Phishing techniques — SY0-701
Learn phishing technique sub-types for CompTIA Security+ SY0-701: definitions, channel distinctions, and the phishing vs. reconnaissance exam trap.
WHAT IT IS
Phishing is a social engineering technique in which an adversary masquerades as a legitimate entity to trick a target into revealing confidential information or taking an action that grants the adversary access. NIST defines phishing as "an attack in which the subscriber is lured (usually through an email) to interact with a counterfeit verifier or relying party and tricked into revealing information that can be used to masquerade as that subscriber to the real verifier or relying party." CAPEC frames the same attack as one where the attacker "masquerades as a legitimate entity with which the victim might do business in order to prompt the user to reveal some confidential information."
MITRE ATT&CK classifies phishing (T1566) as an Initial Access technique: its goal is entry into a victim system or environment, not just data collection.
Mental model
Think of phishing as a spectrum with two axes: delivery channel and target scope.
- Delivery channel determines the sub-technique: email attachment, email link, third-party service, or voice call.
- Target scope determines specificity: mass campaigns aim at anyone; spear phishing is "electronically delivered social engineering targeted at a specific individual, company, or industry" (MITRE ATT&CK T1566.001).
Every sub-technique is still electronically delivered social engineering. The channel and scope change; the social engineering core does not.
When to use it
The exam tests whether candidates can distinguish phishing sub-techniques from each other and from the related-but-separate "phishing for information" reconnaissance technique. Use this table to anchor those distinctions.
| Technique | ATT&CK ID | Primary channel | What the adversary delivers | Tactic |
|---|---|---|---|---|
| Spearphishing Attachment | T1566.001 | Email | Malicious file (Office doc, PDF, executable, archive) attached to the message | Initial Access |
| Spearphishing Link | T1566.002 | Email | URL leading to a malware download or a credential-harvesting page | Initial Access |
| Spearphishing via Service | T1566.003 | Social media, personal webmail, messaging apps | Malicious link or attachment through non-enterprise channels | Initial Access |
| Spearphishing Voice | T1566.004 | Phone/voice | Social engineering directing victim to download malware or divulge MFA credentials | Initial Access |
| Phishing for Information | T1598 | Any channel | Message designed to elicit sensitive information (reconnaissance) | Reconnaissance |
| Whaling | — (a targeting scope, not an ATT&CK technique) | Typically email | Targeted phishing aimed at "high-ranking members of organizations" | Initial Access, via whichever T1566 sub-technique matches the delivery |
Key column to notice: T1566 sub-techniques are all Initial Access. T1598 (Phishing for Information) is Reconnaissance. These are separate techniques with different objectives.
COMMON MISCONCEPTION
The most common conceptual error is treating phishing and phishing for information as the same thing. They share delivery mechanics but have different goals.
- T1566 Phishing — adversary wants to gain access: deploy malware, execute code, or harvest tokens for account takeover. MITRE explicitly categorizes this under Initial Access.
- T1598 Phishing for Information — adversary wants to "elicit sensitive information that can be used during targeting." MITRE categorizes this under Reconnaissance.
A credential-harvesting page that produces a token used immediately to log in is Initial Access behavior. A message designed purely to get a victim to reply with answers to security questions is Reconnaissance. The delivery method may look identical; the adversary's objective determines the classification.
A second misconception: "spear phishing" is always a fundamentally different attack from "phishing." NIST defines spear phishing as "a colloquial term that can be used to describe any highly targeted phishing attack." CAPEC describes it as "an enhanced version of the phishing attack targeted to a specific user or group." Targeting scope is a property of how a phishing campaign is executed, not a separate attack category.
How it shows up on the exam
The cognitive target for this concept is differentiation: given a scenario describing an attack, identify the correct sub-technique or distinguish phishing from an adjacent concept.
Signal phrases to watch for in scenario stems:
- "received an email with a PDF attached" — points toward Spearphishing Attachment (T1566.001), where malware is "attached to an email"
- "clicked a link in an email that redirected to a login page" — points toward Spearphishing Link (T1566.002), which uses "malicious link" delivery and can involve credential-harvesting pages
- "received a message on a social media platform or personal webmail containing a file" — points toward Spearphishing via Service (T1566.003), which uses "social media services, personal webmail, and other non-enterprise controlled services"
- "received a phone call from someone claiming to be IT support" — points toward Spearphishing Voice (T1566.004), which involves "phone calls or other voice communications"
- "email asking the target to reply with their current password" — may point toward Phishing for Information (T1598), where the goal is eliciting information rather than delivering a payload
Candidates often confuse whaling with spear phishing. Whaling is not a separate ATT&CK technique; it describes a targeting decision. NIST defines whaling as "a specific kind of phishing that targets high-ranking members of organizations." On a scenario question, the organizational role of the target signals whaling; the delivery mechanism still maps to the relevant T1566 sub-technique.
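The decision order described above (objective first, then channel, then payload, with whaling recorded as a targeting tag rather than a technique) is the same logic a SOC uses when tagging a reported phish with an ATT&CK ID. The following is an added example, not code from the exam blueprint or from MITRE; the `PhishingEvent` fields, the `HIGH_RANKING_ROLES` set and the sample events are constructed here for illustration. It covers both the phishing vs. phishing-for-information trap from the misconception section and the signal phrases listed above.

```python
"""Map an observed phishing event to the ATT&CK technique this page distinguishes.

Added example for illustration only. The record fields (objective, channel,
payload, target_role), the role list and the sample events are constructed
here and are not taken from MITRE ATT&CK or the SY0-701 objectives.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class PhishingEvent:
    # What the adversary is after: "access" (malware, code execution, a session
    # token or credential used to log in) or "information" (answers that feed
    # later targeting, such as security-question responses).
    objective: str
    # Delivery channel: "email", "service" (social media, personal webmail,
    # messaging apps) or "voice".
    channel: str
    # What arrived over that channel: "attachment", "link" or "none".
    payload: str
    # Organisational role of the target; only used to decide the whaling tag.
    target_role: Optional[str] = None


# Constructed list of roles treated as "high-ranking" for the whaling tag.
HIGH_RANKING_ROLES = {"ceo", "cfo", "coo", "cto", "ciso", "board member"}


def classify(event: PhishingEvent) -> dict:
    """Return technique ID, name, tactic and targeting tags for one event.

    Objective is checked before channel or payload: T1598 and T1566 can share
    identical delivery mechanics, so the adversary's goal decides the tactic.
    """
    tags = []
    if event.target_role and event.target_role.lower() in HIGH_RANKING_ROLES:
        # Whaling describes who was targeted; the technique still comes from
        # the delivery mechanism resolved below.
        tags.append("whaling")

    if event.objective == "information":
        return {"technique": "T1598", "name": "Phishing for Information",
                "tactic": "Reconnaissance", "tags": tags}
    if event.objective != "access":
        raise ValueError(f"unknown objective: {event.objective!r}")

    # Initial Access: channel distinguishes .003 and .004, payload then
    # separates the two email sub-techniques.
    if event.channel == "voice":
        tid, name = "T1566.004", "Spearphishing Voice"
    elif event.channel == "service":
        tid, name = "T1566.003", "Spearphishing via Service"
    elif event.channel == "email":
        if event.payload == "attachment":
            tid, name = "T1566.001", "Spearphishing Attachment"
        elif event.payload == "link":
            tid, name = "T1566.002", "Spearphishing Link"
        else:
            raise ValueError("email phishing for access needs an attachment or link")
    else:
        raise ValueError(f"unknown channel: {event.channel!r}")
    return {"technique": tid, "name": name, "tactic": "Initial Access", "tags": tags}


# Constructed sample events, one per signal phrase on this page, plus two that
# differ only in objective to show the T1566 vs. T1598 trap.
SAMPLE_EVENTS = {
    "pdf_attached": PhishingEvent("access", "email", "attachment"),
    "link_to_login_page": PhishingEvent("access", "email", "link"),
    "file_over_social_media": PhishingEvent("access", "service", "attachment"),
    "it_support_call": PhishingEvent("access", "voice", "none"),
    "reply_with_security_answers": PhishingEvent("information", "email", "none"),
    "same_link_recon": PhishingEvent("information", "email", "link"),
    "cfo_invoice_link": PhishingEvent("access", "email", "link", target_role="CFO"),
}


def classify_all() -> dict:
    """Classify every sample event; used by the demo below and by tests."""
    return {label: classify(ev) for label, ev in SAMPLE_EVENTS.items()}


if __name__ == "__main__":
    for label, result in classify_all().items():
        print(f"{label:28} {result['technique']:10} {result['tactic']:15} {result['tags']}")
```

Note that `link_to_login_page` and `same_link_recon` have identical channel and payload and still land in different tactics; only the `objective` field separates them, which is exactly the distinction the exam scenario stems probe.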
Related concepts
- Threat vectors
- Message-based vectors
- Network attack vectors
Sources
Every claim on this page traces to the public exam blueprint and official documentation: