thinking. When people believe they must act immediately or lose something permanently, they skip verification steps.

Example: “Reply within 2 hours or your account will be permanently locked.”
Exam signal: deadlines, permanent consequences, URGENT subject lines

Principle 3: Social Proof. “Everyone else is doing it.”

Humans look to others’ behavior to decide what is correct. Attackers fabricate consensus to make compliance feel normal and non-compliance feel abnormal.

Example: “Everyone in your department has already verified — you’re the only one remaining.”
Exam signal: “everyone else,” “only you haven’t,” fabricated statistics

Principle 4: Liking. “They’re just like me — I trust them.”

People are more likely to comply with requests from those they like or share something with. Attackers invest in building rapport before making the request, which takes time.

Example: A LinkedIn contact claiming your alma mater asks for your work email weeks later.
Exam trap: impersonation ≠ Liking. Liking requires established rapport.

Principle 5: Reciprocity. “They helped me — I owe them.”

When someone does something for us, we feel obligated to return the favor. Attackers offer “free” help or gifts first to create a psychological debt before making their real request.

Example: An attacker fixes your “printer jam,” then asks for your Wi-Fi credentials “while I’m here.”
Exam signal: attacker gives something first — the defining feature of quid pro quo

Principle 6: Commitment. “I already agreed — I must stay consistent.”

Once a person agrees to something small, they feel internal pressure to stay consistent with that commitment. Attackers get minor agreements first, then escalate gradually.

Example: A survey starts with “What bank do you use?” then escalates to account details and login credentials.
Exam signal: gradual escalation from harmless to sensitive requests
AP Exam Tip — Principles Often Stack: Real attacks rarely use just one principle. A well-crafted spear phishing email might combine Authority, Scarcity, and Social Proof. On the AP exam, identify the primary principle at work.
Check for Understanding: Matching
Q 1 of 10

✎ Before matching, review: which principle relies on fear of missing out? Which exploits a sense of obligation?

Match each Cialdini principle to the scenario that BEST demonstrates it as the primary manipulation technique.

Principles
  1. Authority
  2. Scarcity / Urgency
  3. Social Proof
  4. Reciprocity
  5. Commitment / Consistency
  6. Liking

Scenarios
  A. “All 12 members of your team have already verified their accounts — you are the last one remaining.”
  B. An online survey begins with “What bank do you use?” then gradually asks for account details and login credentials.
  C. A voicemail claims to be from the IRS and threatens an arrest warrant if you do not call back immediately.
  D. A LinkedIn contact who claims to share your alma mater and favorite hobbies asks you for a professional referral and your work email.
  E. An attacker fixes a “printer jam” for you, then casually asks for your Wi-Fi credentials “since I am already here.”
  F. “Your PayPal account will be permanently locked in 90 minutes unless you verify your identity now.”
Correct pairings: Authority → IRS arrest threat (C). Scarcity/Urgency → PayPal 90-minute lockout (F). Social Proof → “You are the last one” (A). Reciprocity → “Fixed your printer, now share Wi-Fi” (E). Commitment/Consistency → Survey escalation from easy to sensitive (B). Liking → Shared alma mater rapport-building (D).
Check for Understanding: MCQ
Q 2 of 10

✎ Predict first: Before reading the choices, identify which Cialdini principles you see in this scenario.

An attacker sends an email appearing to be from the VP of Finance: “I am in a board meeting — wire $18,500 to this vendor immediately or we lose the contract. Do NOT call me. Reply only.” A security analyst claims: “The primary exploitation here is Liking, because the attacker impersonated someone the employee knew personally.” Which of the following best identifies the flaw in the analyst’s classification?

B is correct. The analyst misidentifies Liking — that principle requires established rapport or genuine similarity, not merely pretending to be someone familiar. The actual attack weaponizes Authority and Scarcity/Urgency. Slash the trash: A is wrong because impersonation does not equal Liking by Cialdini’s definition. C is wrong because no offer or favor is given. D is wrong because there is no prior commitment referenced.

The 8 social engineering attack types organize into two groups: email-based attacks (which have a hierarchy based on targeting) and channel/method-based attacks (classified by delivery mechanism or technique). Master this structure and you can classify any AP exam scenario in under 5 seconds.

Email-Based Attack Hierarchy
  • Phishing: mass, untargeted; any recipient
  • Spear Phishing: + personalization via OSINT
  • Whaling: + C-suite or high-privilege target

AP Exam Rule: All whaling is spear phishing. Not all spear phishing is whaling. Look for CEO / CFO / admin = whaling signal.

Channel / Method-Based Attacks
  • Vishing (voice phone call): caller ID spoofed; real-time manipulation; AI voice cloning
  • Smishing (SMS text message): 95% open rate; obscured URLs on mobile; 2FA theft
  • Baiting (physical or digital lure): victim initiates; curiosity drives contact; USB drops
  • Pretexting (any channel): fabricated backstory is the primary mechanism; embedded in other attacks
  • Quid Pro Quo (phone or in-person, explicit exchange): attacker offers help first, then requests credentials in return. Reciprocity is the key principle.

AP Exam Classification Rule: Identify the delivery channel first — phone = vishing, text = smishing, email = phishing/spear/whaling. Then check targeting (personalized = spear, executive = whaling). Then check mechanism (lure = baiting, exchange = quid pro quo, fabricated story = pretexting).

1.1.3 — Essential Vocabulary & Exam Tips

8 Attack Types — Know All of These
  • Phishing: Mass email impersonation attack
  • Spear Phishing: Personalized, targeted phishing
  • Whaling: Spear phishing targeting executives
  • Vishing: Voice/phone-based phishing
  • Smishing: SMS/text-based phishing
  • Pretexting: Fabricated backstory to gain trust
  • Baiting: Physical or digital lure left for victim
  • Quid Pro Quo: Service offered in exchange for credentials

These are the core terms you must be able to define, distinguish from one another, and apply to novel scenarios. The AP exam frequently presents a scenario and asks you to classify the attack — or presents a classification and asks which scenario matches.

| Term | Precise Definition | What Makes It Distinct | AP Exam Tip |
| --- | --- | --- | --- |
| Social Engineering | Psychological manipulation of people into divulging confidential information or performing actions that compromise security | Targets humans, not systems; technical skills largely unnecessary | Umbrella term. All attack types below are subtypes. |
| Phishing | Mass-distribution fraudulent messages via email that impersonate a trusted entity to steal credentials or deliver malware | Untargeted and email-based. Volume is the strategy. | Key word: mass distribution, untargeted. Watch for spoofed domains. |
| Spear Phishing | A targeted phishing attack customized with specific personal details about the victim gathered through OSINT | Targeted and personalized. Higher success rate than generic phishing. | Key distinguisher: personalization with victim-specific details. |
| Whaling | Spear phishing targeting high-value individuals — CEOs, CFOs, IT administrators — with elevated privileges or financial authority | A subset of spear phishing targeting specifically high-value individuals. | Hierarchy: Phishing → Spear Phishing → Whaling. Whaling = spear phishing + C-suite target. |
| Vishing | Voice-based phishing via telephone call; attacker impersonates authority figures to extract sensitive information verbally | Delivery channel is a voice phone call. Caller ID spoofing makes the source appear legitimate. | The “v” stands for voice. Phone call = vishing. |
| Smishing | SMS (text message) phishing; fraudulent texts impersonating banks, package carriers, or government agencies | Delivery channel is SMS text message. High open rates and obscured URLs on mobile. | The “sm” stands for SMS. Text message = smishing. |
| Pretexting | Creating a fabricated, believable scenario that provides context and justification for an otherwise suspicious request | The fabricated backstory — often a component of other attacks rather than standalone. | Can appear inside vishing or spear phishing. Identify it as a component. |
| Baiting | Luring a victim with something enticing — free software, a found USB drive, pirated media — that delivers malware when used | An enticing lure. Can be physical (USB drive) or digital (free download). | Physical USB drop is a classic AP scenario. |
| Quid Pro Quo | Offering something in exchange for credentials or access — framing the attack as a transaction rather than a theft | Attacker offers value first, then requests credentials. Explicit exchange structure. | Distinguish from pretexting: quid pro quo always involves an explicit exchange. |
| OSINT | Open Source Intelligence — gathering information about a target from publicly available sources: LinkedIn, company websites, social media | The research phase that enables spear phishing and sophisticated pretexting. | If a scenario describes an attacker using public information to personalize an attack, OSINT is involved. |
Check for Understanding: Fill in the Blank
Q 3 of 10

✎ Before using the word bank, try to recall each term from memory. Then check yourself against the options.

Place the correct attack type into each blank to complete the classification hierarchy and channel descriptions.

A mass, untargeted email attack sent to thousands of recipients is called ________. When the attacker researches the victim using OSINT and personalizes the message with real details, it becomes ________. If the personalized target is a C-suite executive or IT administrator with elevated privileges, it is specifically classified as ________. When the attack is delivered via a voice phone call, it is classified as ________, and when delivered via SMS text message, it is ________. An attack that leaves an enticing physical or digital lure for the victim to find is called ________.

Word Bank: Smishing, Whaling, Phishing, Pretexting, Vishing, Spear Phishing, Baiting, Quid Pro Quo
The classification hierarchy runs: Phishing (mass/untargeted) → Spear Phishing (add personalization) → Whaling (add C-suite/admin target). Channel-based: voice call = Vishing, SMS text = Smishing. Physical/digital lure = Baiting. Pretexting and Quid Pro Quo are distractors that do not fit any blank.

1.1.4 — Attack Types In Depth

Understanding the surface definition is necessary but insufficient. You need to understand the mechanics, the edge cases, and the distinguishing features that separate one attack type from another when scenarios are deliberately constructed to obscure the classification.

Phishing (Mass, Untargeted, Email)
Phishing is a numbers game. A single fraudulent email is sent to tens or hundreds of thousands of recipients simultaneously. A 0.1% click rate on 500,000 emails delivers 500 compromised accounts.
Classic scenario: An email appearing to come from “Chase Bank Security Team” goes to 200,000 email addresses. The email warns of suspicious activity and asks recipients to “verify your identity” via a link to a credential-harvesting page.
Edge case: On the AP exam, phishing in the narrow technical sense refers specifically to email-based mass attacks. When the channel is text, classify as smishing; phone call, classify as vishing.
Spear Phishing (Targeted, Personalized)
The defining feature of spear phishing is research. The attacker spends time investigating the target using OSINT. The resulting message is so personalized that it bypasses the intuitive red-flag response that catches generic phishing.
Real-world mechanics: An attacker finds on LinkedIn that Marcus Chen is the billing supervisor. They discover the hospital just implemented Epic EHR. The attack email: “Hi Marcus — Dr. Lee asked me to forward the Epic vendor onboarding form. Please enter your credentials to pre-configure your admin access before the Thursday go-live deadline.” Every detail is real except the sender’s actual identity.
Critical distinction: A phishing email says “Dear Customer.” A spear phishing email says “Hi Marcus — Dr. Lee asked me to send this over.” The presence of accurate, researched personal details is the single most reliable indicator of spear phishing.
Whaling (High-Value Target: C-Suite / Admin)
Whaling is spear phishing at the executive level. The investment in research is far greater because the potential payoff is proportionally larger. The FBI estimates BEC wire fraud losses exceed $2 billion annually.
BEC scenario: An attacker researches the CFO and discovers the CEO is traveling to Singapore. They spoof the CEO’s display name: “Sandra — I’m in sessions all day and cannot take calls. Need you to process a $78,000 wire. Time-sensitive and confidential — do not discuss with anyone until it clears.”
Classification hierarchy: All whaling is spear phishing, but not all spear phishing is whaling. On the AP exam, look for “CEO,” “CFO,” “CIO,” or “IT administrator with elevated privileges” as signals for whaling.
Vishing (Voice Phone Call)
Vishing exploits the psychological trust we place in voice communication. Attackers use caller ID spoofing to display the phone number of a legitimate organization. Modern AI voice cloning tools allow convincing impersonation of specific individuals.
IRS vishing scenario: A victim receives a call appearing to be from the IRS. The caller states an arrest warrant has been issued for unpaid taxes. To prevent arrest, the victim must purchase gift cards and provide redemption codes. Authority + Urgency + Fear overrides logic for many victims.
Why vishing is dangerous in 2025: AI voice synthesis has lowered the barrier to impersonation. An attacker with 30 seconds of a CEO’s voice from a public earnings call can generate a convincing voice clone.
Smishing (SMS Text Message)
Smishing targets mobile devices through text messages. SMS open rates exceed 95%, mobile screens display truncated URLs that hide spoofed domains, and users click links more readily on phones.
2FA bypass smishing: An attacker who already has a victim’s password sends a text: “ALERT: We detected a login attempt from an unrecognized device. Reply with your one-time verification code to confirm it was you.” If the victim replies with the code, the attacker completes the login.
Distinguishing smishing from vishing: The delivery channel is the only distinction. Classify each phase of a hybrid attack by its channel.
Pretexting (Fabricated Scenario)
Pretexting is the art of constructing a plausible cover story that justifies an otherwise suspicious request. The pretext shifts the frame from “stranger asking for something suspicious” to “helpful authority figure solving a problem.”
Layered pretexting: An attacker calls a hospital posing as a health inspector (Authority), establishes the hospital uses Epic EHR, then calls IT posing as an Epic technical consultant, referencing the “ongoing audit,” and requests temporary admin credentials to verify compliance.
Pretexting as a component: Virtually every social engineering attack uses pretexting at some level. Classify it as pretexting when the elaborately constructed false identity is the attack’s primary mechanism.
Baiting (Enticing Lure, Physical or Digital)
Baiting exploits curiosity. Physical baiting involves infected USB drives left where targets will find them. Digital baiting involves enticing downloads. The victim chooses to take the bait, making them unlikely to report even if they suspect something later.
USB drop study: In a published security study, 48% of employees who found infected drives plugged them into work computers without scanning. 90% of drives labeled “Confidential — Payroll Q3 2025” were plugged in within one hour.
Baiting vs. quid pro quo: In baiting, the victim initiates the connection out of curiosity. In quid pro quo, the attacker contacts the victim first and explicitly asks for something in return.
Quid Pro Quo (Exchange-Based, Reciprocity Exploit)
Quid pro quo attacks weaponize reciprocity. The attacker contacts victims proactively, offers something of value first — typically fake technical assistance — and then requests credentials as part of the transaction.
IT support quid pro quo: An attacker calls employees claiming to resolve a “company-wide slowdown.” They walk the employee through a fake diagnostic process, appear to fix it, then say: “I just need your employee number and current network password to mark this ticket as resolved.” The employee, now feeling grateful, complies.
Overlap with pretexting: All quid pro quo attacks use pretexting (the fake IT story), but they add an explicit value exchange. If the scenario describes an explicit offer followed by a request, classify as quid pro quo.
Scenario Sort: Classify
Q 4 of 10

✎ Read each scenario and predict the classification BEFORE placing it. Use the delivery channel as your first filter.

Sort each scenario into its PRIMARY attack classification. Click a scenario card, then click the correct bucket.

Buckets: Vishing, Smishing, Spear Phishing, Baiting
1. An employee finds a USB drive labeled “Salary Data Q1 2026 — Confidential” in the lobby and plugs it into their workstation.
2. A text message reads: “FedEx: Your package could not be delivered. Reschedule: https://fdex-redeliver.net/track”
3. A phone call from “Microsoft Azure Support” claims unusual outbound traffic and requests remote access to “stop the breach.”
4. An email to the school’s IT director uses their real name, references the district’s recent switch to Google Workspace, and asks them to “verify admin access.”
5. A phone call claims your Social Security number has been “suspended due to suspicious activity” and you must “press 1 to speak with an agent.”
Correct sorting: #1 (USB drive) → Baiting. #2 (FedEx text) → Smishing. #3 (Azure phone call) → Vishing. #4 (personalized email to IT director) → Spear Phishing. #5 (SSN phone call) → Vishing. Channel is always the first filter: phone = vishing, text = smishing. The USB lure = baiting. Personalized email with OSINT details = spear phishing.

1.1.5 — Attack Classification Quick Reference

Use this table to build the classification reflex required for AP exam scenario questions.

| Attack | Channel / Method | Target | Primary Principle | Distinguishing Feature |
| --- | --- | --- | --- | --- |
| Phishing | Email | Anyone — mass | Authority + Urgency | Untargeted; generic greeting; high volume strategy |
| Spear Phishing | Email | Specific individual | Liking + Authority | Personalized with victim-specific OSINT details |
| Whaling | Email | C-suite / admin | Authority + Urgency | Spear phishing + executive/high-privilege target (Exam Trap) |
| Vishing | Voice phone call | Anyone | Authority + Urgency | Voice delivery; caller ID spoofing; real-time manipulation |
| Smishing | SMS text message | Mobile users | Urgency + Authority | SMS delivery; obscured URLs; 95% open rate |
| Pretexting | Any channel | Anyone | Authority + Liking | Fabricated identity/scenario is the core mechanism |
| Baiting | Physical or digital | Anyone (curiosity) | Curiosity / Greed | Enticing lure; victim initiates; often physical USB |
| Quid Pro Quo | Phone / in-person | Anyone | Reciprocity | Explicit exchange: attacker offers value, requests credentials (Exam Trap) |
Check for Understanding: MCQ
Q 5 of 10
A penetration tester drops 20 USB drives labeled “HR Salary Review — Confidential Q1 2026” in the parking lot and lobby of a target company. Within 2 hours, 13 of the drives have been plugged into company computers, installing a remote access tool.

What is the PRIMARY attack classification? What psychological principle makes it effective?

C is correct. Baiting is defined by leaving a physical or digital lure that victims initiate contact with on their own. The label exploits both curiosity and self-interest. A is wrong: quid pro quo requires the attacker to contact the victim first. B is wrong: no fabricated backstory is delivered directly. D is wrong: no personalization or email channel.

1.1.6 — Real-World Case Studies

Understanding how these attacks have played out in the real world builds the pattern recognition that scenario-based exam questions test.

2020 Twitter Hack: Spear Phishing + Vishing + Social Engineering Chain

In July 2020, attackers compromised over 130 high-profile Twitter accounts by calling Twitter staff members posing as the company’s IT department (vishing + pretexting), convincing them to provide credentials for internal admin tools.

The attackers had previously conducted OSINT to identify Twitter employees who had admin tool access. With the credentials, they were able to reset two-factor authentication on target accounts and generate over $120,000 in Bitcoin transfers.

AP Lesson

The attackers never exploited a technical vulnerability. They exploited employees. This attack combined OSINT research, pretexting, vishing, and social proof. Technical controls alone could not have prevented it.

Classic BEC Attack: Whaling via Business Email Compromise

A CFO received an email appearing to come from the CEO (spoofed display name) explaining that the company was finalizing a confidential acquisition and that a wire transfer of $245,000 needed to be processed. The email requested strict confidentiality — “do not discuss with legal or finance team until the deal closes.”

The request to avoid verification removes the CFO’s natural safeguards by weaponizing professionalism against security. The CFO processed the wire. The attack was discovered three days later when the CEO returned from travel.

AP Lesson

Textbook whaling. Effective defense: mandatory callback verification for any financial wire request, regardless of apparent source.

Classic Physical Attack: Baiting via USB Drop Campaign

Penetration testers placed 50 USB drives labeled with variants of “Employee Benefits Update 2025” and “Confidential — HR Only” throughout a healthcare organization. Within 24 hours, 31 of the 50 drives had been plugged in. In two cases, employees brought drives to HR, who plugged them in on HR department computers.

AP Lesson

62% success rate using nothing but curiosity and labeled drives. Defense: organizational policies blocking USB auto-run and training employees to turn in found media without plugging it in.

Check for Understanding: Matching
Q 6 of 10

Match each attack type to the feature that MOST reliably distinguishes it from the others.

Attack Type
  1. Phishing
  2. Pretexting
  3. Quid Pro Quo
  4. Whaling

Distinguishing Feature
  A. Attacker explicitly offers a service first, then requests credentials in return
  B. Untargeted mass distribution with generic greetings sent to thousands
  C. Personalized attack specifically targeting C-suite executives or IT administrators
  D. A fabricated identity and backstory is the primary manipulation mechanism
Correct pairings: Phishing → Untargeted mass distribution (B). Pretexting → Fabricated identity/backstory (D). Quid Pro Quo → Explicit service-for-credentials exchange (A). Whaling → Personalized attack on C-suite/admin (C).

1.1.7 — Defense Strategies

No single control eliminates social engineering risk. Effective defense requires layering technical and human controls.

Technical Controls

  • Email authentication (DMARC / SPF / DKIM) to block domain spoofing
  • Email filtering with attachment sandboxing and link reputation scanning
  • Multi-Factor Authentication (MFA) on all accounts
  • Hardware MFA (FIDO2 keys) — phishing-resistant
  • Caller ID verification and callback protocols for financial transactions
  • Endpoint policies blocking auto-run on removable USB media
  • URL reputation filtering that scans links before they load
  • Browser isolation for high-risk links and attachments

Human Controls

  • Annual security awareness training (mandatory, role-specific)
  • Simulated phishing campaigns with immediate targeted follow-up training
  • Mandatory independent callback verification for any wire transfer request
  • Clear “stop, call, verify” procedures that employees feel empowered to follow
  • Psychological safety culture: no punishment for refusing suspicious requests
  • Separation of duties for high-risk financial approvals (two-person rule)
  • Out-of-band verification: confirm high-stakes requests through a different channel
  • Visible reporting procedures for suspicious contacts
Why MFA Is Not Enough

MFA dramatically reduces risk from credential theft, but it does not eliminate social engineering risk. Attackers defeat common MFA: real-time phishing proxies capture session tokens; MFA fatigue attacks flood users with push notifications; social engineering convinces victims to share codes verbally. Only hardware security keys (FIDO2) are fully phishing-resistant.

The Golden Rule — No Exceptions

No legitimate organization will ever ask for your password via email, phone, or text. Ever. Any request for a password, security code, or one-time passcode from an inbound contact is an automatic red flag requiring immediate independent verification through a known, trusted channel.

Check for Understanding: MCQ
Q 7 of 10

A company deploys SMS-based MFA for all employee accounts. An attacker calls an employee, impersonates IT support, and says: “We are migrating your account — just read me the 6-digit code that was just texted to you.” The employee complies. Which statement BEST evaluates the role of MFA in this outcome?

C is correct. MFA is a technical control that reduces impact when credentials are stolen, but cannot stop a person who is psychologically manipulated into voluntarily sharing the code. D is wrong — app-based TOTP codes are equally vulnerable to a caller asking you to read them aloud; only FIDO2/hardware keys resist this attack.
Defense Classification: Sort
Q 8 of 10

✎ Think: does this defense work by changing software/hardware behavior, or by changing human behavior?

Sort each defense measure into the correct category: Technical Control or Human Control.

Categories: Technical Controls, Human Controls
1. DMARC / SPF / DKIM email authentication to block domain spoofing
2. Mandatory callback verification for all wire transfer requests
3. Simulated phishing campaigns with immediate follow-up training
4. Hardware FIDO2 security keys for phishing-resistant MFA
5. Psychological safety culture: no punishment for refusing suspicious requests
6. Endpoint policies blocking USB auto-run on removable media
Technical: DMARC/SPF/DKIM (#1), FIDO2 keys (#4), USB auto-run blocking (#6) — these change how systems behave. Human: Callback verification (#2), simulated phishing training (#3), psychological safety culture (#5) — these change how people behave. Effective defense layers both types together.

1.1.8 — Worked Examples: Predict First, Then Classify

Use the “predict-first” approach on all scenario questions: before reading the answer choices, form your own classification and identify the key elements of the attack.

Worked Example 1: The Package Delivery Text
Scenario: Maria receives the following text message: “USPS Alert: Your package (Tracking #9400111899222375) could not be delivered. Reschedule delivery: https://usps-redelivery-confirm.net/track — USPS Support.” The URL leads to a page requesting her name, address, and credit card number for a “$3.99 redelivery fee.”
Step 1: Predict Before Looking at Options

Delivery channel is SMS (text message). Attacker impersonates USPS (Authority). Mild urgency (package not delivered). Goal is payment card harvesting. Classification prediction: smishing.

Step 2: Slash the Trash

Phishing? Must be email — eliminate. Vishing? Must be phone call — eliminate. Baiting? Must involve a lure the victim seeks out — eliminate. Quid pro quo? Must involve attacker offering value first — eliminate. This leaves smishing.

Step 3: Identify the Red Flags

  • Channel: SMS text (primary smishing indicator)
  • Domain: usps-redelivery-confirm.net is not usps.com
  • Request: payment card for a “redelivery fee” — USPS does not charge redelivery fees
  • Psychological principles: Authority (USPS impersonation) + urgency (undelivered package)
Classification

Smishing. The delivery channel (SMS) is the defining factor. Correct response: navigate directly to usps.com in a browser. Never follow links in unsolicited text messages.
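The red-flag checks in this worked example, written up as a small Python scorer (an added illustration, not part of the lesson): it pulls the link host out of a message, compares it with the organisation's real domain, tests for lookalike spelling, and looks for urgency and credential-request wording. The trusted-domain map, the keyword lists and the second, benign sample message are constructed assumptions.

```python
"""Red-flag scorer for the checks in the worked example above.

Added illustration, not part of the lesson. Trusted domains, keyword lists,
the sender phone number and the benign sample message are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Digit-for-letter swaps commonly used in lookalike domains
# (illustrative subset, not a full homoglyph table).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Wording that signals Scarcity/Urgency or a credential/payment request.
URGENCY_TERMS = ("alert", "urgent", "immediately", "within", "hours",
                 "permanently", "locked", "suspended", "disabled")
REQUEST_TERMS = ("password", "verification code", "one-time", "credit card",
                 "verify your identity", "credentials")

# Constructed: the real domain of each organisation a message may claim.
TRUSTED_DOMAINS = {"USPS": "usps.com", "PayPal": "paypal.com"}


@dataclass
class Message:
    channel: str      # "sms" or "email"
    sender: str       # phone number or e-mail address
    claimed_org: str  # organisation the message claims to come from
    body: str


@dataclass
class Verdict:
    flags: list = field(default_factory=list)

    @property
    def score(self) -> int:
        return len(self.flags)


def registrable(host: str) -> str:
    """Last two DNS labels, e.g. tools.usps.com -> usps.com.
    Assumes no multi-label public suffixes (co.uk) in the sample data."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def lookalike_of(host: str, org_domain: str) -> bool:
    """True when host imitates org_domain: it matches after undoing
    digit-for-letter swaps (paypa1.com), or it embeds the brand label among
    extra words (usps-redelivery-confirm.net). Heuristic, not exhaustive."""
    d = registrable(host)
    if d == org_domain:
        return False
    brand = org_domain.split(".")[0].replace("-", "")
    normalised = d.translate(HOMOGLYPHS)
    return normalised == org_domain or brand in normalised.replace("-", "")


def analyse(msg: Message, trusted: dict) -> Verdict:
    """Apply the lesson's checks: channel, sender domain, link domain,
    urgency language, request for sensitive data."""
    v = Verdict()
    org_domain = trusted.get(msg.claimed_org)
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.body)

    if msg.channel == "sms" and urls:
        v.flags.append("link delivered by SMS: URLs are truncated on mobile screens")

    if "@" in msg.sender and org_domain:
        sender_domain = msg.sender.rsplit("@", 1)[1]
        if registrable(sender_domain) != org_domain:
            v.flags.append(f"sender domain {sender_domain} is not {org_domain}")
            if lookalike_of(sender_domain, org_domain):
                v.flags.append(f"sender domain {sender_domain} imitates {org_domain}")

    for url in urls:
        host = urlparse(url).hostname or ""
        if org_domain and registrable(host) != org_domain:
            v.flags.append(f"link host {host} is not {org_domain}")
            if lookalike_of(host, org_domain):
                v.flags.append(f"link host {host} imitates {org_domain}")

    low = msg.body.lower()
    urgency = [t for t in URGENCY_TERMS if t in low]
    if urgency:
        v.flags.append("urgency language: " + ", ".join(urgency))
    requests = [t for t in REQUEST_TERMS if t in low]
    if requests:
        v.flags.append("asks for sensitive data: " + ", ".join(requests))
    return v


# Sample 1: the smishing text from the worked example (sender number constructed).
SMISHING_TEXT = Message(
    channel="sms", sender="+15550100199", claimed_org="USPS",
    body="USPS Alert: Your package (Tracking #9400111899222375) could not be "
         "delivered. Reschedule delivery: https://usps-redelivery-confirm.net/track "
         "- USPS Support.")

# Sample 2 (constructed): a legitimate-looking notice that should score zero.
BENIGN_EMAIL = Message(
    channel="email", sender="no-reply@usps.com", claimed_org="USPS",
    body="Your package is scheduled for delivery on Tuesday. Track it at "
         "https://tools.usps.com/go/TrackConfirmAction")

if __name__ == "__main__":
    for sample in (SMISHING_TEXT, BENIGN_EMAIL):
        result = analyse(sample, TRUSTED_DOMAINS)
        print(f"{sample.channel}: {result.score} red flag(s)")
        for flag in result.flags:
            print("  -", flag)
```

The smishing text scores four flags (SMS link, foreign link host, lookalike of usps.com, "Alert" urgency wording) while the benign notice scores none; the brand-substring rule is a heuristic and will need tuning against real mail before any production use.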

Worked Example 2: The Multi-Phase Attack — What is the Primary Classification?
Scenario: James, an IT help desk employee, receives a call from “Alex from the Epic EHR implementation team.” Alex references a login issue James had mentioned in a company-wide IT ticket last week, walks him through steps to “verify his account configuration,” then asks James to read his current network password aloud to “compare it against the directory entry to find the mismatch.”
Step 1: Predict the Classification(s)

Delivery channel: phone call (vishing). Fabricated scenario (pretexting): “Epic EHR implementation team” troubleshooting a real known issue. Attacker offers help first (quid pro quo structure), then asks for the password. Multiple techniques present simultaneously.

Step 2: Identify Every Technique Present

  • Vishing: Attack delivered via phone call
  • Pretexting: Fabricated identity as Epic EHR tech; fabricated “directory mismatch” problem
  • OSINT: Attacker knew about James’s real IT ticket
  • Quid pro quo: Attacker “helps” James first, then requests password
  • Authority: IT implementation team carries authority over help desk staff

Classification & Analysis

Primary: Vishing with pretexting and quid pro quo elements. The fatal flaw: legitimate IT staff never need your password; they already have administrative access. James should refuse, hang up, and call IT back on an internally verified number.

Spot the Red Flags (Interactive)
Question 9 of 10

This email was sent to a school district employee. Click on every element you believe is a red flag indicating a social engineering attack. There are 6 red flags hidden in this email.

From: IT-Security@blueva11ey-k12.org
To: jthompson@bluevalley-k12.org
Subject: URGENT: Mandatory Password Reset — Account Will Be Locked
Date: March 5, 2026 at 4:47 PM

Dear Ms. Thompson,

The Blue Valley School District IT Security team has detected unauthorized access to your account from an IP address in Eastern Europe. As part of our emergency response protocol, all affected accounts must be re-verified within the next 2 hours or your account will be permanently disabled.

Please click the secure link below to verify your identity and reset your password:

Verify My Account Now (link target: https://bluevalley-k12-secure-verify.net/reset)

This reset is mandatory for all district employees. If you have questions, contact the IT Help Desk.

Thank you for helping keep our district secure.

Best regards,
District IT Security Team
Blue Valley Unified School District
Do NOT reply to this email — call our office at (913) 555-0199

The 6 red flags:

  • Spoofed sender domain: “blueva11ey” uses the number 11 instead of “ll” — a classic homoglyph attack.
  • URGENT subject line: Creates artificial urgency and fear of account lockout (Scarcity principle).
  • Vague threat: “Unauthorized access from Eastern Europe” is designed to trigger fear without verifiable details.
  • Artificial deadline: “2 hours or permanently disabled” pressures fast action without verification (Urgency principle).
  • Suspicious link: “bluevalley-k12-secure-verify.net” is NOT the real district domain — legitimate resets would use the actual district portal.
  • “Do NOT reply / call this number”: Directs victims to attacker-controlled contact while blocking them from reaching real IT staff.
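The sender-domain, link-domain, urgency and “call this number” checks from the list above, written out as a small analyzer. This is an added example for this lesson, not code from the course or the district; the email text, the confusable-character map and the urgency word list are constructed assumptions, and the district domain is taken from the sample email.

```python
import re
from urllib.parse import urlparse
# Constructed sample modelled on the lesson's "Spot the Red Flags" email (not a real message).
SAMPLE_EMAIL = """From: IT-Security@blueva11ey-k12.org
To: jthompson@bluevalley-k12.org
Subject: URGENT: Mandatory Password Reset - Account Will Be Locked

Dear Ms. Thompson,
All affected accounts must be re-verified within the next 2 hours or your account will be permanently disabled.
Please click the secure link below to verify your identity:
https://bluevalley-k12-secure-verify.net/reset
Do NOT reply to this email - call our office at (913) 555-0199
"""
# Minimal digit-for-letter look-alike map (assumption: enough for the swaps this lesson shows).
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})
URGENCY_TERMS = ("urgent", "within the next", "permanently disabled", "locked", "immediately")

def skeleton(domain: str) -> str:
    """Collapse look-alike characters so blueva11ey-k12.org and bluevalley-k12.org agree."""
    return domain.lower().translate(CONFUSABLES)

def belongs_to(host: str, org_domain: str) -> bool:
    """True only for the organisation's own domain or a genuine subdomain of it."""
    host = host.lower()
    return host == org_domain or host.endswith("." + org_domain)

def analyze_email(raw: str, org_domain: str) -> list[str]:
    """Return the red flags found in a raw email; an empty list means none were found."""
    flags = []
    headers, _, body = raw.partition("\n\n")
    hdr = dict(line.split(": ", 1) for line in headers.splitlines() if ": " in line)
    sender_domain = hdr.get("From", "").rsplit("@", 1)[-1].lower()
    # 1. Sender domain: same skeleton as the org domain but spelled differently is a homoglyph spoof.
    if not belongs_to(sender_domain, org_domain):
        kind = "homoglyph" if skeleton(sender_domain) == skeleton(org_domain) else "external"
        flags.append(f"{kind} sender domain: {sender_domain}")
    # 2. Every link must point at the organisation's own domain, not a look-alike .net.
    for url in re.findall(r"https?://[^\s'\"<>]+", body):
        host = urlparse(url).hostname or ""
        if not belongs_to(host, org_domain):
            flags.append(f"link host not under {org_domain}: {host}")
    # 3. Urgency / scarcity wording in the subject line or body.
    text = (hdr.get("Subject", "") + "\n" + body).lower()
    hits = [t for t in URGENCY_TERMS if t in text]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))
    # 4. "Do not reply, call this number": steers the reader to an attacker-supplied contact.
    if re.search(r"do not reply.*?\(?\d{3}\)?[ -]?\d{3}-\d{4}", body, re.I | re.S):
        flags.append("redirects contact to a phone number supplied in the message")
    return flags
```

Run `analyze_email(SAMPLE_EMAIL, "bluevalley-k12.org")` to see the four machine-detectable flags; the vague threat and artificial deadline remain judgement calls that a keyword list only approximates.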

1.1.9 — AP Exam Strategy: Social Engineering Questions

Tip 1

Predict the Answer Before Reading Options

Read the scenario fully, then form your own classification before looking at answer choices. Write it down mentally: “This is smishing because the channel is SMS.” This anchors your thinking and prevents convincing wrong answers from swaying you.

Tip 2

Slash the Trash: Eliminate by Channel First

Phone call → vishing. Text message → smishing. Email (generic) → phishing. Email (personalized) → spear phishing or whaling. Use the channel to immediately eliminate two or three wrong answers. Channel is always your first filter.

Tip 3

Highlight Keywords — NOT / EXCEPT / ALWAYS

Underline or mentally flag: NOT, EXCEPT, ALWAYS, NEVER, LEAST, MOST. Also watch “best describes,” “most accurately,” and “primarily” — these signal that some options may be partially correct but one is more correct than the others.

Tip 4

Know the Classification Hierarchy

The exam will give you a scenario with a high-privilege target and test whether you call it whaling or spear phishing. Know the hierarchy: Phishing → Spear Phishing (add: personalization) → Whaling (add: C-suite/admin target).

Tip 5

Multi-Technique Scenarios: Primary Classification

When a scenario involves both vishing and pretexting, the primary classification is usually the delivery mechanism unless the question specifically asks about the psychological technique or targeting approach.

Tip 6

Defense Questions: Technical vs. Human Controls

Technical controls reduce the impact of a successful attack but cannot stop a person from making a bad decision. Questions asking for the “most effective defense against social engineering” should be answered with layered controls — both technical and human.

High-Frequency AP Cyber Scenario Patterns

Expect scenario questions that:

  • present an email with personalized details — spear phishing vs. whaling depends on the target’s role;
  • describe an attacker calling and offering help, then requesting credentials — quid pro quo + vishing + pretexting;
  • describe a found USB drive being plugged in — baiting;
  • ask which defense would have prevented a specific attack — layer technical and human controls;
  • present a CEO wire fraud scenario — whaling + BEC; the defense is callback verification + separation of duties.

1.1.10 — Frequently Asked Questions

  • What is the difference between phishing and spear phishing?

    Phishing is a mass, untargeted attack where one fraudulent email is sent to thousands of recipients simultaneously. Spear phishing is targeted and personalized — the attacker researches the specific victim using OSINT and customizes the message with real details like the victim’s name, employer, colleagues, or recent projects. If the email says “Dear Customer,” it’s phishing. If it uses your actual name and your boss’s name, it’s spear phishing.

  • What is the difference between vishing and smishing?

    Vishing (voice phishing) is delivered via a phone call. Smishing (SMS phishing) is delivered via text message. The delivery channel is the only distinguishing factor: a phone call means vishing, a text message means smishing. On the AP Cybersecurity exam, always identify the channel first when classifying these attacks.

  • What is pretexting in cybersecurity?

    Pretexting is the creation of a fabricated, believable backstory that makes an otherwise suspicious request appear legitimate. An attacker posing as IT support who claims your account was compromised is using pretexting — the fake scenario provides context that justifies requesting your password. Pretexting is often a component inside other attack types rather than a standalone technique.

  • What is the difference between baiting and quid pro quo in cybersecurity?

    In baiting, the attacker leaves an enticing lure and the victim initiates contact by picking it up out of curiosity. In quid pro quo, the attacker contacts the victim first, offers something of value, and then explicitly requests credentials in exchange. Baiting exploits curiosity and requires no direct attacker contact. Quid pro quo exploits reciprocity and requires the attacker to initiate an exchange.

  • How does social engineering appear on the AP Cybersecurity exam?

    AP Cybersecurity exam questions typically present a realistic attack scenario and ask you to classify the attack type, identify the psychological principles being exploited, or select the most effective defense. Identify the delivery channel first, then check for personalization, then check the target’s authority level. Always predict your own classification before reading answer choices.

End of Lesson — Cumulative, Integrative
Question 10 of 10
An attacker calls an executive assistant named Paula and says: “Hi Paula, this is James from IT Security. We have detected that your CEO’s laptop is actively being exfiltrated — incident reference ICR-4471. I need you to have him approve an emergency credential reset right now or we will have to lock the entire executive suite out of the network. Can you hand him the phone?” Paula transfers the call. The attacker then tells the CEO his credentials need to be verbally confirmed to cancel the lockout. The CEO complies.

Which of the following MOST completely and accurately describes all attack elements present in this scenario?

C is correct. The delivery channel is a voice phone call (vishing). The fabricated incident reference, fake IT identity, and invented exfiltration emergency constitute pretexting. The ultimate target is the CEO — a high-privilege executive — making this whaling. B is a strong distractor but quid pro quo requires the attacker to offer a service as the primary mechanism; here the primary mechanism is fear and authority. D is wrong: pretexting is a technique inside other attack types, not a classification that subsumes them.
Tanner Crow
AP Computer Science Teacher — Blue Valley North High School

Tanner has taught AP Computer Science for 11+ years and built APCSExamPrep.com to give every student access to the same resources his own students use. He holds 1,845+ verified tutoring hours on Wyzant with a 5.0 rating from 451+ reviews. His AP CSA students score 5s at more than double the national average (54.5% vs. 25.5% nationally).

Content last reviewed and updated: March 2026
