If you are studying for Security+, phishing questions are not asking whether you know phishing is bad. They test whether you can read a messy scenario, spot the social engineering pattern, and pick the safest next step without overreacting.

Use these practice questions to drill that skill. Read the scenario first, choose an answer, then check the explanation. The goal is not memorizing trivia. The goal is building the reflex Security+ wants: identify the attack, preserve evidence, verify through a trusted channel, and report through the right process.

For broader prep, pair this with the Security+ study plan template, the Security+ career path guide, and the beginner cybersecurity certifications guide.

Quick answer: what to know for phishing questions

Most Security+ phishing scenarios come down to a few patterns:

Clue in the question                                                  Likely concept
Urgent email from a bank, vendor, payroll, or Microsoft 365           Phishing
Targeted message using job title, manager name, or company project    Spear phishing
Executive or high-value employee targeted                             Whaling
Text message with malicious link                                      Smishing
Phone call pretending to be IT, HR, bank, or vendor                   Vishing
QR code leading to a fake login page                                  Quishing / QR phishing
Fake login page capturing MFA code                                    Credential harvesting / adversary-in-the-middle
Employee clicked a link                                               Report, isolate if needed, reset credentials if exposed, preserve evidence

The exam usually rewards the boring professional answer. Do not click the link to “investigate.” Do not reply to the attacker. Do not delete the message before reporting it. Do not format the user’s laptop because one suspicious email appeared. Pick the measured response.

Practice question 1: fake password reset

A help desk technician receives a message that appears to come from the company’s Microsoft 365 portal. The email says the technician’s mailbox will be disabled in one hour unless they reset their password using the provided link. The sender address is [email protected].

What type of attack is most likely occurring?

A. Tailgating
B. Phishing
C. Watering hole attack
D. Dumpster diving

Answer: B. Phishing

The message uses urgency, impersonates a trusted service, and pushes the user to click a login link. The misspelled domain is another clue. Tailgating is physical access. A watering hole attack compromises a site the victim already visits. Dumpster diving is physical information gathering.

Practice question 2: targeted finance request

A payroll specialist receives an email that appears to come from the CFO. It references an internal payroll project by name and asks the specialist to change an employee’s direct deposit account before the next payroll run.

Which term best describes this attack?

A. Spear phishing
B. Smishing
C. Bluejacking
D. Evil twin

Answer: A. Spear phishing

This is targeted. The attacker uses the victim’s role, an internal project, and a believable business process. Smishing uses SMS/text messages. Bluejacking involves sending unsolicited messages over Bluetooth. Evil twin attacks involve fake wireless access points.

Practice question 3: executive target

An attacker sends a realistic DocuSign email to the CEO and general counsel during an acquisition. The link leads to a fake authentication page designed to capture credentials.

What is the best classification?

A. Whaling
B. Pharming
C. Shoulder surfing
D. Privilege creep

Answer: A. Whaling

Whaling is phishing aimed at executives or other high-value targets. The acquisition detail makes it more believable, but the executive targeting is the key clue. Pharming redirects users to fraudulent sites through DNS or hosts-file manipulation rather than a lure message. Shoulder surfing is physically observing sensitive information. Privilege creep is excessive access accumulating over time.

Practice question 4: suspicious QR code

Employees find flyers in the break room advertising a “mandatory benefits update.” The flyers include a QR code that opens a fake HR login page.

What should the security team do first?

A. Scan the QR code on a personal phone to see where it goes
B. Remove the flyers and report the campaign through the incident process
C. Email all employees the QR code and ask if anyone used it
D. Disable the corporate Wi-Fi network

Answer: B. Remove the flyers and report the campaign through the incident process

Do not interact with suspicious links or QR codes from a normal device. The practical first move is to remove the bait, preserve/report the evidence, and start the incident workflow. Disabling Wi-Fi is not proportional. Sending the QR code to everyone makes the problem worse.

Practice question 5: credentials entered on a fake page

A user reports that they clicked a link in a suspicious email and entered their password on a login page. They are still logged into their workstation and can access email.

What is the best next step?

A. Delete the email so no one else can click it
B. Reset the user’s password and revoke active sessions according to policy
C. Reinstall the operating system immediately
D. Ignore it because the user still has access

Answer: B. Reset the user’s password and revoke active sessions according to policy

The likely exposure is credentials. Resetting the password and revoking sessions limits account takeover. Both steps matter: a password change alone does not invalidate sessions or refresh tokens the attacker may already have obtained with the stolen password, so the session revocation is what actually evicts them. The email should be reported and preserved, not simply deleted. Reimaging may be needed if malware executed, but the scenario only says credentials were submitted. Ignoring it is how small incidents become Monday morning war stories.

Practice question 6: phone call from “IT”

A remote employee receives a call from someone claiming to be from internal IT. The caller says the employee’s VPN profile is broken and asks for the MFA code that just appeared on their phone.

Which attack is this?

A. Vishing
B. Cross-site scripting
C. Replay attack
D. LDAP injection

Answer: A. Vishing

Vishing is voice phishing. Asking for an MFA code is a giant red flag. Real IT should not need the user’s MFA code. There is a second clue worth noticing: an MFA prompt the user did not trigger means someone has already entered the user’s password, so the follow-up should include a password reset, not just hanging up. Cross-site scripting and LDAP injection are application attacks. Replay attacks reuse captured authentication data, but the phone-based social engineering is the main concept here.

Practice question 7: text message delivery notice

A user receives a text message claiming a package could not be delivered. The link opens a fake shipping page asking for a small redelivery fee and payment card details.

What is the best term?

A. Smishing
B. Typosquatting
C. Pretexting
D. Invoice fraud

Answer: A. Smishing

Smishing is phishing over SMS/text. There may also be pretexting because the attacker invented a delivery story, but the delivery method is the best answer here. Security+ questions often include several true-ish details; pick the term most directly matching the scenario.

Practice question 8: malicious attachment

An employee receives an email from a fake vendor invoice address. The attachment is named Invoice-May2026.xlsm and asks the user to enable macros to view payment details.

What is the main risk?

A. The attachment may execute malicious code if macros are enabled
B. The file extension proves the invoice is legitimate
C. The email is safe because invoices commonly use spreadsheets
D. The user should forward it to coworkers for confirmation

Answer: A. The attachment may execute malicious code if macros are enabled

Macro-enabled Office files have long been abused for malware delivery, and current Office versions block macros in files downloaded from the internet by default, which is exactly why the lure coaches the user through enabling them. The .xlsm extension does not prove a file is malicious by itself, but “enable macros to view the invoice” is the trap. Forwarding suspicious attachments spreads risk.
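As an added example, not code from the original article: the practical way to answer “does this attachment actually carry macros?” is to look inside the file rather than trust its extension. Office Open XML files are zip archives, and a VBA project lives in a vbaProject.bin part. The two sample attachments below are constructed in memory for the demo and are not real workbooks; the lure phrases and file names are assumptions.

```python
"""Inspect an Office attachment for VBA by content, not by extension.

Added example for the macro-attachment question. Sample files are built
in memory so the script runs offline; they are not valid workbooks.
"""
import io
import zipfile

# Office Open XML keeps VBA in vbaProject.bin under the application folder.
VBA_PARTS = {"xl/vbaProject.bin", "word/vbaProject.bin", "ppt/vbaProject.bin"}
MACRO_EXTENSIONS = {"xlsm", "xltm", "xlam", "docm", "dotm", "pptm", "potm", "ppam"}
# Phrases that coach the user past Office's macro block (assumed list).
LURE_PHRASES = ("enable macros", "enable content", "enable editing")


def inspect_office_attachment(filename: str, data: bytes) -> dict:
    """Return whether the bytes are OOXML, whether VBA is present, and
    whether the extension claims to be macro-free while VBA is inside."""
    verdict = {
        "filename": filename,
        "is_ooxml": False,
        "has_vba": False,
        "content_type_macro": False,
        "extension_mismatch": False,
    }
    if not data.startswith(b"PK\x03\x04"):  # not a zip container at all
        return verdict
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
            if "[Content_Types].xml" not in names:
                return verdict
            verdict["is_ooxml"] = True
            verdict["has_vba"] = any(part in names for part in VBA_PARTS)
            content_types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
            # e.g. application/vnd.ms-excel.sheet.macroEnabled.main+xml
            verdict["content_type_macro"] = "macroEnabled" in content_types
    except zipfile.BadZipFile:
        return verdict
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    # A .xlsx that carries VBA is a renamed macro file: worth flagging on its own.
    verdict["extension_mismatch"] = verdict["has_vba"] and ext not in MACRO_EXTENSIONS
    return verdict


def body_has_macro_lure(body: str) -> bool:
    """True when the message text tells the user to switch macros on."""
    text = body.lower()
    return any(phrase in text for phrase in LURE_PHRASES)


def should_escalate(verdict: dict, body: str) -> bool:
    """Escalate when the file carries VBA or the body coaches the user to enable it."""
    return bool(verdict["has_vba"] or verdict["content_type_macro"] or body_has_macro_lure(body))


def build_sample(with_vba: bool) -> bytes:
    """Constructed OOXML-shaped zip for the demo: minimal parts, placeholder VBA blob."""
    main_ct = (
        "application/vnd.ms-excel.sheet.macroEnabled.main+xml"
        if with_vba
        else "application/vnd.openxmlformats-officedocument.spreadsheetml.sheet.main+xml"
    )
    content_types = (
        '<?xml version="1.0" encoding="UTF-8"?>'
        '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
        f'<Override PartName="/xl/workbook.xml" ContentType="{main_ct}"/>'
        + ('<Override PartName="/xl/vbaProject.bin" '
           'ContentType="application/vnd.ms-office.vbaProject"/>' if with_vba else "")
        + "</Types>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", content_types)
        zf.writestr("xl/workbook.xml", "<workbook/>")
        if with_vba:
            # Real vbaProject.bin is an OLE compound file; only the header is mimicked here.
            zf.writestr("xl/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    samples = [
        ("Invoice-May2026.xlsm", build_sample(True), "Please enable macros to view payment details."),
        ("Invoice-May2026.xlsx", build_sample(True), "Invoice attached, see totals."),
        ("Report.xlsx", build_sample(False), "Quarterly report attached."),
    ]
    for name, blob, body in samples:
        v = inspect_office_attachment(name, blob)
        print(name, v, "escalate:", should_escalate(v, body))
```

The second sample is the case the extension check misses: a file renamed to .xlsx that still contains xl/vbaProject.bin. Office decides what to do based on the container, not the name, so the inspection has to as well.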

Practice question 9: lookalike domain

A user reports an email from [email protected]. The final character before .example is an uppercase “I” instead of a lowercase “l.” The email asks the user to verify payment information.

Which technique is being used?

A. Homograph or lookalike domain spoofing
B. Wardriving
C. MAC flooding
D. Credential stuffing

Answer: A. Homograph or lookalike domain spoofing

Attackers use lookalike domains and confusing characters to make malicious senders look familiar. Credential stuffing replays username and password pairs leaked from one service against other services where people reused them. Wardriving searches for wireless networks. MAC flooding attacks switches.
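One way to automate the check this question asks you to do by eye, as an added example that is not part of the original article: fold confusable characters into a canonical “skeleton” and compare against a trusted-domain list. The trusted domains, sender address and URL are constructed for the demo, and the confusables table covers only a handful of common swaps (a production check would use the full Unicode confusables data). The defang helper is there so the analyst can paste the indicator into a ticket without anyone clicking it, which is the same “do not interact with the bait” rule the rest of the page teaches.

```python
"""Lookalike-domain check for phishing triage.

Added example for the lookalike-domain question. Trusted domains and
samples are assumptions; the confusables list is deliberately small.
"""
import unicodedata
from urllib.parse import urlsplit

# Assumed trusted domains; a real deployment loads the organisation's own
# domains and key vendors from configuration.
TRUSTED_DOMAINS = {"vendor.example", "payroll.example", "corp.example"}

# Glyph swaps attackers rely on. Order matters: multi-character swaps first.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("i", "l"), ("|", "l"), ("5", "s")]


def skeleton(domain: str) -> str:
    """Canonical form in which confusable spellings collide.

    Lowercasing first turns the uppercase I from the question into i, which
    the table then folds into l, so 'exampIe' and 'example' produce the same
    skeleton. Accents are stripped so 'exämple' collides too."""
    text = unicodedata.normalize("NFKD", domain)
    text = "".join(ch for ch in text if not unicodedata.combining(ch))
    text = text.lower()
    for src, dst in CONFUSABLES:
        text = text.replace(src, dst)
    return text


def classify_domain(domain: str) -> str:
    """'trusted', 'lookalike' or 'unknown' relative to TRUSTED_DOMAINS."""
    domain = domain.lower().rstrip(".")
    for trusted in TRUSTED_DOMAINS:
        if domain == trusted or domain.endswith("." + trusted):
            return "trusted"  # the domain itself or a real subdomain of it
    sk = skeleton(domain)
    for trusted in TRUSTED_DOMAINS:
        if skeleton(trusted) == sk:
            return "lookalike"  # e.g. vendor.exampIe or vend0r.example
        if trusted in domain:
            return "lookalike"  # e.g. vendor.example.secure-login.test
    return "unknown"


def sender_domain(address: str) -> str:
    """Domain part of an email address, lowercased."""
    return address.rsplit("@", 1)[-1].strip().lower()


def url_host(url: str) -> str:
    """Host part of a URL, extracted without ever fetching it."""
    return (urlsplit(url).hostname or "").lower()


def defang(text: str) -> str:
    """Make a URL or address safe to paste into a ticket (no auto-linking)."""
    return text.replace("http", "hxxp").replace(".", "[.]").replace("@", "[@]")


def triage(sender: str, link: str) -> dict:
    """Summarise what the analyst needs without opening the link."""
    return {
        "sender_domain": classify_domain(sender_domain(sender)),
        "link_host": classify_domain(url_host(link)),
        "report_as": f"{defang(sender)} -> {defang(link)}",
    }


if __name__ == "__main__":
    # Constructed sample: capital I for lowercase l in the sender, and a link
    # whose host merely embeds the trusted name in front of an unrelated domain.
    print(triage("billing@vendor.exampIe", "https://vendor.example.secure-login.test/verify"))
```

The two lookalike forms handled here are the ones that show up most in tickets: a character swap inside the trusted name, and the trusted name used as a leading label on a domain the attacker controls. Both are missed by a naive `domain == trusted` comparison.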

Practice question 10: best user training advice

A company wants to reduce successful phishing attacks. Which guidance is most useful for end users?

A. Never open any email from outside the company
B. Verify unusual requests through a known trusted channel before acting
C. Reply to suspicious messages and ask whether they are real
D. Click links only if the email has the company logo

Answer: B. Verify unusual requests through a known trusted channel before acting

The real world still requires email. “Never open outside email” is not usable for most companies. Logos are easy to copy. Replying to the suspicious message keeps you inside the attacker’s channel. A known trusted channel means using a number, chat, ticket, or bookmarked site you already trust.

How to study these without fooling yourself

Do not just read the answer key and nod. That feels productive and teaches almost nothing.

Use this routine instead:

  1. Cover the explanation.
  2. Answer the question.
  3. Say why the other answers are wrong.
  4. Rewrite one detail that would change the answer.
  5. Create one workplace version from your own experience.

That last step matters. If you work help desk, you have probably seen fake Microsoft 365 messages, payroll scams, gift card requests, shipping texts, or vendor invoice weirdness. Turn those into study reps.

Common exam traps

Trap 1: choosing the most dramatic response

Security exams love reasonable containment. They do not love panic. If the scenario says a user received an email and did not click, the answer is probably reporting and analysis, not wiping a laptop.

Trap 2: confusing delivery method with technique

A text message is smishing. A phone call is vishing. A targeted email is spear phishing. An executive target is whaling. A fake story used to manipulate someone is pretexting. Many attacks overlap, but the question wording usually points to one best term.

Trap 3: investigating from your normal account

Do not click suspicious links from your daily workstation or personal phone. In real environments, security teams use controlled analysis tooling. On the exam, “click it to check” is usually wrong.

Trap 4: deleting evidence

Users love deleting scary emails. Security teams hate losing evidence. Report first. Let the process handle removal, blocking, and search across mailboxes.

What to review next

If phishing questions feel easy, move into adjacent topics:

  • Authentication and MFA controls
  • Email security controls like SPF, DKIM, and DMARC
  • Security awareness training
  • Incident response steps
  • Log review and account activity checks

If you want more hands-on support skills around investigation, build a small lab and document what you learn. The home lab resume guide shows how to turn practice into something employers can understand. For networking-heavy practice, use the Network+ subnetting practice questions as a second drill set.

FAQ

Are phishing questions enough to pass Security+?

No. They are one slice of the exam. You still need networking, architecture, identity, risk, operations, cryptography basics, and incident response. But phishing is a high-value area because it connects terminology to real workplace behavior.

Should I memorize every phishing subtype?

Know the common ones: phishing, spear phishing, whaling, vishing, smishing, and QR-code phishing. More importantly, practice reading the scenario carefully. The delivery method and target usually reveal the answer.

What is the safest answer when a user reports a phishing email?

If they did not click, report and preserve it through the approved process. If they entered credentials, reset credentials and revoke sessions according to policy. If malware may have run, escalate for containment and endpoint investigation.

What is the biggest real-world mistake beginners make?

They try to investigate from their normal device. Curiosity is useful. Clicking attacker links from your daily account is not. Be boring, careful, and process-driven.

Bottom line

Security+ phishing questions reward practical judgment. Identify the social engineering pattern, avoid interacting with the bait, preserve evidence, and use the incident process. That is not glamorous, but neither is explaining to your manager that you clicked the fake payroll link “for research.”

If you are building your Security+ plan, start with the Security+ study plan template and use practice sets like this to find weak spots before exam day.