Chapter 4 – Phishing & Social Engineering¶
Modern attackers don’t always hack code – they hack people. This chapter helps you recognise deceptive messages, fake login pages, and manipulative tactics designed to trick you into giving away credentials or access.
Humans are the weakest link
Most breaches begin with a successful phishing email or social-engineering phone call.
4.1 What Is Phishing?¶
Phishing is a scam where attackers send fake messages (usually emails or texts) that:
- Appear to come from a trusted source
- Urge you to click a link, download a file, or enter credentials
- Create urgency or fear (e.g., “Your account will be deleted!”)
Urgency = red flag
The more pressure a message applies, the more suspicious you should be.
4.2 Common Forms of Phishing¶
| Type | Description | Example |
|---|---|---|
| Email phishing | Mass emails with malicious links | "Verify your PayPal account" |
| Spear phishing | Targeted, personalised email | "Hi John, here's that invoice…" |
| Smishing | Phishing via SMS | "Your DHL package is waiting" |
| Vishing | Voice-based social engineering | "This is your bank, confirm details" |
4.3 Red Flags to Watch For¶
- Misspelled or look-alike sender addresses
- Urgent / threatening language
- Requests for passwords, PINs, or 2FA codes
- Generic greetings ("Dear Customer")
- Unexpected attachments or shortened links
Hover before you click
Always preview the full URL – is the domain really the one you trust?
4.4 What Is Social Engineering?¶
Social engineering manipulates people into revealing information or performing actions.
Typical tactics:
- Pretending to be IT support, HR, or a delivery service
- Exploiting fear or authority (“Your system is compromised…”)
- Building rapport over time (pretexting)
4.5 Example Attack Scenario¶
Scenario: A call from “Microsoft Support” claims your PC is infected. They ask you to install a remote-access tool. Once you comply, they steal passwords and demand payment.
Reality: Microsoft or Apple will never call you unsolicited – it’s a scam.
When in doubt, hang up
Legitimate companies don’t pressure you to install software or share passwords over the phone.
4.6 How to Respond to Suspicious Messages¶
- Don’t click unexpected links or attachments
- Verify independently – visit the official site or call the real number
- Report phishing via your mail provider (Gmail, Outlook, etc.)
- Delete confirmed phishing messages
4.7 Self-Check: Are You Phish-Proof?¶
- I can spot phishing red flags in an email
- I hover over links before clicking
- I pause before acting on urgent or unusual requests
Trust your gut
If something feels off, it probably is. Slow down and verify before you click.