Saturday, November 14, 2009

Phishing

When preparing for the CompTIA Security+ (SY0-201) exam, you should understand different social engineering tactics such as phishing.

Phishing is the practice of sending unsolicited email to users in order to trick them into revealing personal information (such as user account or bank account details) or clicking on a link.

As an example, I have an email account with cox.net and I often receive different phishing emails from accounts that state they're from cox.net (but they aren't). These follow a format similar to that of many phishing emails.
  • They state some fictitious problem. Some state they've noticed suspicious activity on my account, others state that my account has been accessed from different computers, others state that they are upgrading security, and some just say they're upgrading their database.
  • They request personal information such as username, password, PIN, SSN and/or my date of birth. This is supposedly to verify my account, but the real purpose is to access my account, with the ultimate goal of stealing my identity.
  • They include a threat such as disabling my account if I don't reply. Phishing emails often say this is to protect my privacy, but it's really a "call to action." They are trying to create some sense of urgency.
Most (if not all) organizations today will never use this type of format to request your personal information. However, the emails are often quite sophisticated. They use images from the actual company and often look official. If you think there may be a chance it's real, check the message header.

The following image shows the message options for one of these phishing messages in Microsoft Outlook. You can open this dialog by right-clicking the message and selecting Message Options.



While the From address may sometimes look official and at least carry the company's domain (such as cox.net), the Reply-To address is where your response actually goes. When the From and Reply-To addresses use different domain names (aol.com instead of cox.net), it's a real giveaway. Don't trust it.
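The From/Reply-To comparison described above can be automated. The following is an added example, not part of the original post: it parses a raw email message with Python's standard library and flags a Reply-To domain that differs from the From domain. The sample messages are constructed for illustration, using the cox.net/aol.com mismatch from the post.

```python
from email import message_from_string
from email.utils import parseaddr


def _domain(header_value):
    """Return the lowercased domain of the first address in a header, or None."""
    _, addr = parseaddr(header_value or "")
    if "@" not in addr:
        return None
    return addr.rsplit("@", 1)[1].lower()


def check_reply_to(raw_message):
    """Compare the From and Reply-To domains of a raw RFC 5322 message.

    Returns a dict with both domains and a 'suspicious' flag that is True
    when a Reply-To header is present and its domain differs from the
    From domain (the giveaway described in the post). A missing Reply-To
    means replies go back to the From address, so it is not flagged.
    """
    msg = message_from_string(raw_message)
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    suspicious = reply_domain is not None and reply_domain != from_domain
    return {"from": from_domain, "reply_to": reply_domain, "suspicious": suspicious}


# Constructed phishing sample: official-looking From, replies routed elsewhere.
PHISH = """From: Cox Security <security@cox.net>
Reply-To: account-verify@aol.com
Subject: Suspicious activity on your account

Please reply with your username and password to keep your account active.
"""

# Constructed legitimate sample: Reply-To stays in the same domain as From.
LEGIT = """From: Cox Support <support@cox.net>
Reply-To: support@cox.net
Subject: Your monthly statement is available

Log in through the cox.net website to view your statement.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, check_reply_to(raw))
```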

Links within email can also lead unsuspecting users to install malware.

Other common social engineering tactics are:

Good luck with your studies.
 
Darril Gibson
CompTIA Security+: Get Certified Get Ahead: SY0-201 Study Guide