Phishing

Phishing is a social engineering attack in which an adversary uses deceptive emails or messages to manipulate a victim into revealing sensitive information, downloading malware, or clicking a malicious link.

Verified for the 2027 AP Cybersecurity exam. Last updated June 2026.

What is phishing?

Phishing is a type of social engineering, the broad category of attacks that use psychological tricks instead of code to break in. The attacker sends a message (usually email, but also text or social media) pretending to be someone you trust, like your bank, your boss, or a service you use. The goal is to get you to do something risky: hand over a password, click a link, or download a file (EK 1.1.A.1).

What makes phishing work isn't tech, it's you. Attackers lean on urgency and intimidation to rush you past your own common sense. A classic phishing email says something like "Your account will be deleted in two hours unless you verify your password." That deadline pressure (urgency) and the threat of losing your account (intimidation) push you to act before you stop and ask, "wait, is this real?" (EK 1.1.A.2, EK 1.1.B.3).
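The cues this paragraph describes (a deadline, a threat to the account, a request for a password, and a message that claims to come from somewhere it does not) can be turned into a simple red-flag checker. The following is an added example for readers who want to see those cues as code; it is not part of the study guide or the exam materials. The scoring weights, phrase lists and the two sample messages are all constructed for illustration, and this is a teaching heuristic, not a real mail filter.

```python
"""Heuristic phishing red-flag scorer (illustrative; not a production filter).

Scores a message on the cues described above: urgency, intimidation, a
request for credentials, a link whose visible text points somewhere other
than its real destination, and a sender display name that does not match
the sending domain. All weights and sample messages are constructed.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Phrase lists are examples, not an exhaustive or authoritative set.
URGENCY = [r"\bwithin \d+ (hours?|minutes?)\b", r"\bimmediately\b",
           r"\bright away\b", r"\btoday\b", r"\burgent\b"]
INTIMIDATION = [r"\bwill be (deleted|suspended|locked|closed)\b",
                r"\bpermanently\b", r"\blegal action\b", r"\bunauthori[sz]ed\b"]
CREDENTIAL = [r"\bverify your (password|account|identity)\b",
              r"\b(password|pin|one-time (code|password)|account number)\b"]

ANCHOR = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SENDER = re.compile(r'^\s*"?([^"<]*?)"?\s*<([^>]+)>\s*$')
GENERIC_NAME_WORDS = {"team", "support", "security", "service",
                      "alert", "alerts", "customer"}


@dataclass
class Verdict:
    score: int = 0
    flags: list = field(default_factory=list)


def _hits(patterns, text):
    """Return the patterns that occur anywhere in the text (case-insensitive)."""
    return [p for p in patterns if re.search(p, text, re.I)]


def _domain(url):
    return (urlparse(url).hostname or "").lower()


def _sender_parts(from_header):
    """Split 'Display Name <user@domain>' into (display name, domain)."""
    m = SENDER.match(from_header)
    if not m:
        return "", from_header.strip().lower()
    return m.group(1).strip().lower(), m.group(2).split("@")[-1].lower()


def score_message(from_header, subject, body_html):
    v = Verdict()
    text = f"{subject}\n{re.sub(r'<[^>]+>', ' ', body_html)}"
    # Psychological cues: urgency, intimidation, and a direct credential ask.
    for cue, patterns, weight in (("urgency", URGENCY, 2),
                                  ("intimidation", INTIMIDATION, 2),
                                  ("credential request", CREDENTIAL, 3)):
        found = _hits(patterns, text)
        if found:
            v.score += weight
            v.flags.append(f"{cue}: {len(found)} cue(s)")
    # Link mismatch: the visible text names one domain, the href goes elsewhere.
    for href, label_text in ANCHOR.findall(body_html):
        shown = re.search(r"[a-z0-9.-]+\.[a-z]{2,}", label_text, re.I)
        if shown and shown.group(0).lower() != _domain(href):
            v.score += 4
            v.flags.append(f"link text {shown.group(0)} -> {_domain(href)}")
    # Sender mismatch: display name claims a brand that is absent from the domain.
    name, domain = _sender_parts(from_header)
    brand_words = [w for w in re.findall(r"[a-z]{4,}", name)
                   if w not in GENERIC_NAME_WORDS]
    if brand_words and not any(w in domain for w in brand_words):
        v.score += 3
        v.flags.append(f"display name '{name}' vs sender domain {domain}")
    return v


# Constructed sample messages (not real mail).
PHISH_FROM = "First Bank Security <alerts@mail-verify.example>"
PHISH_SUBJECT = "Action required: account will be deleted"
PHISH_BODY = ('<p>Your account will be deleted within 2 hours unless you verify '
              'your password at <a href="http://login.mail-verify.example/fb">'
              'firstbank.example</a>.</p>')

LEGIT_FROM = "First Bank <notices@firstbank.example>"
LEGIT_SUBJECT = "Your monthly statement is ready"
LEGIT_BODY = ('<p>Your statement is available. Sign in at '
              '<a href="https://firstbank.example/statements">firstbank.example</a>'
              ' whenever convenient.</p>')

if __name__ == "__main__":
    for args in ((PHISH_FROM, PHISH_SUBJECT, PHISH_BODY),
                 (LEGIT_FROM, LEGIT_SUBJECT, LEGIT_BODY)):
        verdict = score_message(*args)
        print(args[1], "->", verdict.score, verdict.flags)
```

Run as a script, the constructed phishing sample trips all five checks (score 14), while the routine statement notice scores 0. The point of the example is the split: the first three checks are about the message's psychology (what the paragraph above calls urgency and intimidation), the last two are about whether the message is who it says it is, and real phishing usually fails on both.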

Why phishing matters in AP Cybersecurity

Phishing lives in Unit 1: Introduction to Security, specifically Topic 1.1 (Understanding Social Engineering). It's one of the first real attacks you'll learn, because it shows the core idea of cybersecurity: the human is often the weakest link. It directly supports three learning objectives. You identify it as a social engineering tactic (AP Cybersecurity 1.1.A), explain why it works on people (AP Cybersecurity 1.1.B), and describe the damage it causes (AP Cybersecurity 1.1.C). Knowing phishing cold sets you up for the rest of the course, because nearly every later attack starts with someone getting tricked into clicking.


How phishing connects across the course

Social Engineering (Unit 1)

Phishing is one specific flavor of social engineering. Think of social engineering as the whole toolbox and phishing as the most common tool in it, the one delivered by email.

Smishing and Spear Phishing (Unit 1)

Same trick, different delivery. Smishing is phishing over SMS text, and spear phishing is phishing aimed at one specific person using personal details to make the bait more convincing.

Urgency and Intimidation (Unit 1)

These are the psychological engines behind most phishing emails. Urgency makes you rush, intimidation makes you afraid, and both stop you from pausing to verify whether the message is real (EK 1.1.B.2, EK 1.1.B.3).

Impacts on Victims (Unit 1)

A successful phish can hand the attacker your one-time password, login code, or personal details used for security questions, which lets them impersonate you or install malware on your device (EK 1.1.C.1, EK 1.1.C.2, EK 1.1.C.3).

Is phishing on the AP Cybersecurity exam?

On multiple-choice questions, you'll get a scenario and have to name the tactic. For example, an email threatening to delete an account unless you verify your password "within two hours" is testing whether you can spot urgency and intimidation in a phishing message. Other stems describe an attacker pretending to be your bank to get your account number and PIN, and ask you to identify what's happening. Your job is to read the scenario, recognize the deceptive-message setup, and connect it to social engineering and the specific psychological tactic in play. Don't just label it "phishing"; be ready to explain why it works (the urgency or intimidation) and what the victim loses (sensitive info, a malware infection, or account access).

Phishing vs spear phishing

Phishing is the broad, mass version, the same generic email blasted to thousands of people. Spear phishing is targeted, crafted for one specific victim using personal details (like their name, job, or boss) to make the bait far more believable. Spear phishing is harder to spot precisely because it feels personal.

Key things to remember about phishing

  • Phishing is a social engineering attack that uses deceptive messages, usually email, to trick you into revealing sensitive info, clicking a malicious link, or downloading malware.

  • It works through psychology, not hacking, especially urgency (acting fast) and intimidation (fear of consequences).

  • Smishing is phishing over text, and spear phishing is phishing aimed at one specific, researched target.

  • A phishing victim can lose passwords, one-time codes, or personal details that let an attacker impersonate them or break into their accounts.

  • On the exam, read the scenario and identify both the tactic (phishing) and the psychological principle driving it (urgency or intimidation).

Frequently asked questions about phishing

What is phishing in AP Cybersecurity?

Phishing is a social engineering attack where an adversary sends a deceptive message, often email, to manipulate you into revealing sensitive information, clicking a malicious link, or downloading malware. It's covered in Unit 1, Topic 1.1.

Is phishing the same as social engineering?

No. Social engineering is the whole category of attacks that manipulate people psychologically, and phishing is just one specific type of it. All phishing is social engineering, but not all social engineering is phishing (in-person manipulation and phone calls count too).

How is phishing different from spear phishing?

Phishing is a broad attack sent to many people with generic bait. Spear phishing targets one specific victim using personal details to make the message far more convincing and harder to detect.

Why does phishing work on people?

It relies on psychological tactics like urgency and intimidation. Urgency makes you act fast without thinking, and intimidation uses fear of negative consequences, both of which stop you from pausing to check whether the message is legit (EK 1.1.B.2, EK 1.1.B.3).

What can happen if you fall for a phishing attack?

You might give up personal info used for security questions, hand over a one-time password or login code, or download malware. Any of these can let an attacker impersonate you, access your accounts, or infect your device (EK 1.1.C.1 through EK 1.1.C.3).
