| 🏠 Back to Exam Syllabus | 📺 RooCloud on YouTube | 🌐 RooCloud Practice Exams |
CISSP 2.3 - Social Engineering (Part 2 of 3)
This episode of the ISC2 Certified Information Systems Security Professional (CISSP) exam prep series continues the social engineering coverage in Domain 1, cataloging the specific attack forms that ride on human trust — the phishing variants that follow people onto phones and voice calls, the targeted cons aimed at executives, and the low-tech tricks that steal information in person.
What this episode covers
- Smishing — phishing over text messaging, from fraudulent-charge replies to scam links and costly toll numbers.
- Vishing — phishing over telephone or voice systems, with spoofed caller identification that fakes a local number.
- Spear phishing — aimed at a specific group rather than scattered, often built on a stolen customer database.
- Business email compromise (BEC) — executive impersonation pressuring finance staff, countered by out-of-band confirmation.
- Whaling — heavily researched spear phishing against chief executives, senior leaders, and high-net-worth clients.
- Spam — a delivery vehicle for malware and hoaxes, countered by filters and sender authentication.
- Shoulder surfing — watching screens and keyboards, defeated with physical layout, masking, and privacy filters.
- Invoice scams, hoaxes, and impersonation — abusing routine trust in documents, warnings, and identities.
Watch the full episode above for the worked examples and detailed explanations of each concept.
Frequently Asked Questions
How does phishing move onto text messages?
Through smishing, which is phishing carried out over text messaging services. A smishing message might ask for a reply that triggers a fraudulent charge on your mobile plan, include a link to a scam site, or list a phone number that looks local but is actually a costly long-distance toll. Research any unexpected number before calling, and treat unsolicited texts with the same suspicion you give email.
How does phishing move onto voice calls?
Through vishing, which is phishing over any telephone or voice system, usually run over internet calling. That lets attackers operate from anywhere, call for free, and spoof their caller identification, often duplicating your area code and prefix so the call looks like a neighbor. Always assume caller identification is unreliable and verify through a number you already trust.
What is business email compromise?
Business email compromise is a form of spear phishing in which the message appears to come from a chief executive or senior leader, usually pressuring finance or accounting staff to transfer funds or pay an invoice. Watch for requests to pay via prepaid gift cards, last-minute changes to wiring details, or rushed, atypical purchases. The critical defense is out-of-band confirmation, verifying through a different channel than the one the request arrived on.
What is whaling?
Whaling is spear phishing aimed at the biggest targets, such as chief executives, other senior leaders, or high-net-worth clients. These attacks demand far more research and planning, because such people usually know they are prime targets and stay alert. The lesson is that no one is too senior to be targeted, and the most privileged accounts deserve the most scrutiny.
What is shoulder surfing?
Shoulder surfing happens when someone views your screen or keyboard to capture sensitive information. Defenses are largely physical: separate work areas by sensitivity, use locked doors, and avoid orienting displays toward windows or busy walkways. Password fields should mask characters, and screen privacy filters narrow the viewing angle so only the person directly in front can read the display.
📚 Master the ISC2 CISSP Exam!
Ready to test your knowledge? Access chapter-specific Multiple Choice Questions (MCQs) and full-length practice exams for the ISC2 CISSP certification at RooCloud.com. Solve the chapter-wise questions to reinforce this lesson before moving to the next episode.
Reference: This article is based on concepts discussed in CISSP 2.3 - Social Engineering (Part 2 of 3).