Coming Soon
Expected availability announced soon

This course is in active development. Preview the scope below and create a free account to be notified the moment it goes live.


SA Social Engineering

The course teaches employees to identify common social‑engineering tactics, understand how attackers exploit human behavior, and follow proper security procedures to protect corporate data in daily work.

Who Should Take This

All staff members who handle email, phone, or in‑person communications are ideal participants. They may have limited technical background but need to recognize manipulation, adhere to security policies, and know how to report suspicious interactions promptly to safeguard the organization.

What's Included in AccelaStudy® AI

Adaptive Knowledge Graph
Practice Questions
Lesson Modules
Console Simulator Labs
Exam Tips & Strategy
20 Activity Formats

Course Outline

61 learning goals
1 Understanding Social Engineering
2 topics

What social engineering is and how it works

  • Recognize social engineering as the manipulation of people into performing actions or divulging confidential information through deception rather than technical exploitation.
  • Explain the social engineering attack lifecycle including research and reconnaissance, establishing rapport, exploiting trust, and executing the attack objective.
  • Describe why social engineering remains effective even against organizations with strong technical security controls, because it targets human judgment and trust rather than system vulnerabilities.
  • Describe the potential consequences of a successful social engineering attack including unauthorized facility access, data theft, financial fraud, malware installation, and reputational damage.

Psychological principles exploited

  • Recognize how attackers exploit the principle of authority by impersonating executives, IT administrators, or law enforcement to bypass employee resistance.
  • Recognize how attackers exploit urgency and scarcity by creating artificial time pressure that causes employees to skip verification procedures.
  • Recognize how attackers exploit reciprocity by offering a small favor or helpful information before making a request that serves the attacker's objectives.
  • Recognize how attackers exploit social proof by claiming that other employees have already complied with a request or that a procedure is standard practice.
  • Explain how fear and intimidation tactics such as threats of job loss, legal action, or system shutdown override rational decision-making in targeted employees.
  • Explain how the liking principle makes employees more compliant with requests from people who appear friendly, attractive, or similar to themselves.
  • Explain how the commitment and consistency principle causes employees who have already agreed to a small request to feel obligated to comply with increasingly larger requests.
  • Analyze how social engineers combine multiple psychological principles in a single attack to create compounding pressure that is harder to resist than any single tactic alone.
2 Social Engineering Attack Types
5 topics

Pretexting and impersonation

  • Recognize pretexting attacks where the attacker creates a fabricated scenario or identity to establish credibility and extract information from employees.
  • Recognize impersonation of IT support staff who request login credentials, remote access, or system changes under the guise of troubleshooting or maintenance.
  • Recognize impersonation of vendors, contractors, or service providers who request access to facilities, systems, or confidential business information.
  • Explain how attackers research employees on LinkedIn, company websites, and social media to craft convincing pretexts that reference real projects, colleagues, or events.
  • Describe common pretexting scenarios targeting specific departments including HR (employee verification), finance (invoice inquiries), and front desk (delivery impersonation).
  • Recognize impersonation of government officials, auditors, or regulatory inspectors who demand immediate access to records, systems, or facilities without proper advance coordination.

Baiting and quid pro quo

  • Recognize baiting attacks that use physical media such as infected USB drives, CDs, or external hard drives left in common areas to entice employees to connect them to corporate devices.
  • Recognize digital baiting attacks that use enticing downloads such as free software, pirated content, or fake security tools to deliver malware to corporate systems.
  • Recognize quid pro quo attacks where an attacker offers something of value such as technical assistance or a service in exchange for login credentials or system access.
  • Explain how curiosity and the desire for free items make baiting attacks effective and why corporate policy prohibits connecting unknown devices or downloading unauthorized software.
  • Describe the proper procedure for handling found USB drives or unknown media including turning them in to IT security rather than connecting them to any device.

Phone-based social engineering

  • Recognize phone-based pretexting where callers impersonate colleagues, vendors, or authority figures to extract sensitive information or compel unauthorized actions.
  • Recognize help desk manipulation where attackers call IT support requesting password resets or account unlocks while impersonating legitimate employees.
  • Explain how caller ID spoofing lets attackers present any number they choose, including a real internal extension or a known vendor's number, so that caller ID alone can never establish who is calling.
  • Describe callback verification procedures for handling suspicious calls, including hanging up and calling the person back at a known-good number from the corporate directory, never at a number supplied by the caller.
  • Explain how AI-generated voice cloning enables attackers to impersonate specific individuals on phone calls with convincing vocal characteristics and speech patterns.

Physical social engineering

  • Recognize tailgating attacks where an unauthorized person follows an authorized employee through a secured door without presenting their own credentials or badge.
  • Recognize piggybacking scenarios where an attacker asks an employee to hold the door, often using social pressure such as carrying packages or claiming to have forgotten their badge.
  • Recognize shoulder surfing where an attacker observes an employee entering passwords, PINs, or viewing sensitive information on screens in public or shared spaces.
  • Recognize dumpster diving as a reconnaissance method where attackers retrieve discarded documents, notes, or hardware containing sensitive information from trash or recycling.
  • Explain how social norms of politeness make it psychologically difficult for employees to challenge someone following them through a door or to refuse to hold a door open.
  • Recognize unauthorized photography or recording in secure areas where attackers use smartphone cameras to capture whiteboard contents, screen information, or facility layouts.

Digital and emerging social engineering

  • Recognize watering hole attacks where attackers compromise websites frequently visited by target employees to deliver malware or harvest credentials.
  • Recognize fake social media profiles and LinkedIn connection requests used by attackers to build rapport, gather intelligence, or deliver malicious links to targeted employees.
  • Explain how deepfake video technology can be used in video calls to impersonate executives or colleagues, making remote social engineering attacks appear legitimate.
3 Defending Against Social Engineering
3 topics

Verification and challenge procedures

  • Explain the verify-then-trust principle of confirming the identity and authorization of anyone requesting sensitive information, access, or actions before complying.
  • Describe out-of-band verification procedures for confirming requests by contacting the requestor through a separate, independently obtained channel, such as a directory phone number or an in-person conversation, rather than any contact detail supplied in the request itself.
  • Explain how to politely but firmly challenge unverified individuals requesting physical access, sensitive information, or unusual actions without feeling rude or insubordinate.
  • Describe the principle that legitimate IT support, management, and vendors expect identity verification, will not be offended by it, and will support employees who follow security procedures.
  • Explain how to recognize when urgency is being manufactured to bypass verification and why slowing down to follow procedures is the correct response to pressure.

Physical security awareness

  • Describe badge-in-one-at-a-time discipline including not holding doors for unfamiliar individuals and directing visitors to reception for proper sign-in procedures.
  • Describe clean desk practices that prevent shoulder surfing and document theft including locking screens when away, storing papers in locked drawers, and using privacy screens.
  • Explain proper document disposal procedures including shredding sensitive documents and using secure recycling bins rather than regular trash.
  • Describe visitor management procedures including requiring escorts for visitors, checking visitor badges, and challenging unescorted individuals in restricted areas.

Information sharing discipline

  • Explain the need-to-know principle that employees should only share information with individuals who have a verified, legitimate business need for that information.
  • Describe the risks of oversharing on social media including posting job titles, project details, travel plans, and organizational charts that attackers use for reconnaissance.
  • Explain why employees should never share passwords, badges, access cards, or security tokens even with colleagues and especially not in response to phone or email requests.
  • Describe safe practices for handling inquiries about organizational information including directing external callers to official channels and not confirming employee details to unverified requestors.
  • Explain the risks of discussing sensitive business information in public places such as airports, restaurants, and elevators where conversations may be overheard by unauthorized individuals.
4 Reporting and Response
2 topics

Recognizing and reporting attempts

  • Describe the organizational procedure for reporting suspected social engineering attempts including who to contact, what information to provide, and the expected response timeline.
  • Explain why reporting social engineering attempts is critical even when the attempt was unsuccessful because it helps security teams identify patterns and warn other employees.
  • Describe the information to capture when reporting including the attacker's claimed identity, what they requested, what communication channel was used, and what information may have been disclosed.
  • Explain how an employee should respond on realizing they have already complied with a social engineering request, including reporting the incident immediately and documenting what information or access was provided, so that disclosed credentials can be reset and granted access revoked.

Scenario analysis and response

  • Analyze a pretexting scenario to identify which psychological manipulation tactics were used and determine the appropriate defensive response at each stage.
  • Analyze a physical social engineering scenario involving tailgating, impersonation, and shoulder surfing to determine which security procedures were violated.
  • Analyze a phone-based social engineering scenario to identify the pretext used, the information disclosed, and the corrective actions needed.
  • Analyze a multi-vector social engineering attack that combines email, phone, and in-person tactics to identify the full attack chain and recommend layered defenses.
  • Synthesize a comprehensive defense plan for a department that addresses the most common social engineering vectors including pretexting, tailgating, baiting, and phone-based attacks.
  • Synthesize recommendations for building a security-conscious organizational culture that empowers employees to challenge and report social engineering without fear of reprisal.

Scope

Included Topics

  • All major social engineering attack types targeting corporate employees: pretexting, baiting, tailgating and piggybacking, impersonation, authority exploitation, quid pro quo attacks, and watering hole attacks.
  • Psychological manipulation tactics exploited by social engineers including reciprocity, urgency and scarcity, fear and intimidation, trust and liking, social proof, authority compliance, and commitment and consistency.
  • Phone-based social engineering including vishing, pretexting calls, help desk manipulation, callback scams, and AI-generated voice impersonation targeting employees at all levels.
  • In-person social engineering attacks including tailgating through secured doors, impersonating delivery personnel or contractors, shoulder surfing, dumpster diving, and unauthorized photography.
  • Digital social engineering beyond email including social media reconnaissance, fake LinkedIn profiles, malicious collaboration platform messages, and deepfake video impersonation.
  • Defensive strategies for employees including verification procedures, challenge culture, physical access discipline, information sharing discipline, and reporting suspected social engineering attempts.

Not Covered

  • Technical countermeasures such as network access control configuration, badge system administration, and CCTV system management (covered by IT and physical security teams).
  • Advanced social engineering techniques used in penetration testing and red team operations.
  • Detailed psychological research and academic study of persuasion and influence beyond practical workplace application.
  • Law enforcement investigation procedures for social engineering crimes.
