Social engineering — SY0-701
Master the Security+ SY0-701 concept of social engineering: what it is, how it works, and the exam traps around it — grounded in NIST, MITRE ATT&CK, and CAPEC.
WHAT IT IS
Social engineering is the act of deceiving an individual into revealing sensitive information, obtaining unauthorized access, or committing fraud by associating with the individual to gain confidence and trust. (NIST SP 1800-21B / NIST SP 800-63-4)
An earlier NIST formulation captures the narrower framing: "An attempt to trick someone into revealing information (e.g., a password) that can be used to attack systems or networks." (CNSSI 4009-2015 / NIST SP 800-82r3)
CAPEC characterizes social engineering as a category of attack patterns focusing on "the manipulation and exploitation of people," with techniques that convince targets to perform actions or disclose confidential information benefiting the adversary. In most cases, the adversary never comes face-to-face with the victim. (CAPEC-403)
Mental model
Think of the attacker as a confidence artist, not a code writer. Every social engineering move has the same skeleton: establish trust, exploit that trust, extract value. The technical controls — firewalls, patch management, encryption — are irrelevant once a person has been convinced to hand over credentials or click a link. The human is the attack surface.
CAPEC frames the root mechanism as "exploiting inherent human psychological predisposition to influence a targeted individual or group." (CAPEC-416) The adversary does not break a system; the adversary persuades someone to open a door that was locked.
When to use it
The exam regularly tests whether candidates can distinguish social engineering from adjacent concepts. The key boundary question is: is the mechanism human manipulation, or is it a technical exploit?
| Scenario | Is it social engineering? | Why |
|---|---|---|
| Attacker sends an email posing as IT, asks user to reset password on a fake site | Yes | Uses deception to manipulate a person; the human is the vector (CAPEC-403) |
| Attacker sends an email with a malicious PDF attachment that auto-executes shellcode | Social engineering delivery, technical payload | MITRE ATT&CK classifies phishing (T1566) as "electronically delivered social engineering" but the access technique is code execution |
| Attacker phones an employee, poses as a vendor, and asks for VPN credentials | Yes | Voice-based manipulation — MITRE T1598.004 (Spearphishing Voice) uses "social engineering techniques" via voice calls |
| Attacker exploits an unpatched buffer overflow in a web server | No | Pure technical exploitation; no human deception involved |
| Attacker creates a fabricated scenario (false identity, invented role) to build trust before extracting information | Yes | CAPEC-407 (Pretexting): "an adversary creating an invented scenario and assuming a false identity to manipulate targets" |
MITRE ATT&CK draws a precise boundary between two phishing-family techniques that the exam may test:
- T1566 (Phishing) — the objective is gaining initial access (executing malicious code or directing the victim to a malicious site)
- T1598 (Phishing for Information) — "the objective is gathering data from the victim rather than executing malicious code"
Both use social engineering as the manipulation mechanism; they differ in attacker goal.
COMMON MISCONCEPTION
Social engineering is only about phishing emails.
This is the trap. CAPEC-403 defines social engineering as manipulation and exploitation of people, not a specific channel. CAPEC-416 describes human behavior manipulation as the meta-level pattern, with child patterns covering psychological influence, framing, incentives, and psychological principles — none of which require email.
Similarly, CAPEC-407 (Pretexting) describes fabricating an entire identity and scenario that may be delivered by phone, in-person interaction, or other channels. MITRE ATT&CK T1598.004 (Spearphishing Voice) explicitly describes voice calls using social engineering techniques to "trick targets into divulging information."
Identity Spoofing (CAPEC-151) — "assuming the identity of some other entity and then using that identity to accomplish a goal" — is classified under social engineering in CAPEC and does not require email.
The broader error behind this misconception is confusing the delivery channel with the mechanism. Social engineering is the mechanism (human deception and manipulation). Phishing, vishing, smishing, and pretexting are delivery modalities that all employ it.
How it shows up on the exam
The cognitive target for this concept is distinguishing mechanism from method. Exam scenarios will describe an incident and ask candidates to identify the type of attack. Common confusions include:
- Labeling any malicious email "social engineering" when the question is asking about the access technique (credential harvesting versus malware delivery, each of which has a different classification and a different response)
- Assuming that a technically sophisticated attack cannot involve social engineering — MITRE ATT&CK explicitly classifies phishing as "electronically delivered social engineering" even when the payload is malware
- Treating "pretexting" and "phishing" as synonyms — CAPEC-407 grounds pretexting in fabricating a false identity and scenario, whereas phishing as defined by NIST is specifically a fraudulent solicitation that masquerades as a legitimate business or reputable person in order to acquire sensitive data
- Missing that the harm from social engineering is not always information disclosure — NIST SP 1800-21B includes "obtaining unauthorized access" and "committing fraud" as outcomes alongside information revelation
Signal phrases to watch for: "posed as," "claimed to be," "convinced the employee," "called pretending," "sent an email requesting credentials," "created a false scenario," "gained trust before asking for."
Related concepts
- Threat Vectors
- Message-Based Vectors
- Network Attack Vectors
Sources
Every claim on this page traces to the public exam blueprint and official documentation: