Study Guide: CompTIA Security+ Deep Dive - Phishing, Spear Phishing, Whaling, Vishing, Smishing
Source: https://www.fatskills.com/comptia-security-/chapter/tech-comptia-security-deep-dive-phishing-spear-phishing-whaling-vishing-smishing

CompTIA Security+ Deep Dive - Phishing, Spear Phishing, Whaling, Vishing, Smishing

By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.



A hyper-practical, zero-fluff guide for engineers, SOC analysts, and certification candidates


1. What This Is & Why It Matters

Phishing is consistently among the top initial access vectors in the Verizon Data Breach Investigations Report (DBIR), year after year. If you ignore it, you are ignoring the front door to your company's data.

Real-world scenario: You’re a SOC analyst at a mid-sized healthcare provider. At 3 AM, your SIEM alerts on a user downloading a "patient records update" Excel file from a Gmail address. By 4 AM, ransomware encrypts 80% of your EHR database. The root cause? A spear-phishing email impersonating your CFO, sent to the finance team with a malicious macro.

This guide will teach you:
  • How to spot phishing variants in the wild (with real email samples).
  • How to simulate phishing tests (legally) to train your team.
  • How to harden defenses (SPF, DKIM, DMARC, MFA, and user training).
  • How to respond when (not if) an employee clicks a link.

By the end, you'll be able to:
  • Pass Security+ questions on phishing variants (they appear in every exam).
  • Run a phishing simulation in your own environment (using free tools).
  • Write a 1-page phishing response playbook for your team.


2. Core Concepts & Components

| Term | Definition | Production Insight |
|---|---|---|
| Phishing | Broad, untargeted email/SMS/call scams designed to trick users into revealing credentials or installing malware. | KnowBe4 puts phishing at the start of 91% of cyberattacks. If your users can't spot a generic phishing email, no firewall will save you. |
| Spear Phishing | Highly targeted phishing, customized for a specific individual or role (e.g., "Hi [First Name], here's the Q3 budget report you requested"). | Symantec reports 65% of advanced threat groups use spear phishing. Attackers research LinkedIn, company websites, and past breaches to craft convincing lures. |
| Whaling | Spear phishing aimed at high-value targets (C-level execs, board members, or finance teams). | Whaling lures are hand-crafted and sent in low volume, so they rarely trip reputation-based spam filters, and they often come from lookalike domains (e.g., paypa1.com instead of paypal.com). |
| Vishing (Voice Phishing) | Phishing via phone calls (e.g., "This is IT support. Your account is locked. Give me your password to unlock it."). | Vishing bypasses email security controls entirely. Caller ID is trivially spoofed, so a call that displays your company's real IT support number proves nothing. |
| Smishing (SMS Phishing) | Phishing via text messages (e.g., "Your Netflix account is suspended. Click here to verify: bit.ly/3xYz123"). | Smishing is exploding (Proofpoint reports a 400% increase in 2023). Users trust SMS more than email, and a shortened link hides the real destination. |
| Clone Phishing | Attacker copies a legitimate email (e.g., a real invoice from a vendor), replaces a link or attachment with a malicious one, and resends it. | Hard to detect because the email looks identical to a previous legitimate one. Always verify unexpected attachments out of band. |
| Business Email Compromise (BEC) | A subset of phishing where attackers impersonate executives or vendors to trick employees into wiring money or sharing data. | BEC scams cost businesses $2.7B in 2022 (FBI IC3). Always call the sender on a known number to verify wire transfer or bank-detail change requests. |
| Credential Harvesting | Phishing designed to steal usernames/passwords (e.g., fake login pages for Microsoft 365, Google, or VPN portals). | MFA is the #1 defense against credential harvesting. If you don't enforce MFA, assume all passwords are compromised. |

3. Step-by-Step: Run a Phishing Simulation (Legally & Ethically)

Prerequisites:
  • A test environment (a lab domain and lab mailboxes, not your production email).
  • Written permission from management (never test without approval; an unapproved simulation is indistinguishable from a real attack).
  • Gophish (free, open-source phishing framework) or KnowBe4 (paid, enterprise-grade).

Step 1: Install Gophish

```bash
# On a Linux VM (Ubuntu 22.04), building from source
sudo apt update && sudo apt install -y git golang
git clone https://github.com/gophish/gophish.git
cd gophish
go build
./gophish
```
  • If the packaged Go toolchain is too old to build the current source, download a prebuilt release from the GitHub releases page instead.
  • Gophish's admin UI starts on https://127.0.0.1:3333; the phishing server itself listens on port 80. Current releases print a randomly generated admin password to the console on first start (only very old releases used admin:gophish). Change it immediately either way.

Step 2: Create a Phishing Campaign

  1. Set up a sending profile. This is the SMTP server Gophish relays through: use a mail server or transactional provider you control with a dedicated from-address (e.g. [email protected]), never a real employee's mailbox.
  2. Import a template (or create one). {{.FirstName}}, {{.Email}} and {{.URL}} are Gophish template variables; {{.URL}} becomes the tracked link to your landing page and {{.Tracker}} inserts the open-tracking pixel:
```html
<p>Hi {{.FirstName}},</p>
<p>Your password for {{.Email}} expires in 24 hours.
<a href="{{.URL}}">Click here</a> to reset it.</p>
<p>IT Support</p>
{{.Tracker}}
```
  3. Configure a landing page (a fake login page served from a temporary domain you own, e.g. yourcompany-login-test.com). Enable "Capture Submitted Data" so you can count submissions, but leave "Capture Passwords" off: you need to know who typed a password, not what it was.
  4. Select targets (import a CSV of test users, e.g. [email protected]).

Step 3: Launch & Monitor

  • Send the campaign.
  • Track click rates and credential submissions in the Gophish dashboard.
  • Expected output (dashboard summary):
    Campaign: "Password Reset Test"
    Sent: 50
    Opened: 35 (70%)
    Clicked: 12 (24%)
    Submitted Data: 5 (10%)

Step 4: Debrief & Train

  • Show users their results (without shaming).
  • Train on red flags:
  • Urgency ("Act now or your account will be locked!").
  • Mismatched domains (microsoft-support.com vs microsoft.com).
  • Generic greetings ("Dear User" instead of your name).
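Once the campaign has run, the numbers worth reporting are the ones in Step 3 plus a breakdown by department, which tells you where to aim the Step 4 training. The script below is an added example (not part of the original page or of the Gophish project) that computes them from a campaign results export. It assumes the JSON shape of Gophish's campaign results endpoint (GET /api/campaigns/<id>/results): a "results" list with one entry per target carrying "email", "position", a "reported" flag, and a "status" that records the furthest stage that target reached. The campaign data embedded below is constructed.

```python
"""Turn a Gophish campaign results export into the funnel numbers shown in Step 3.

Added example; not part of the original page or of the Gophish project.
It assumes the JSON shape of Gophish's campaign results endpoint
(GET /api/campaigns/<id>/results): a "results" list with one entry per target
carrying "email", "position", a "reported" flag and a "status" that records the
furthest stage that target reached. The campaign below is constructed.
"""
import json
from collections import Counter

# Stages in funnel order. A target's status is the last stage reached, so
# "Clicked Link" implies the mail was also delivered and opened.
STAGES = ["Email Sent", "Email Opened", "Clicked Link", "Submitted Data"]

SAMPLE_RESULTS = json.dumps({   # constructed, not a real campaign
    "id": 1,
    "name": "Password Reset Test",
    "results": [
        {"email": "a.ng@example.com",  "position": "Finance",     "status": "Submitted Data", "reported": False},
        {"email": "b.ray@example.com", "position": "Finance",     "status": "Clicked Link",   "reported": False},
        {"email": "c.lee@example.com", "position": "Finance",     "status": "Email Opened",   "reported": True},
        {"email": "d.oh@example.com",  "position": "Engineering", "status": "Email Sent",     "reported": False},
        {"email": "e.fox@example.com", "position": "Engineering", "status": "Email Opened",   "reported": True},
        {"email": "f.ito@example.com", "position": "Engineering", "status": "Clicked Link",   "reported": False},
        {"email": "g.paz@example.com", "position": "Finance",     "status": "Error",          "reported": False},
    ],
})


def stage_index(status: str) -> int:
    """Funnel depth of a result status; -1 for targets that never got the mail."""
    return STAGES.index(status) if status in STAGES else -1


def funnel(results_json: str) -> dict:
    """Cumulative (count, percent-of-sent) per stage, plus the report rate."""
    data = json.loads(results_json)
    depth = [stage_index(r["status"]) for r in data["results"]]
    sent = sum(1 for d in depth if d >= 0)
    out = {"campaign": data["name"], "targets": len(depth), "sent": sent}
    for i, stage in enumerate(STAGES[1:], start=1):
        n = sum(1 for d in depth if d >= i)
        out[stage] = (n, round(100 * n / sent, 1) if sent else 0.0)
    reported = sum(1 for r in data["results"] if r.get("reported"))
    out["reported"] = (reported, round(100 * reported / sent, 1) if sent else 0.0)
    return out


def click_rate_by_position(results_json: str) -> dict:
    """Percent of delivered targets per department who clicked or worse."""
    data = json.loads(results_json)
    clicked, total = Counter(), Counter()
    for r in data["results"]:
        d = stage_index(r["status"])
        if d < 0:
            continue  # bounced or errored: not a training signal
        total[r["position"]] += 1
        if d >= STAGES.index("Clicked Link"):
            clicked[r["position"]] += 1
    return {p: round(100 * clicked[p] / total[p], 1) for p in total}


if __name__ == "__main__":
    summary = funnel(SAMPLE_RESULTS)
    print(f'Campaign: "{summary["campaign"]}"  Sent: {summary["sent"]}/{summary["targets"]}')
    for stage in STAGES[1:] + ["reported"]:
        n, pct = summary[stage]
        print(f"  {stage}: {n} ({pct}%)")
    print("Click rate by position:", click_rate_by_position(SAMPLE_RESULTS))
```

Two design points: targets whose mail errored are excluded from the denominator (they were never tested), and the report rate is tracked alongside the click rate, because over time the reporting rate going up is a better sign of a trained workforce than the click rate going down.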

4. Production-Ready Best Practices

Security

  • Enforce MFA everywhere. SMS codes are the weakest option; TOTP is better, but a one-time code can still be relayed in real time by a reverse-proxy phishing kit; FIDO2/passkeys bind the credential to the real site's origin and are the only phishing-resistant choice.
  • Deploy SPF, DKIM, and DMARC (prevents email spoofing). DMARC is published as a TXT record at _dmarc.yourcompany.com; start at p=none to collect reports, then move through quarantine to reject:
```txt
v=DMARC1; p=reject; rua=mailto:[email protected]; pct=100
```
  • Block known malicious domains (use Cisco Umbrella, Quad9, or Cloudflare DNS).
  • Disable macros in Office files (via GPO or Microsoft 365 policies).

User Training

  • Run quarterly phishing simulations (track click rates over time).
  • Teach the "SLAM" method for spotting phishing:
    • Sender (Is the email really from a known contact? Check the actual address, not just the display name.)
    • Links (Hover before clicking; does the URL match the claimed destination?)
    • Attachments (Unexpected? Scan with VirusTotal before opening.)
    • Message (Urgency? Poor grammar? Too good to be true?)

Detection & Response

  • Monitor for impossible travel (e.g., a login from New York at 2 PM, then Moscow at 3 PM).
  • Set up alerts for suspicious logins (e.g., first-time logins from new countries).
  • Have a phishing response playbook:
    • Isolate the device (disconnect it from the network, but keep it powered on for forensics).
    • Reset credentials for the affected account and revoke its active sessions and tokens (a password change alone does not kill a stolen session).
    • Scan for malware (CrowdStrike, SentinelOne, or Microsoft Defender).
    • Check for lateral movement (review logs for unusual access) and search mail logs for other recipients of the same message so it can be purged from their mailboxes.
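The impossible-travel rule above is simple enough to implement yourself when your IdP does not do it for you. The script below is an added example, not from the original page: it takes sign-in events that have already been geolocated (user, UTC timestamp, latitude, longitude, source IP), computes the great-circle distance between each user's consecutive sign-ins, and alerts when the implied speed exceeds what an aircraft could manage. The events are constructed; in production the input would be your IdP's sign-in log (Entra ID, Okta, Google Workspace) joined against a GeoIP database.

```python
"""Impossible-travel detection over sign-in events, as described above.

Added example; not from the original page. It assumes each sign-in has already
been geolocated (user, UTC timestamp, latitude, longitude, source IP). The events
below are constructed; in production the input would be your IdP's sign-in log
(Entra ID, Okta, Google Workspace) joined against a GeoIP database.
"""
from datetime import datetime
from itertools import groupby
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in log: (user, ISO-8601 UTC time, latitude, longitude, source IP)
SAMPLE_LOGINS = [
    ("alice", "2024-03-04T14:00:00Z", 40.71, -74.01, "203.0.113.10"),  # New York
    ("alice", "2024-03-04T15:00:00Z", 55.76,  37.62, "198.51.100.7"),  # Moscow, 1h later
    ("bob",   "2024-03-04T09:00:00Z", 51.51,  -0.13, "192.0.2.4"),     # London
    ("bob",   "2024-03-04T12:30:00Z", 48.86,   2.35, "192.0.2.9"),     # Paris, 3.5h later
    ("bob",   "2024-03-04T12:31:00Z", 48.86,   2.35, "192.0.2.9"),     # same place, token refresh
]

MAX_SPEED_KMH = 900.0   # airliner cruise speed; faster than this is not travel
MIN_DISTANCE_KM = 50.0  # GeoIP jitter inside one metro area is not travel either


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two points in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def find_impossible_travel(logins, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per consecutive pair of sign-ins by the same user that
    would require moving faster than max_speed_kmh:
    (user, from_ip, to_ip, km, hours, kmh)."""
    parsed = [(u, datetime.fromisoformat(t.replace("Z", "+00:00")), lat, lon, ip)
              for u, t, lat, lon, ip in logins]
    parsed.sort(key=lambda e: (e[0], e[1]))  # group by user, then chronological
    alerts = []
    for user, events in groupby(parsed, key=lambda e: e[0]):
        events = list(events)
        for prev, cur in zip(events, events[1:]):
            km = haversine_km(prev[2], prev[3], cur[2], cur[3])
            if km < MIN_DISTANCE_KM:
                continue
            hours = (cur[1] - prev[1]).total_seconds() / 3600
            # Two distant locations at the same instant: infinite speed, still impossible.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_speed_kmh:
                alerts.append((user, prev[4], cur[4], round(km), round(hours, 2), round(kmh)))
    return alerts


if __name__ == "__main__":
    for user, src, dst, km, hours, kmh in find_impossible_travel(SAMPLE_LOGINS):
        print(f"ALERT {user}: {src} -> {dst}, {km} km in {hours} h ({kmh} km/h)")
```

Expect false positives from VPN egress points and mobile carriers whose GeoIP location is far from the user; tune the distance floor and suppress known corporate VPN ranges before paging anyone on this rule.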

5. Common Mistakes & Traps

| Mistake | Symptom | Fix/Prevention |
|---|---|---|
| Not enforcing MFA | Credential stuffing and phished passwords succeed. | Enable MFA on all external-facing systems (email, VPN, SaaS apps). |
| Ignoring DMARC | Spoofed emails bypass spam filters. | Set DMARC to p=reject (start with p=none to monitor first). |
| Assuming users will "just know" | High click rates on phishing tests. | Train monthly (use KnowBe4, Proofpoint, or free tools like Gophish). |
| Not monitoring for BEC | Finance wires money to attacker-controlled accounts. | Require verbal confirmation on a known number for wire transfers over $1,000. |
| Blocking all external emails | Legitimate emails get quarantined. | Use an allowlist for known vendors (but don't rely on it; attackers spoof them). |

6. Exam/Certification Focus (CompTIA Security+)

Question Patterns

  1. "Which phishing variant targets high-level executives?"
     ✅ Whaling (a subset of spear phishing aimed at C-level targets).
     ❌ Spear phishing (too broad: targeted, but not specifically at executives).
     ❌ Vishing (voice-based; the channel, not the target, defines it).

  2. "What's the best defense against credential harvesting?"
     ✅ MFA (even if the password is stolen, the attacker still needs the second factor; phishing-resistant FIDO2 is strongest).
     ❌ Password complexity (attackers don't brute-force a phished password; they already have it).
     ❌ Email filtering (useful, but some phishing emails always get through).

  3. "An employee receives an email from 'IT Support' asking for their password. What's the next step?"
     ✅ Report it to the security team (never reply or click links).
     ❌ Change their password first (a reset belongs in the response, but reporting comes first so the security team can find and purge the same email from other mailboxes).
     ❌ Ignore it (someone else in the company may fall for it).

Key Distinctions

| Term | Key distinction (the exam trap) |
|---|---|
| Phishing | Generic, untargeted. |
| Spear Phishing | Targeted at a specific person or role (e.g., "Hi [Name], here's the invoice you requested"). |
| Whaling | Spear phishing aimed at executives (e.g., CEO, CFO). |
| Vishing | Voice-based (phone calls). |
| Smishing | SMS-based (text messages). |

7. Hands-On Challenge

Challenge: You receive an email from [email protected] with the subject: "Urgent: Your AWS Account Has Been Compromised – Verify Now" The email contains a link to https://aws-account-verification.com/login.

Task:
1. Identify 3 red flags in this email.
2. Write a 1-line CLI command to check if the domain is malicious.
3. Draft a response email to the sender (if you were to reply).

Solution:
  1. Red flags:
     • The sender domain is amazon-security.com, not amazon.com.
     • Urgency ("Urgent: Your account has been compromised").
     • The link goes to aws-account-verification.com, not aws.amazon.com.
  2. Check domain reputation (VirusTotal API v3; needs a free API key):
```bash
curl -s "https://www.virustotal.com/api/v3/domains/aws-account-verification.com" \
  -H "x-apikey: YOUR_API_KEY" | jq '.data.attributes.last_analysis_stats.malicious'
```
     If you don't have a VirusTotal API key, use URLScan.io. Either way you are sharing the indicator with a third party, which is fine for a bare domain but not for a full link that carries a per-victim token.
  3. Response email. Do NOT actually send it: replying confirms your mailbox is live and invites follow-up. Drafted for training only:

     "This email appears suspicious. I've reported it to our security team. For future reference, please contact us via our official support portal at support.amazon.com."
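The three red flags in the solution (lookalike sender domain, urgency, link going somewhere other than it claims) can be pulled out of a raw message automatically, which is how a mail gateway or a SOAR triage step would do it. The script below is an added example, not from the original page. The email it parses is constructed to match the challenge, and KNOWN_BRAND_DOMAINS is a small hand-made table of a few brands' real domains standing in for whatever allowlist your gateway keeps; domains are compared on their last two labels, which is good enough here but wrong for e.g. .co.uk.

```python
"""Pull the red flags listed in the solution out of a raw email automatically.

Added example, not from the original page. The message below is constructed to
match the challenge (it is not a real email), and KNOWN_BRAND_DOMAINS is a small
hand-made table of a few brands' real domains, standing in for whatever allowlist
your mail gateway keeps. Domains are compared on their last two labels, which is
good enough here but wrong for e.g. .co.uk.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

KNOWN_BRAND_DOMAINS = {          # constructed allowlist: brand keyword -> real domains
    "amazon": {"amazon.com"},
    "microsoft": {"microsoft.com"},
    "paypal": {"paypal.com"},
}
URGENCY = ("urgent", "immediately", "within 24 hours", "suspended",
           "compromised", "verify now", "act now")

SAMPLE_EMAIL = """\
From: "Amazon Web Services" <security@amazon-security.com>
Reply-To: recover@mail-aws-verify.net
To: dev@example.com
Subject: Urgent: Your AWS Account Has Been Compromised - Verify Now
Content-Type: text/html

<p>We detected unusual activity on your account.</p>
<p><a href="https://aws-account-verification.com/login">https://aws.amazon.com/console</a>
within 24 hours or your account will be suspended.</p>
"""


def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels of a hostname."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def undo_digit_swap(domain: str) -> str:
    """Reverse the classic 1-for-l and 0-for-o substitutions (paypa1.com)."""
    return domain.translate(str.maketrans("10", "lo"))


def brand_in(text: str):
    """First known brand keyword that appears in text, or None."""
    return next((b for b in KNOWN_BRAND_DOMAINS if b in text.lower()), None)


def body_text(msg) -> str:
    """Concatenate the text/plain and text/html parts as one string."""
    parts = msg.walk() if msg.is_multipart() else [msg]
    return "".join(
        p.get_payload(decode=True).decode(p.get_content_charset() or "utf-8", "replace")
        for p in parts if p.get_content_type() in ("text/plain", "text/html"))


def red_flags(raw_email: str) -> list:
    """Return human-readable findings; an empty list means nothing looked wrong."""
    msg = message_from_string(raw_email)
    flags = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = registrable(from_addr.rsplit("@", 1)[-1]) if "@" in from_addr else ""
    body = body_text(msg)
    subject = msg.get("Subject", "")

    # 1. A brand named in the display name/subject whose real domain is not the sender's.
    brand = brand_in(display_name) or brand_in(from_dom) or brand_in(subject)
    if brand and from_dom not in KNOWN_BRAND_DOMAINS[brand]:
        kind = ("digit-for-letter lookalike"
                if undo_digit_swap(from_dom) in KNOWN_BRAND_DOMAINS[brand] else "lookalike")
        flags.append(f"sender domain {from_dom} is a {kind}, not a real {brand} domain")

    # 2. Reply-To pointing somewhere other than the From domain.
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    if "@" in reply_addr:
        reply_dom = registrable(reply_addr.rsplit("@", 1)[-1])
        if reply_dom != from_dom:
            flags.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")

    # 3. Urgency / fear language in subject or body.
    hits = [w for w in URGENCY if w in (subject + " " + body).lower()]
    if hits:
        flags.append("urgency language: " + ", ".join(hits))

    # 4. Links whose visible text names one host but whose href goes to another,
    #    or whose host is not one of the brand's real domains.
    for href, anchor in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, re.I | re.S):
        link_host = registrable(urlparse(href).hostname or "")
        shown = re.search(r"https?://([^/\s<]+)", anchor)
        if shown and registrable(shown.group(1)) != link_host:
            flags.append(f"link text shows {registrable(shown.group(1))} but points to {link_host}")
        elif brand and link_host not in KNOWN_BRAND_DOMAINS[brand]:
            flags.append(f"link host {link_host} is not a {brand} domain")
    return flags


if __name__ == "__main__":
    for f in red_flags(SAMPLE_EMAIL) or ["no red flags found"]:
        print("-", f)
```

The same function catches the paypa1.com example from the concepts table through the digit-swap check, and returns nothing for a genuine notification from amazon.com that links to console.aws.amazon.com, which is the behaviour you want before wiring a check like this into a quarantine rule.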


8. Rapid-Reference Crib Sheet

| Item | Key Info |
|---|---|
| Phishing Red Flags | Urgency, mismatched domains, generic greetings, unexpected attachments. |
| MFA Types | SMS (weak) < TOTP (Google Authenticator; codes can still be relayed by a phishing proxy) < FIDO2 (YubiKey, passkeys; phishing-resistant). |
| DMARC Record | v=DMARC1; p=reject; rua=mailto:[email protected] (TXT record at _dmarc.yourcompany.com). |
| SPF Record | v=spf1 include:_spf.google.com ~all (for Google Workspace); tighten to -all once every legitimate sender is listed. |
| DKIM Selector | Public key published as a TXT record at selector._domainkey.yourcompany.com. |
| Vishing Defense | Never give passwords over the phone. Hang up and call back using a known number. |
| Smishing Defense | Don't click SMS links. Go to the official website manually. |
| BEC Defense | Always verify wire transfers and bank-detail changes by phone (using a known number). |
| Phishing Response | Isolate device, reset credentials and revoke sessions, scan for malware, check logs. |
| Free Phishing Tools | Gophish (simulations), VirusTotal (domain checks), URLScan.io (link checks). |

9. Where to Go Next

  1. Gophish GitHub – Free phishing simulation tool.
  2. KnowBe4 Free Phishing Test – Test your users in 5 minutes.
  3. CISA Phishing Guide – Government best practices.
  4. Proofpoint State of Phish Report – Latest phishing trends.