A penetration tester calls a staff member for her target organization and introduces herself as a member of the IT support team. She inquires if the staff member has addressed a problem with their system, then proceeds to ask for details about the individual, claiming she needs to verify that she is talking to the right person. Which of the following types of social engineering attack is this?

Pretexting is a type of social engineering that involves using a false motive and lying to obtain information. Here, the penetration tester lied about their role and why they are calling (impersonation), and then built some trust with the user before asking for personal information. A watering hole attack leverages a website that the targeted users all use and places malware on it to achieve their purpose. Prepending is described by CompTIA as “adding an expression or a phrase,” and shoulder surfing involves looking over an individual’s shoulder or otherwise observing them entering sensitive information like passwords.