Cybersecurity - Lesson 2 of 6

Social Engineering

The most sophisticated network defence in the world can be bypassed with a single convincing phone call. Social engineering exploits people, not systems - and it's consistently the most effective attack vector in real-world cybercrime.

Duration: 45–60 min. Topics: Phishing, Blagging, Shoulder Surfing, Baiting

The hacker never touched the network firewall. They never exploited a software vulnerability. They called the receptionist, said they were from IT support, explained there was an urgent server issue that needed the network admin's login credentials immediately. The receptionist gave them to a complete stranger over the phone. The entire company network was compromised in minutes.

Think about it: No technical vulnerability was exploited. What made this attack so effective? And why is this harder to defend against than a software exploit?
This is social engineering - and in real-world cybercrime, it is responsible for more successful breaches than any technical attack. Understanding how it works is just as important as understanding technical defences.
Why this matters in the exam

Social engineering questions appear on every specification. The most commonly confused terms are phishing and blagging: phishing uses digital messages (usually email); blagging is a fabricated story or pretext, delivered in person, by phone, or in writing. Examiners will test you on the difference.

What is social engineering?

Social engineering is the manipulation of people into performing actions or revealing confidential information. Instead of attacking software and hardware, attackers exploit human psychology - trust, fear, urgency, and helpfulness.

Security professionals often say: "The weakest link in any security system is the human." Even the most technically hardened network can be compromised if an employee is manipulated into handing over access credentials.

Social engineering
Manipulating people into revealing confidential information or performing actions that compromise security.
Pretext
A fabricated scenario or false identity used to make a social engineering attack more convincing.
Psychological triggers
Human tendencies exploited by attackers - urgency, authority, fear, helpfulness, and trust.
Vishing
Phishing conducted via voice calls (phone). Short for "voice phishing".

The four social engineering attacks

Attack 1
Phishing

Fraudulent messages - almost always emails - that impersonate trusted organisations (banks, government, employers) to trick recipients into clicking malicious links, entering credentials, or downloading malware.

Spear phishing is a targeted variant using personalised details (your name, your employer, a real invoice number) to appear highly convincing. Smishing uses SMS; vishing uses phone calls.

Exam tip: Phishing is defined by its delivery mechanism - digital messages impersonating a trusted source. The goal is usually to steal credentials or install malware. Mention both the impersonation and the goal in exam answers.
Attack 2
Blagging (Pretexting)

Creating a fabricated scenario (a pretext) to manipulate someone into providing information or access. The attacker invents a plausible story and a false identity to gain trust. Unlike phishing, blagging is typically direct and conversational - in person, by phone, or via written correspondence.

Example: calling a company pretending to be from IT support, claiming there is an urgent server issue, and asking for the network password to "fix it".

Exam tip: Blagging = fabricated story / false identity. It exploits trust and authority. Distinguish from phishing - blagging is about the false pretext, not the digital message.
Attack 3
Shoulder Surfing

Physically observing someone as they enter sensitive information. This could be watching someone type a PIN at a cashpoint, a password on a laptop in a café, or a security code at a gate. Simple, low-tech, but consistently effective in the right environment.

Modern shoulder surfing can also involve recording video covertly - a phone propped up on a table, for example.

Exam tip: The key word is physical observation. Defences include screen privacy filters, shielding the keypad, and awareness of surroundings.
Attack 4
Baiting

Luring victims with something enticing. The classic example is leaving infected USB drives in a company car park or reception labelled "Salary Data 2024" or "Confidential". Curious employees plug them in, installing malware. Digital baiting uses online downloads - free software, cracked games, pirated films - as the lure.

Exam tip: Baiting relies on curiosity or greed. The victim actively takes the bait. Emphasise that the attacker does not need to interact with the victim directly.

Phishing Email Spotter - find the red flags

The activity presents a realistic phishing email containing 5 red flags - suspicious parts of the message that suggest it is not genuine. Find all 5.
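As an added example (not part of the lesson page or its interactive activity), the script below turns the kind of red flags the activity asks for into checks a machine can run: it parses a constructed phishing email and reports which flags it finds. The brand-to-domain lookup (KNOWN_BRANDS), the keyword lists, and every address and domain in the sample message are assumptions made for this example, not real organisations or real data.

```python
"""Phishing red-flag checker: an added example, not code from the lesson page.
Reports the textual red flags the lesson asks students to find in one email."""
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed brand -> genuine-domain lookup; hypothetical values for this example.
KNOWN_BRANDS = {"natbank": "natbank.co.uk"}
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours", "suspended", "verify now")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat", ".html")

# Constructed sample message: every address and domain in it is made up.
SAMPLE_EMAIL = """\
From: "NatBank Security Team" <alerts@natbank-secure-login.com>
Reply-To: recover@mail-verify.net
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>We detected unusual activity. Verify now or your account will be suspended.</p>
<p><a href="http://natbank-secure-login.com/verify">https://www.natbank.co.uk/login</a></p>
</body></html>
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Account_Statement.pdf.exe"

AAAA
--b1--
"""


def _host(url):
    """Hostname of a URL or bare domain, lower-cased, without a leading www."""
    host = (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def _domain_of(address):
    """Domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs plus all visible text from HTML."""
    def __init__(self):
        super().__init__()
        self.links, self.text, self._current = [], "", None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href") or "", ""]

    def handle_data(self, data):
        self.text += data
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def find_red_flags(raw_message):
    """Return the sorted red-flag labels found in a raw RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    flags = set()
    display_name, from_addr = email.utils.parseaddr(str(msg.get("From", "")))
    from_domain = _domain_of(from_addr)
    # Display name claims a known brand but the address is not that brand's domain.
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in display_name.lower() and from_domain != genuine:
            flags.add("sender-domain-mismatch")
    # Replies are routed to a different domain from the claimed sender.
    _, reply_addr = email.utils.parseaddr(str(msg.get("Reply-To", "")))
    if reply_addr and _domain_of(reply_addr) != from_domain:
        flags.add("reply-to-mismatch")
    subject, text = str(msg.get("Subject", "")).lower(), ""
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            name = (part.get_filename() or "").lower()
            # Executable or script, or a double extension such as .pdf.exe.
            if name.endswith(RISKY_EXTENSIONS) or name.count(".") > 1:
                flags.add("risky-attachment")
        elif part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_content())
            text += collector.text.lower()
            # Visible link text names one host while the href goes to another.
            for href, label in collector.links:
                if "." in label.strip() and _host(label.strip()) != _host(href):
                    flags.add("link-text-mismatch")
        elif part.get_content_type() == "text/plain":
            text += part.get_content().lower()
    # Pressure to act now, in the subject or the body.
    if any(w in subject or w in text for w in URGENCY_WORDS):
        flags.add("urgency-language")
    # The "bank" does not address the customer by name.
    if any(g in text for g in GENERIC_GREETINGS):
        flags.add("generic-greeting")
    return sorted(flags)
```

Calling find_red_flags(SAMPLE_EMAIL) returns six labels (sender domain, reply-to, link text, urgency, generic greeting, risky attachment), while a plain statement email sent from the brand's genuine domain with no links, no attachment and a personalised greeting returns an empty list. These checks are heuristics, which is why the lesson pairs them with human judgement: an attacker who registers a convincing lookalike domain and writes calmly slips past most of them, and the brand lookup only catches brands you have listed.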
5-Question Check
Social engineering - test your understanding
Question 1 of 5
An attacker calls a company receptionist pretending to be from the IT department, creating a false emergency to get the receptionist to reveal the admin password. What social engineering technique is this?
Question 2 of 5
What is the key difference between phishing and blagging?
Question 3 of 5
An attacker leaves USB drives in a car park labelled "Staff Payroll 2024". Employees plug them in and install malware. What attack is this?
Question 4 of 5
Which psychological trigger do phishing emails typically use to pressure victims into acting quickly?
Question 5 of 5
Why is social engineering often considered harder to defend against than technical attacks?
Think deeper

A company installs the most advanced technical security system available - firewalls, encryption, and intrusion detection. Explain why social engineering attacks may still succeed, and suggest two measures the company could take to reduce this risk.

Why technical security is insufficient: Social engineering targets the people using the system, not the technical components. Even with perfect technical defences, an employee who is manipulated into revealing login credentials - through phishing, blagging, or other techniques - gives an attacker legitimate access that bypasses all technical controls. The human element cannot be secured by software alone.

Measure 1 - Staff training: Regular security awareness training teaches employees to recognise social engineering attempts, verify identities before sharing information, and follow procedures even under apparent time pressure.

Measure 2 - Clear security policies: An Acceptable Use Policy and clear protocols (e.g. "IT will never ask for your password by phone") give employees a framework to fall back on when pressured. Staff should know they can refuse requests that violate policy, even from apparent authority figures, and should verify the caller's identity through a known internal number before acting.
Printable Worksheets

Practice what you have learned

Three levels of worksheet for this lesson. Download, print and complete offline.

Recall
Social Engineering Tactics
Match each attack type to its definition. Identify which psychological principle each tactic exploits.
Apply
Spot the Attack
Read each scenario and name the social engineering technique. Explain the key indicators that gave it away.
Exam Style
Exam-Style Questions
Scenario-based questions requiring identification and evaluation of social engineering techniques.
Cybersecurity Flashcards
Review all Cybersecurity terms with flashcards. Filter by lesson, shuffle, and track what you know.
Teacher Panel
L2: Social Engineering
Suggested timing
0–8 min: Hook - read and discuss as class
8–20 min: Four attack types - work through cards
20–35 min: Phishing spotter activity - individual then class discussion
35–48 min: Quiz + Think Deeper
48–60 min: Worksheets
Learning objectives
1. Define social engineering and explain why it exploits humans rather than technology
2. Describe phishing, blagging, shoulder surfing and baiting with examples
3. Distinguish between phishing and blagging in exam scenarios
4. Identify red flags in a phishing email
Starter idea
Show the hook scenario on the board. Ask students: "Was any technical vulnerability exploited here? What made the attack work?" Then ask: "What could the receptionist have done differently?" This anchors the lesson in real human behaviour before introducing the formal vocabulary.
Board vocabulary
Social engineering
Manipulating people into revealing information or performing actions that compromise security
Phishing
Fraudulent digital messages (email) impersonating trusted organisations
Blagging (pretexting)
Fabricated scenario or false identity to manipulate someone directly
Shoulder surfing
Physically watching someone enter sensitive information
Baiting
Luring victims with enticing physical or digital content (e.g. infected USB)
Discussion prompts
Why would a highly technical attacker still choose social engineering over a software exploit?
How can an organisation train staff to resist social engineering without making them paranoid or unhelpful?
Can you think of a social engineering attack in daily life that isn't classified as cybercrime?
Common misconceptions
"Phishing and blagging are the same thing" - phishing uses digital messages; blagging uses a fabricated pretext (often verbal).
"Only non-technical users fall for phishing" - spear phishing has deceived experienced security professionals.
"Baiting only uses USB drives" - digital baiting (fake downloads, free software offers) is equally common.
Exit tickets
Describe phishing and explain two red flags that suggest an email is a phishing attempt. [4 marks]
Explain the difference between blagging and phishing, using an example of each. [4 marks]
Suggest two methods an organisation could use to reduce the risk of social engineering attacks. [4 marks]