Practice social engineering vocabulary for security awareness: phishing simulation, pretexting, vishing, attack chain language, and security awareness training communication.
1 / 5
A security awareness trainer explains: "We ran a phishing simulation last month. 23% of employees clicked the link." What is a 'phishing simulation'?
Phishing simulations measure real susceptibility rather than self-reported awareness. Metrics tracked: open rate, click rate, credential submission rate and, just as important, report rate (how many recipients flagged the message to security). The gold standard is an immediate teachable moment: employees who click land on an educational page explaining what they missed, and aggregate results go to leadership. Results drive training prioritisation: teams with high click rates or low report rates get targeted awareness training. Caveat: a single campaign's click rate depends heavily on how convincing the lure was, so compare teams within the same campaign and trend over several campaigns rather than reading one number in isolation.
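The per-team metrics and prioritisation described above, as an added example (not code from the original page or from any phishing-simulation product). The event records are constructed for illustration, the field layout is an assumption, and the thresholds are arbitrary; the point it adds is that each employee is counted once per stage and that a team with a low click rate but no reports is still flagged.

```python
"""Per-team phishing-simulation metrics and training prioritisation.

Added example; the events below are constructed and the (employee, team, event)
layout is an assumption rather than any vendor's export format.
"""
from collections import defaultdict

STAGES = ("sent", "opened", "clicked", "submitted", "reported")
RATE_NAMES = {"opened": "open_rate", "clicked": "click_rate",
              "submitted": "submission_rate", "reported": "report_rate"}

# Constructed simulation events. One employee may produce several rows
# (sent -> opened -> clicked -> submitted, or sent -> reported).
EVENTS = [
    ("a.lee", "finance", "sent"), ("a.lee", "finance", "opened"),
    ("a.lee", "finance", "clicked"), ("a.lee", "finance", "submitted"),
    ("b.ng", "finance", "sent"), ("b.ng", "finance", "opened"),
    ("b.ng", "finance", "clicked"),
    ("c.ray", "finance", "sent"), ("c.ray", "finance", "reported"),
    ("d.ito", "finance", "sent"), ("d.ito", "finance", "opened"),
    ("e.may", "eng", "sent"), ("e.may", "eng", "opened"), ("e.may", "eng", "reported"),
    ("f.ola", "eng", "sent"), ("f.ola", "eng", "clicked"),   # image blocking: click without a tracked open
    ("g.kim", "eng", "sent"), ("g.kim", "eng", "reported"),
    ("h.sun", "eng", "sent"),
    ("i.vu", "ops", "sent"),
    ("j.ali", "ops", "sent"), ("j.ali", "ops", "opened"),
]


def team_metrics(events):
    """Return {team: {stage: count, <stage>_rate: fraction of those sent}}.

    Each employee is counted at most once per stage, so duplicate rows from
    page reloads or repeated clicks cannot inflate a rate.
    """
    seen = defaultdict(lambda: defaultdict(set))   # team -> stage -> {employees}
    for emp, team, ev in events:
        if ev not in STAGES:
            raise ValueError(f"unknown event {ev!r}")
        seen[team][ev].add(emp)
    out = {}
    for team, stages in seen.items():
        m = {s: len(stages[s]) for s in STAGES}
        sent = m["sent"]
        for stage, name in RATE_NAMES.items():
            m[name] = m[stage] / sent if sent else 0.0
        out[team] = m
    return out


def prioritise(metrics, click_threshold=0.30, report_floor=0.25):
    """Teams needing targeted training, worst first.

    A team is flagged for clicking above the threshold OR for reporting below
    the floor: a team that never clicks but also never reports has not shown
    it would raise the alarm on a real phish.
    """
    flagged = [(t, m) for t, m in metrics.items()
               if m["click_rate"] > click_threshold or m["report_rate"] < report_floor]
    flagged.sort(key=lambda tm: (-tm[1]["click_rate"], tm[1]["report_rate"]))
    return [t for t, _ in flagged]


if __name__ == "__main__":
    metrics = team_metrics(EVENTS)
    for team, m in metrics.items():
        print(team, {k: round(v, 2) for k, v in m.items() if k.endswith("_rate")})
    print("train first:", prioritise(metrics))
```

With the constructed data, finance is flagged on click rate (2 of 4 clicked, 1 submitted credentials) and ops on report rate (nobody reported), while eng clears both bars because two of its four recipients reported the message.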
2 / 5
A social engineering report mentions 'pretexting.' What does pretexting mean in this context?
Pretexting is the foundation of most social engineering: the attacker builds a believable story (pretext) to justify their request. Classic pretexts: 'I'm from IT, your account shows suspicious activity — I need to verify your credentials,' 'I'm a vendor auditor, I need access to the server room.' Pretexting exploits trust, authority, and helpfulness rather than technical vulnerabilities. It is used in both phishing emails and vishing calls.
3 / 5
A security report flags a 'vishing attempt targeting the finance team.' What is vishing?
Vishing (voice phishing) is telephone-based social engineering. Common scenarios: fake IT helpdesk calls requesting password resets, fake bank fraud alerts asking for card details, and Business Email Compromise (BEC) paired with a phone call to authorise a wire transfer. Vishing is particularly effective against finance teams (BEC fraud) and against telecom customer service staff, who can be talked into a SIM swap. Defence: callback verification on a number taken from the company directory (never one the caller supplies), and a rule that unsolicited calls requesting sensitive actions are never acted on during the call itself.
4 / 5
A red team debrief describes a 'social engineering attack chain.' What does this term mean?
Attack chains show how individual social engineering techniques combine: no single step may be sufficient alone, but chaining them achieves the goal. Example: a spear-phishing email (step 1) installs a keylogger → credentials are captured (step 2) → the attacker calls the IT helpdesk, pretexting as the employee and using those credentials to pass verification, and has a new MFA device added (step 3) → full account takeover (step 4). Understanding attack chains helps defenders identify which link to break; here the helpdesk step is the cheapest, since out-of-band verification before enrolling a new MFA device stops the chain even after the credentials are lost.
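A detection for step 3 of the chain above, as an added example (not code from the original page or from any identity provider). It reads constructed JSON-lines identity-provider events, and the event names, field names and 24-hour window are assumptions: an MFA factor enrolled by someone other than the account owner, followed by a login from an address that user has never used, is the signature the debrief's chain leaves behind. A self-service enrollment, or a helpdesk enrollment followed by a login from a known address, does not alert.

```python
"""Flag helpdesk-assisted MFA enrollment followed by a login from a new IP.

Added example. LOG is constructed; event and field names are assumptions,
not any real identity provider's schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

LOG = """\
{"ts":"2024-03-01T08:00:00Z","event":"user.login.success","user":"j.doe","ip":"203.0.113.7"}
{"ts":"2024-03-02T08:05:00Z","event":"user.login.success","user":"k.ray","ip":"203.0.113.9"}
{"ts":"2024-03-02T09:00:00Z","event":"user.login.success","user":"m.lin","ip":"203.0.113.40"}
{"ts":"2024-03-03T11:30:00Z","event":"mfa.factor.enroll","user":"k.ray","actor":"k.ray","ip":"203.0.113.9"}
{"ts":"2024-03-03T11:32:00Z","event":"user.login.success","user":"k.ray","ip":"203.0.113.9"}
{"ts":"2024-03-05T14:10:40Z","event":"mfa.factor.enroll","user":"j.doe","actor":"hd.agent3","ip":"198.51.100.12"}
{"ts":"2024-03-05T14:25:03Z","event":"user.login.success","user":"j.doe","ip":"192.0.2.88"}
{"ts":"2024-03-06T09:00:00Z","event":"mfa.factor.enroll","user":"m.lin","actor":"hd.agent1","ip":"198.51.100.12"}
{"ts":"2024-03-06T09:20:00Z","event":"user.login.success","user":"m.lin","ip":"203.0.113.40"}
"""


def parse(log):
    """Parse JSON lines into dicts with a datetime `ts`, sorted by time."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        e = json.loads(line)
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(e)
    events.sort(key=lambda e: e["ts"])
    return events


def detect_assisted_enroll_then_new_ip(events, window=timedelta(hours=24)):
    """Return (user, actor, enroll_ts, login_ip) tuples.

    An alert fires when an MFA factor is enrolled by an actor other than the
    account owner (helpdesk-assisted) and, within `window`, that account logs
    in from an IP not seen in any of its earlier successful logins.
    """
    known_ips = defaultdict(set)   # user -> IPs from successful logins so far
    pending = []                   # assisted enrollments awaiting a follow-on login
    alerts = []
    for e in events:
        if e["event"] == "mfa.factor.enroll" and e.get("actor") != e["user"]:
            pending.append({"user": e["user"], "actor": e["actor"], "ts": e["ts"],
                            "ips_before": set(known_ips[e["user"]])})
        elif e["event"] == "user.login.success":
            for p in list(pending):
                in_window = p["ts"] <= e["ts"] <= p["ts"] + window
                if p["user"] == e["user"] and in_window and e["ip"] not in p["ips_before"]:
                    alerts.append((p["user"], p["actor"], p["ts"], e["ip"]))
                    pending.remove(p)
            known_ips[e["user"]].add(e["ip"])
    return alerts


if __name__ == "__main__":
    for user, actor, ts, ip in detect_assisted_enroll_then_new_ip(parse(LOG)):
        print(f"ALERT {ts:%Y-%m-%d %H:%M} {user}: MFA enrolled by {actor}, "
              f"then login from never-seen IP {ip}")
```

Only j.doe alerts: k.ray enrolled their own factor, and m.lin's helpdesk enrollment was followed by a login from an address already on record. In practice the baseline of known addresses would come from weeks of history rather than the handful of constructed lines here.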
5 / 5
A security awareness training announcement reads: "This training helps prevent social engineering attacks by building a human firewall." What does 'human firewall' mean?
Technical controls (spam filters, MFA, endpoint detection) can be bypassed by targeting humans directly. The 'human firewall' concept recognises that security-aware employees are a critical defence layer. Training objectives: recognise phishing indicators, verify identity before acting on requests, report suspicious activity without fear, and follow procedures even when an 'authority figure' pressures them to skip steps. Simulation exercises + training build this firewall.