Spec & Goals 3 min
AQA Spec 3.6.1.2 — Social engineering: blagging, phishing, pharming, shouldering
By the end of this lesson you can:
- Define social engineering.
- Describe blagging, phishing, pharming and shouldering.
- State how each can be protected against.
Warm-Up 5 min
Last lesson you learned the human is often the weakest link. Social engineering is the set of tricks attackers use to exploit exactly that.
Quick starter
A text message says: "Your parcel is held. Pay RM 2.00 to release it: [link]." What two tricks is the sender using on you?
Reveal the idea
Urgency ("held") and a small, believable request (RM 2.00) lower your guard so you click without thinking. That's phishing.
Key Concept — hacking the human 14 min
Social engineering is the art of manipulating people into giving away confidential information or access, rather than attacking the technology.
The four forms AQA examines
| Form | What it is | Protect against it by… |
|---|---|---|
| Blagging (pretexting) | Inventing a convincing scenario / pretending to be someone (e.g. "IT support") to get information. | Verify identity before sharing anything; never give details to unsolicited callers. |
| Phishing | Fake emails/texts pretending to be a trusted organisation, with a link to a fake site, to steal logins/details. | Check the sender and link; don't click unexpected links; banks never ask for passwords by email. |
| Pharming | Redirecting a user from a real website address to a fake copy (often via malicious code), to harvest details. | Check for HTTPS and the padlock; keep software updated; type addresses yourself. |
| Shouldering (shoulder surfing) | Watching over someone's shoulder as they type a PIN or password. | Shield the keypad; be aware of who is nearby at ATMs/keypads. |
Worked Example — spot the attack 12 min
Problem: For each scenario, name the social-engineering technique and give one way to protect against it.
| Scenario | Technique | Protection |
|---|---|---|
| A caller says "I'm from the bank's fraud team — confirm your card PIN." | Blagging | Hang up and call the bank back on its official number; banks never ask for a full PIN. |
| An email "from Maybank" warns the account is locked; a link leads to a look-alike login page. | Phishing | Check the sender/link; go to the site directly, not via the email link. |
| Priya types the right web address but lands on a fake bank site that steals her login. | Pharming | Check for HTTPS / the padlock; keep the browser and security software updated. |
| Someone behind Arjun at the ATM watches him enter his PIN. | Shouldering | Cover the keypad with your hand; check no one is too close. |
Try It Yourself 12 min
Goal: Define social engineering.
Goal: Describe the difference between phishing and blagging.
Goal: Write a checklist a school could give students to avoid phishing.
Hint: sender, links, urgency, asking for passwords.
📝 Exam Practice 10 min
Define the term social engineering.
Mark scheme
- Manipulating / tricking people into revealing confidential information or giving access (1).
Describe what happens in a phishing attack.
Mark scheme
- A fake message/email appears to be from a trusted source / organisation (1).
- It tricks the victim into revealing personal details / clicking a link to a fake site (1).
A company is worried about social engineering. Explain two forms it could take and how the company could protect against each.
Mark scheme
Two forms, each with a matching protection (1 + 1 per form), e.g.:
- Phishing — fake emails (1); train staff to check senders/links and not click unexpected links (1).
- Blagging — impersonating IT/management (1); verify identity before sharing information / call-back policy (1).
- (Also accept pharming or shouldering with matching protection.)
Recap & Key Terms 3 min
Social engineering tricks people, not technology. Blagging invents a false scenario; phishing uses fake messages with links; pharming redirects you to a fake site; shouldering watches you type. Defend by verifying identity, checking senders and links, using HTTPS, and shielding keypads.
- Social engineering: Tricking people into revealing confidential information or granting access.
- Blagging: Inventing a false scenario or identity to obtain information.
- Phishing: Fake messages from a seemingly trusted source to steal personal details.
- Pharming: Redirecting a user to a fake website to harvest their details.
- Shouldering: Watching over someone's shoulder to steal a PIN or password.
Homework 1 min
Task (≤ 15 min): Design a phishing email that pretends to be from a delivery company — then annotate it with three "red flags" that would help someone spot it as fake.
Model answer (red flags)
Three giveaways to label: (1) the sender's address doesn't match the real company / is misspelled; (2) urgent threat ("parcel will be returned today"); (3) a link to a non-official web address asking for a login or payment. Also accept: poor spelling/grammar; generic greeting ("Dear customer").
Award marks for: three valid red flags (3).
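The student checklist from Try It Yourself (sender, links, urgency, asking for passwords) and the homework's red flags, written up as a small checker run over two constructed messages. This is an added example, not part of the lesson or the exam board's material; the organisation domain, the word lists and both sample messages are invented placeholders.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Hypothetical organisation the messages claim to come from (constructed, not a real domain).
CLAIMED_DOMAIN = "parcelco.example"

# Word lists are an assumption; a real mail filter would use a larger, tuned set.
URGENCY_RE = re.compile(r"\b(immediately|today|within 24 hours|locked|suspended|held|returned)\b")
CREDENTIAL_RE = re.compile(r"\b(password|pin|passcode|login details)\b")
URL_RE = re.compile(r"https?://[^\s\"'<>)]+")

def belongs_to(host, org_domain):
    """True if host is the organisation's domain or a subdomain of it."""
    return host == org_domain or host.endswith("." + org_domain)

def red_flags(from_header, body, org_domain=CLAIMED_DOMAIN):
    """Return the checklist items a reader should notice: sender, links, urgency, passwords."""
    flags = []
    # 1. Sender: the address after the display name must belong to the claimed organisation.
    _display, addr = parseaddr(from_header)
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not belongs_to(sender_domain, org_domain):
        flags.append(f"sender domain '{sender_domain}' is not {org_domain}")
    # 2. Links: every URL in the body must also belong to the claimed organisation.
    for url in URL_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not belongs_to(host, org_domain):
            flags.append(f"link goes to '{host}', not {org_domain}")
    # 3. Urgency: pressure to act now lowers the reader's guard.
    text = body.lower()
    if URGENCY_RE.search(text):
        flags.append("urgent or threatening wording")
    # 4. Credentials: genuine organisations do not ask for passwords or PINs by message.
    if CREDENTIAL_RE.search(text):
        flags.append("asks for a password, PIN or login details")
    return flags

# Constructed sample messages (not real mail) modelled on the lesson's parcel scenario.
SAMPLE_PHISH = {
    "from_header": '"ParcelCo Delivery" <support@parcelco-release.example>',
    "body": ("Your parcel is held. Pay RM 2.00 today to release it: "
             "http://parcelco-release.example/pay or it will be returned. "
             "Enter your login details to continue."),
}
SAMPLE_LEGIT = {
    "from_header": '"ParcelCo" <noreply@parcelco.example>',
    "body": "Your parcel is on its way. Track it at https://track.parcelco.example/t/123.",
}

if __name__ == "__main__":
    for name, msg in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, red_flags(msg["from_header"], msg["body"]))
```

The phishing sample trips all four checklist items, while the genuine notice (matching sender domain, link on a subdomain of the organisation, no pressure, no credential request) trips none.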