How do attackers trick people instead of computers?
Understand social engineering, including phishing, shouldering and pretexting, and why people are often the weakest point in security.
A focused answer to AQA GCSE Computer Science 3.6, covering social engineering, including phishing, shouldering and pretexting, and why people are often the weakest point in security.
Reviewed by: AI editorial process; not yet individually human-reviewed
What this dot point is asking
AQA wants you to explain social engineering, describe forms such as phishing, shouldering and pretexting (blagging), and explain why people are often the weakest point in security.
What social engineering is
Phishing
Phishing works by combining a trusted appearance with pressure: the message looks official and often creates urgency ("your account will be locked") so the victim acts before checking. Warning signs include a mismatched sender address, poor spelling, unexpected requests for personal details, and links whose real destination differs from the claimed site.
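The warning signs listed above can be turned into a simple checker. This is an added example, not code from the page or from AQA: it applies the page's signs (mismatched sender domain, urgency wording, link text naming a different site from the real destination, requests for personal details) to two constructed sample emails and reports what it finds.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Phrases the page names as pressure tactics, and as requests for details.
URGENCY = ("account will be locked", "account will be closed", "immediately")
DETAILS_RE = re.compile(r"\b(password|card number|pin)\b")
LINK_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)

def same_site(host, claimed):
    """True if host is the claimed domain or a subdomain of it."""
    host, claimed = host.lower(), claimed.lower()
    return host == claimed or host.endswith("." + claimed)

def phishing_signs(raw, claimed_domain):
    """Return the warning signs found in a raw email; [] means none found."""
    msg = message_from_string(raw)
    body = msg.get_payload()          # single-part message: body is a string
    lower = body.lower()
    signs = []
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1]
    if not same_site(sender_domain, claimed_domain):
        signs.append(f"sender domain {sender_domain!r} is not {claimed_domain!r}")
    hit = next((p for p in URGENCY if p in lower), None)
    if hit:
        signs.append(f"urgency wording: {hit!r}")
    for href, text in LINK_RE.findall(body):
        real = urlparse(href).hostname or ""
        shown = re.sub(r"<[^>]+>", "", text).strip()   # visible link text
        if "." in shown and not same_site(real, shown.removeprefix("www.")):
            signs.append(f"link shows {shown!r} but goes to {real!r}")
    if DETAILS_RE.search(lower):
        signs.append("asks for personal details")
    return signs

# Constructed samples (hypothetical domains), one phishing and one genuine.
PHISH = """\
From: "Example Bank" <security@example-bank-login.net>
Subject: Urgent: verify your account
Content-Type: text/html

<p>Your account will be locked unless you confirm your password today.</p>
<p><a href="http://example-bank-login.net/verify">www.example-bank.com</a></p>
"""
GENUINE = """\
From: Example Bank <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<p>Your statement is ready to view in online banking.</p>
<p><a href="https://www.example-bank.com/statements">www.example-bank.com</a></p>
"""
```

The phishing sample trips all four signs while the genuine one trips none; a real filter would add many more rules, but the check for each sign is the same comparison a careful reader makes by eye.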
Shouldering and pretexting
Why people are the weakest point
Why social engineering is so effective
Social engineering works because it bypasses technical defences entirely. A firewall, strong passwords and encryption cannot help if a user is persuaded to hand over their password or click a malicious link of their own accord. Attackers exploit natural human tendencies: trust in authority (pretending to be IT support or a manager), helpfulness (wanting to assist a colleague in a hurry), fear (a message warning the account will be closed), and curiosity (an enticing link). Because the weakness is human rather than technical, the strongest defence is education: training people to be sceptical of unexpected requests, to verify identities through a known channel, and never to share passwords, supported by technical aids such as spam filters.
Try this
Q1. State what social engineering is. [2 marks]
- Cue. Tricking or manipulating people into giving away information or access, rather than attacking the technology directly.
Q2. Describe what phishing is. [2 marks]
- Cue. Fake emails or messages pretending to be from a trusted source to trick someone into revealing details such as passwords.
Exam-style practice questions
Practice questions written in the style of AQA exam questions on this dot point, with worked answer explainers. The year tag is the paper they imitate, not the source.
AQA 2019 (4 marks). Describe what phishing is, and explain two things a user could look for to spot a phishing email.
Phishing sends fake emails or messages that pretend to be from a trusted organisation, such as a bank, to trick the victim into revealing details such as passwords or card numbers, often by clicking a link to a fake website.
Two signs to look for: the sender's email address does not match the genuine organisation (a slightly wrong or unofficial domain), and the message creates urgency or threats ("your account will be closed") to rush the user; other valid signs are poor spelling and grammar, an unexpected request for personal details, and links whose address does not match the claimed site.
Markers reward a correct description of phishing and two distinct, sensible warning signs.
AQA 2022 (4 marks). Explain why people are often described as the weakest point in cyber security, and describe two ways an organisation could reduce this risk.
People are the weakest point because, unlike a well-configured system that follows fixed rules, people can be fooled, distracted or pressured into mistakes, so attackers target them through social engineering (phishing, pretexting, shouldering) rather than attacking the technology directly.
Two ways to reduce the risk: provide regular user training and awareness so staff can recognise and report phishing and pretexting attempts; and enforce policies such as never sharing passwords and verifying requests through a known channel before acting. Technical aids such as spam filters also help.
Markers reward the reason (humans can be manipulated, unlike systems) and two distinct, practical risk-reduction measures, with training being central.
Related dot points
- Understand the main cyber security threats, including the difference between vulnerabilities and attacks, and forms such as brute-force and denial-of-service attacks.
  A focused answer to AQA GCSE Computer Science 3.6, covering the main cyber security threats, the difference between vulnerabilities and attacks, and forms such as brute-force and denial-of-service attacks.
- Understand what malware is and the main forms, including viruses, worms, trojans, spyware and ransomware, and the harm each can cause.
  A focused answer to AQA GCSE Computer Science 3.6, covering what malware is and the main forms (viruses, worms, trojans, spyware and ransomware) and the harm each can cause.
- Understand the methods used to detect and prevent cyber security threats, including penetration testing, anti-malware, firewalls, user access levels, passwords and encryption.
  A focused answer to AQA GCSE Computer Science 3.6, covering the methods used to detect and prevent cyber security threats, including penetration testing, anti-malware, firewalls, user access levels, passwords and encryption.
- Understand the methods used to keep a network secure, including authentication, encryption, firewalls and MAC address filtering.
  A focused answer to AQA GCSE Computer Science 3.5.4, covering the methods used to keep a network secure, including authentication, encryption, firewalls and MAC address filtering.
Sources & how we know this
- AQA GCSE Computer Science (8525) specification — AQA (2020)