Security Program Management and Oversight · SY0-701 · Task 5.6

Phishing campaigns and reporting — SY0-701

Master phishing campaigns and reporting for CompTIA Security+ SY0-701: definitions, variants, the reporting chain, and the trap the exam sets.

WHAT IT IS

Phishing is a technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person (NIST CNSSI 4009-2015). It is a form of social engineering — specifically, an attempt to trick someone into revealing information that can be used to attack systems or networks (NIST CNSSI 4009-2015).

A phishing campaign is an organised series of such fraudulent solicitations, often launched against many targets at once. Reporting is the act of a user or system surfacing a suspected phishing attempt to the appropriate security team so the organisation can contain it, correlate it with other signals, and close the attack path.

Mental model

Think of phishing as the attacker's opening move in a deception chain. The attacker crafts a message that impersonates a trusted entity, a user responds by revealing credentials or clicking a link, and the attacker exploits what was obtained. Reporting breaks that chain at the user step: instead of completing the attacker's intended action, the user escalates the message so the security team can treat it as an incident — an occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or that constitutes a violation or imminent threat of violation of security policies (NIST FIPS 200).

The campaign lifecycle therefore has two parallel paths:

  1. Attacker path: craft lure → deliver → deceive → exploit
  2. Defender path: recognise lure → report → contain → remediate

User reporting is the earliest point the organisation can intervene on the defender path.

When to use it

Exam questions frequently test whether candidates can match a described attack to the correct phishing variant. The NIST glossary provides grounded distinctions:

  • Phishing
      NIST-grounded scope: Broad fraudulent solicitation masquerading as a legitimate business or reputable person (CNSSI 4009-2015)
      Key signal in a scenario: Mass email campaign; generic lure
  • Spear phishing
      NIST-grounded scope: Any highly targeted phishing attack (CNSSI 4009-2015)
      Key signal in a scenario: Personalised details; named individual or team
  • Whaling
      NIST-grounded scope: A specific kind of phishing that targets high-ranking members of organisations (CNSSI 4009-2015)
      Key signal in a scenario: Target is a senior executive or officer

All three are sub-types of social engineering. The reporting obligation applies equally regardless of variant: any suspected phishing message should be escalated so the security function can determine whether an incident has occurred.

COMMON MISCONCEPTION

The trap: candidates assume that a user who did not click the link or enter credentials has nothing to report. This inverts the purpose of reporting.

Reporting a phishing message is valuable even when the user took no harmful action. The security team needs the message itself — headers, payload, sender domain, embedded URLs — to determine whether other users did interact with it, to identify command-and-control infrastructure, and to update filters. An incident is defined as an occurrence that potentially jeopardizes confidentiality, integrity, or availability (NIST FIPS 200) — a delivered phishing message satisfies "potentially" before any credential is entered.
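As an added illustration (not part of the original page or CutScore's material), the Python below shows what a security team actually does with a reported message even when nobody clicked: it pulls the sender and Reply-To domains and embedded URLs from the reported email, then checks a mail-gateway log to find every other recipient of the same lure and builds a filter block list. The message, log lines and all domains are constructed samples on reserved .test names.

```python
import email
import re
from email import policy

# Constructed sample of a user-reported message (not a real campaign).
REPORTED_EML = """\
From: "IT Helpdesk" <helpdesk@example-corp-support.test>
Reply-To: reset@attacker-mailbox.test
To: alice@example-corp.test
Subject: Password expires today
Content-Type: text/plain

Your password expires in 2 hours. Reset here: http://login-example-corp.test/reset
"""

# Constructed mail-gateway log: who else received the same lure?
GATEWAY_LOG = [
    "2024-05-01T08:01Z from=helpdesk@example-corp-support.test to=alice@example-corp.test subject='Password expires today'",
    "2024-05-01T08:01Z from=helpdesk@example-corp-support.test to=bob@example-corp.test subject='Password expires today'",
    "2024-05-01T08:02Z from=newsletter@vendor.test to=carol@example-corp.test subject='May update'",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def triage(raw_eml, gateway_log):
    """Extract the indicators the security team needs from a reported message
    and correlate them against the gateway log to find other recipients."""
    msg = email.message_from_string(raw_eml, policy=policy.default)
    sender = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    reply_to = msg["Reply-To"].addresses[0].addr_spec if msg["Reply-To"] else ""
    body = msg.get_body(preferencelist=("plain",)).get_content()
    urls = URL_RE.findall(body)
    sender_domain = sender.split("@")[-1].lower()
    reply_domain = reply_to.split("@")[-1].lower()

    # Every delivery from the same sender is a potential victim to follow up on.
    other_recipients = []
    for line in gateway_log:
        if f"from={sender}" in line:
            match = re.search(r"to=(\S+)", line)
            if match:
                other_recipients.append(match.group(1))

    return {
        "sender_domain": sender_domain,
        # A Reply-To on a different domain than From is a classic lure signal.
        "reply_to_mismatch": bool(reply_to) and reply_domain != sender_domain,
        "urls": urls,
        "other_recipients": sorted(other_recipients),
        # Domains to push to the mail/web filters after analysis.
        "block_domains": sorted({sender_domain, reply_domain} | {u.split("/")[2] for u in urls}),
    }
```

The returned "other_recipients" list is what turns one user's report into a scoped incident: each of those mailboxes can now be checked for clicks or credential entry.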

A related trap conflates awareness with training. NIST SP 800-50 is explicit: awareness is not training. The purpose of awareness presentations is to focus attention on security and allow individuals to recognise concerns and respond accordingly. Recognising a phishing lure and knowing to report it is an awareness outcome. Knowing how your organisation's ticketing or email-abuse workflow functions is a training outcome. Both matter, but they are distinct and exam scenarios may ask which intervention addresses which gap.

How it shows up on the exam

Questions in this area tend to target application and analysis cognitive levels — reading a scenario and selecting the correct label for the attack, or choosing the most appropriate immediate action for an affected user.

Signal phrases that suggest this concept is in play:

  • A described email impersonates a known vendor, bank, or internal system → phishing
  • The email is addressed by name and references the recipient's role, project, or recent activity → spear phishing
  • The target is described as a C-suite executive or board member → whaling
  • A user asks whether to forward a suspicious message → the answer involves reporting to the security team, not simply deleting it
  • A question asks what a security awareness program should teach users to do when they receive a suspicious message → report it

Candidates often conflate the attacker technique (social engineering via fraudulent solicitation) with the organisational control (the reporting mechanism). The technique is the threat; the reporting process is the countermeasure. Exam distractors may offer "delete the message" as the user's best action — this eliminates evidence and prevents incident analysis, which is why reporting is the preferred response within a security program.

Related concepts

  • Security Awareness Training — the program that teaches users to recognise phishing lures and know where to report them; complements campaign simulation
  • Insider Threat Awareness — phishing that succeeds may produce a compromised insider; awareness of both vectors is part of the same security culture program
  • Security Governance — the policy and oversight layer that mandates phishing simulations, defines reporting procedures, and tracks metrics across the security program

Sources

Every claim on this page traces to the public exam blueprint and official documentation:
