Message-based attack vectors — SY0-701
CompTIA Security+ SY0-701 reference: message-based attack vectors — phishing, spear phishing, smishing, vishing, and spam defined and compared.
WHAT IT IS
Message-based attack vectors are the channels through which adversaries deliver socially engineered messages to deceive recipients into revealing information, granting access, or executing malicious content. NIST defines social engineering as "the act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust." The messages themselves — email, SMS, voice call, or messages through third-party services — are the delivery medium, not the payload; the deception is the mechanism.
The foundational form is phishing. NIST defines phishing as "an attack in which the subscriber is lured (usually through an email) to interact with a counterfeit verifier or relying party and tricked into revealing information that can be used to masquerade as that subscriber." CAPEC (CAPEC-98) characterizes it more broadly as "a social engineering technique where an attacker masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information."
Mental model
Think of message-based vectors as a targeting dial. At one end is spam — "the abuse of electronic messaging systems to indiscriminately send unsolicited bulk messages" (NIST SP 800-53 Rev. 5). At the other end is spear phishing — what NIST calls "any highly targeted phishing attack" and CAPEC-163 describes as an attack "tailored to a category of users in order to have maximum relevance and deceptive capability." The medium (email, SMS, voice, third-party service) is a separate axis.
The targeting dial and the channel dial together define every variant the exam tests:
| Variant | Channel | Targeting |
|---|---|---|
| Phishing | Email (usually) | Broad / untargeted |
| Spear phishing | Any channel (usually email) | Specific individual or group |
| Smishing (Mobile Phishing, CAPEC-164) | SMS / text message | Broad or targeted |
| Vishing (Voice Phishing, CAPEC-656) | Telephone / VoIP | Broad or targeted |
| Spearphishing via Service (ATT&CK T1566.003) | Social media, personal webmail, messaging apps | Targeted |
When to use it
Use this distinction when a question gives you a message scenario and asks you to classify the attack vector.
| If the message arrives via... | And targets... | The vector is... |
|---|---|---|
| Email | Anyone indiscriminately | Phishing |
| Email | A named individual or specific organization | Spear phishing |
| SMS / text | Any recipient | Smishing |
| Phone call or VoIP | Any recipient | Vishing |
| Social media, Teams, WhatsApp, personal webmail | Specific individual | Spearphishing via Service |
The channel tells you phishing vs. smishing vs. vishing. The targeting tells you phishing vs. spear phishing. These are independent decisions.
COMMON MISCONCEPTION
The exam trap: equating "phishing" with "email" and treating a phone-based lure as a separate category that is not phishing at all.
ATT&CK classifies voice-based social engineering as Spearphishing Voice (T1566.004) — it is a sub-technique of Phishing (T1566), not a wholly separate concept. Vishing and smishing are both phishing variants distinguished by channel. CAPEC-656 explicitly names Voice Phishing / Vishing as a phishing pattern; CAPEC-164 names Mobile Phishing / Smishing as one too.
The second trap is conflating spam with phishing. Spam (NIST: "indiscriminately send unsolicited bulk messages") is about volume and lack of consent, not necessarily about deception or credential theft. Phishing is about social engineering to obtain information or access. A spam campaign can carry a phishing payload, but spam itself is not phishing.
A third trap: assuming spear phishing always uses email. ATT&CK T1566.003 (Spearphishing via Service) documents adversaries using "social media services, personal webmail, and other non-enterprise controlled services" — channels that bypass organizational email security — as targeted phishing delivery mechanisms. The "spear" prefix signals targeting precision, not a specific channel.
How it shows up on the exam
The cognitive target is classification: given a scenario describing a message-based attack, candidates must select the correct term. Questions will describe the channel and the targeting and expect you to map them to the right label.
Signal phrases to watch for:
- "an email" with generic or unknown recipients — phishing
- "personalized," "included the victim's name/job/employer," or "tailored" — spear phishing (CAPEC-163 emphasizes knowledge of "targets employment, residence, interests")
- "text message" or "SMS" — smishing (CAPEC-164: "initiated via a text or SMS message")
- "phone call," "called the victim," "impersonated IT support by phone" — vishing (CAPEC-656: "initiates contact via telephone")
- "social media," "LinkedIn message," "Teams or Slack message" — consider Spearphishing via Service (ATT&CK T1566.003)
- "malicious link in an email" — Spearphishing Link (T1566.002); "malicious attachment" — Spearphishing Attachment (T1566.001) — when the question names the payload mechanism inside an email
Candidates often confuse the direction of information flow: phishing extracts information from the victim to the attacker, while spam pushes unwanted content toward the victim. When the scenario describes credential theft or deception, the vector is phishing-family, not spam.
Related concepts
- Threat Vectors
- Network Attack Vectors
- Supply Chain Vector
Sources
Every claim on this page traces to the public exam blueprint and official documentation: