If you have taken a Security+ practice test, you have hit this question: a scenario describes an email attack, and all four answers are real social engineering terms. Phishing, spear phishing, whaling, business email compromise. They are all "kind of right." Only one matches the scenario. That is the whole trap in Domain 2, and once you see how it is built, you stop guessing.
Here is the mental model that fixed it for me.
Social engineering questions test three different axes
When SY0-701 asks you to name a social engineering attack, it is almost always testing one of three things: who the target is, what channel was used, or what mechanism made it work. Most people study the vocabulary as a flat alphabetical list. The exam reads it as three separate dimensions, and the wrong answers are usually pulled from a different dimension than the one the question cares about.
Sort the terms by axis and the scenarios get a lot easier.
Axis 1: the target (this is the one people get backwards)
- Phishing is the wide net. Generic message, sent to thousands, no personalization.
- Spear phishing is targeted. It names you, your role, or your company. The attacker did homework first.
- Whaling is spear phishing aimed at a "big fish," a senior executive who can authorize money or access.
The classic trap: a scenario where an email pretends to be the CEO and asks a finance clerk to wire money. People pick whaling because they see "CEO." But whaling is about who the victim is, not who is being impersonated. The victim here is the clerk, not an executive, so on the target axis this is spear phishing; the specific flavor, an impersonated executive asking for a payment, is what the objectives list as business email compromise (BEC), and if BEC is among the choices it is the more precise answer. Read for who gets fooled, not whose name is in the From field.
Axis 2: the channel
- Vishing is voice. A phone call or a voicemail.
- Smishing is SMS. A text message.
- Plain phishing defaults to email.
These are easy points if you slow down enough to notice the delivery method in the scenario. The exam loves to bury "she received a text message" in the middle of a paragraph and then offer phishing as a tempting distractor.
Axis 3: the mechanism
- Pharming redirects victims to a fake site by tampering with name resolution, usually a poisoned DNS cache or an edited local hosts file. The key tell: the victim typed the correct address and still landed on the fake page. No lure, no click required.
- Watering hole compromises a legitimate site the target group already visits, then waits for them to show up.
- Typosquatting registers lookalike domains (a dropped, transposed, doubled, or substituted character) and waits for a fat finger.
If a scenario stresses that the user did nothing wrong and still got redirected, it is pointing at pharming, not phishing.
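The two mechanism tells above, a hosts-file override and a lookalike domain, are also things you can check for on a real system. The script below is an added example written for this post, not code from the original article or from any exam material: it scans constructed hosts-file text for monitored domains pinned to a non-local address (the pharming tell) and generates a small set of typosquat variants of a domain to match against a constructed list of observed domains. The domain bank-example.com, the 203.0.113.7 address, and the homoglyph table are assumptions chosen for illustration; real typosquat tooling generates far more mutations than this.

```python
"""Checks for the two 'mechanism' tells: hosts-file pharming and typosquat lookalikes.

All sample data here is constructed for the example; none of it comes from a real incident.
"""

# Addresses that are normal to see in a hosts file; anything else pointing at a
# monitored domain is suspicious.
LOCAL = {"127.0.0.1", "::1", "0.0.0.0"}

# Assumed homoglyph / visual-confusion substitutions (illustrative subset only).
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5", "m": "rn", "w": "vv"}

# Constructed hosts-file content: one harmless dev override and one pharming-style entry.
HOSTS = """
127.0.0.1 localhost
# legitimate local dev override
127.0.0.1 dev.bank-example.com
# suspicious: pins the real name to an external address
203.0.113.7 www.bank-example.com bank-example.com
"""

# Assumed domain the defender cares about, and a constructed list of observed domains.
MONITORED = ["bank-example.com"]
OBSERVED = ["bank-example.com", "bnak-example.com", "bank-exarnple.com",
            "bank-examp1e.com", "example.org"]


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def pharming_overrides(hosts_text, monitored):
    """Hosts entries that map a monitored domain or subdomain to a non-local address."""
    hits = []
    for ip, name in parse_hosts(hosts_text):
        for dom in monitored:
            if (name == dom or name.endswith("." + dom)) and ip not in LOCAL:
                hits.append((name, ip))
    return hits


def typo_variants(domain):
    """Lookalike domains from omission, transposition, doubling and homoglyph swaps."""
    label, _, tld = domain.lower().partition(".")
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                    # dropped character
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])     # doubled character
        if label[i] in HOMOGLYPHS:
            variants.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
    for i in range(len(label) - 1):
        variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
    variants.discard(label)
    return {v + "." + tld for v in variants if v}


def flag_lookalikes(observed, domain):
    """Observed domains that are typo variants of `domain` (the real domain is never flagged)."""
    lookalikes = typo_variants(domain)
    return sorted(d for d in observed if d.lower() in lookalikes)


if __name__ == "__main__":
    for name, ip in pharming_overrides(HOSTS, MONITORED):
        print(f"pharming tell: {name} -> {ip} in hosts file")
    for d in flag_lookalikes(OBSERVED, MONITORED[0]):
        print(f"typosquat lookalike of {MONITORED[0]}: {d}")
```

The hosts check only flags monitored names that resolve somewhere other than loopback, so a developer's local override stays quiet while an entry that pins the production name to an external address is reported. The lookalike set is deliberately small; the point is that a transposition like bnak-example.com and a homoglyph like bank-exarnple.com are both generated from the legitimate name, which is exactly what makes them work on a fat finger or a careless glance.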
The layer underneath: principles of influence
Here is the part a lot of study guides skim. SY0-701 also tests why social engineering works, and in those questions the answer choices are not attacks at all. They are psychological levers: authority, intimidation, urgency, scarcity, consensus (social proof), familiarity, and trust.
A question can describe a textbook phishing email and then ask what principle made it effective. "Your account will be locked in 10 minutes" is urgency and scarcity. "This is the IRS, comply now" is authority and intimidation. If the four answers are pressures and emotions rather than attack names, the question quietly switched axes on you. Recognize that and you answer it in five seconds.
How to actually study this
Flashcards that say "whaling = phishing a high-value target" will not save you, because the exam never hands you the definition. It hands you a paragraph and makes you classify it under pressure. The fix is to practice on scenarios, not definitions, and to force yourself to name the axis before you pick an answer: target, channel, or mechanism?
I have been building practice questions around this exact failure mode at secplusmastery.com, where the social engineering items are written as scenarios with plausible distractors from a different axis, the way the real exam does it. If you want a quick read on where you actually stand before you start grinding, the free diagnostic is a no-signup way to find out which domains are leaking points.
Get the three axes straight and Domain 2 stops being a coin flip. The terms were never the hard part. Knowing which question you are actually being asked is.