In AP Computer Science Principles, phishing is a technique that tricks a user into providing personal information (like passwords or bank logins) by posing as a trustworthy source, which attackers then use to access sensitive online resources (EK IOC-2.C.1, Topic 5.6).
Phishing is a con job that runs over email, text, or a fake website. An attacker pretends to be someone you trust, like your bank or your school's IT department, and asks you to "verify" your password, credit card number, or other personal information. The moment you type it in, the attacker has it and can use it to log into your real accounts, such as your bank or email (EK IOC-2.C.1).
The key thing the AP CSP CED wants you to understand is that phishing doesn't break any technology. There's no code being cracked. Phishing exploits people. The fake bank email and the fake login page can look pixel-perfect, but the security failure happens when a human voluntarily hands over their credentials. That's why phishing sits in Topic 5.6 (Safe Computing) under the learning objective about how unauthorized access is gained, right alongside keylogging and rogue access points.
Phishing lives in Unit 5: Impact of Computing, Topic 5.6 Safe Computing, and directly supports AP CSP learning objective 5.6.C (explain how unauthorized access to computing resources is gained). It also connects to 5.6.A, because what phishing steals is personally identifiable information (PII) like Social Security numbers and financial data, and to 5.6.B, because the defenses the CED names (strong passwords, multifactor authentication) are exactly what limit the damage when a phishing attempt succeeds. Unit 5 is all about the human and societal side of computing, and phishing is the clearest example on the exam of a security threat aimed at humans instead of machines.
Keylogging (Unit 5)
Keylogging is phishing's neighbor in EK IOC-2.C: both are ways attackers gain unauthorized access to passwords. The difference is the method. Keylogging is software secretly recording your keystrokes, while phishing is a fake message convincing you to type your info into the wrong place on purpose.
Two-Factor Authentication (Unit 5)
Multifactor authentication (EK IOC-2.B.3) is the standard exam answer for defending against phishing. Even if you get tricked into giving up your password, the attacker still can't log in without your second factor, like a code on your phone or a fingerprint.
Social Engineering (Unit 5)
Phishing is the most common form of social engineering, which means manipulating people rather than hacking systems. If a question describes tricking, impersonating, or pressuring a person into giving up information, you're in social engineering territory, and phishing is usually the specific technique.
Personally Identifiable Information / PII (Unit 5)
Phishing is the attack; PII is the prize. EK IOC-2.A.1 lists exactly what attackers are fishing for, including Social Security numbers, phone numbers, and financial and medical information. Knowing what counts as PII helps you spot why a phishing scenario is dangerous.
AP CSP tests phishing through multiple-choice scenario questions (there's no written FRQ on the exam, just the Create performance task, so this is pure MCQ material). The classic stem describes a situation and asks you to name the attack or pick the best defense. For example, an email that appears to come from a legitimate bank directs users to a fake login page, or emails pretending to be from the IT department ask employees to verify their credentials. Both are phishing. Your job is to (1) recognize phishing from the description, (2) distinguish it from keylogging, rogue access points, and other unauthorized-access methods, and (3) match it to the right protection, usually multifactor authentication, caution with suspicious links, and never entering credentials on pages reached through unsolicited messages.
Both steal personal information like passwords, but the mechanism is opposite. Phishing tricks the user into willingly typing their info into a fake site or replying to a fake message, so the attack works through deception. Keylogging is malicious software installed on a device that silently records every keystroke, so the user never agrees to anything. Quick test for MCQs: if the scenario involves a fake email or fake website, it's phishing; if it involves a program recording what you type, it's keylogging.
Phishing is a technique that tricks a user into providing personal information, which attackers then use to access sensitive online resources like bank accounts and emails (EK IOC-2.C.1).
Phishing targets people, not technology; the fake email or website works only because a human is fooled into handing over their credentials.
On the exam, a scenario with a fake email directing users to a counterfeit login page is phishing, while a program recording keystrokes is keylogging.
Multifactor authentication is the go-to defense, because a stolen password alone isn't enough to log in when a second piece of evidence is required.
Phishing connects all three parts of Topic 5.6: it steals PII (5.6.A), is blocked by authentication measures (5.6.B), and is a named method of unauthorized access (5.6.C).
Phishing is a technique that attempts to trick a user into providing personal information by posing as a trustworthy source, often through fake emails or websites. Per EK IOC-2.C.1, that stolen information can then be used to access sensitive online resources like bank accounts and emails.
Not really. Phishing doesn't break into a system through code or technical exploits; it manipulates a person into voluntarily giving up their credentials. The AP CSP CED classifies it as one way unauthorized access is gained, but the vulnerability it exploits is human trust, not software.
Phishing tricks you into typing your information into a fake site, while keylogging uses a program to secretly record every keystroke you make. Both appear in EK IOC-2.C as unauthorized-access methods, and MCQs love asking you to tell them apart based on the scenario.
It doesn't stop the phishing email from arriving, but it limits the damage. Per EK IOC-2.B.3, multifactor authentication requires at least two separate pieces of evidence to log in, so an attacker with just your phished password still can't get into your account.
Yes. Phishing is explicitly named in essential knowledge statement IOC-2.C.1 under Topic 5.6 Safe Computing, and it shows up in multiple-choice questions asking you to identify the attack in a scenario or choose the best way to protect against it.