Topic

3.6.2.1 Social engineering

GCSE Computer Science AQA

This resource covers 3.6.2.1 Social engineering for AQA GCSE Computer Science. It sits within the cyber security threats section and focuses on a very specific exam idea: students must understand that some attacks work by manipulating people, not by directly attacking hardware or software. That distinction matters, because many students can spot the word phishing but still describe it as generic hacking and hope the mark scheme feels generous.

For this specification point, teachers need students to define social engineering clearly, explain the required forms of social engineering, and describe sensible ways to protect against them. This page is designed to help you teach the topic tightly to the specification, anticipate the usual misconceptions, and mark answers with more confidence and less eyebrow-raising.


At a Glance

🧠 Specification context: AQA GCSE Computer Science, 3.6.2.1 Social engineering within 3.6.2 Cyber security threats

  • Students must know: what social engineering means

  • Students must know: how blagging (pretexting), phishing, and shouldering work

  • Students must know: how social engineering can be protected against

  • Key exam focus: accurate definition, precise examples, and explanation of how the attacker manipulates the victim

  • Common student challenges: calling everything “hacking”, mixing up phishing and pharming, and forgetting that shouldering is still a cyber security threat because confidential information is being obtained through observation


Understanding the Topic

Where this sits in the curriculum

In AQA GCSE Computer Science, this specification point sits inside the cyber security threats section. It is a focused subsection rather than a broad tour of all online scams. Students are expected to understand that social engineering is the art of manipulating people so they give up confidential information. The human being is the target, even when the final aim is access to a computer system, account, or network.

That matters in exams because stronger answers explain both parts:

  • the attacker tricks the person
  • the trick leads to confidential information being revealed or access being gained

What students need to know securely

  • Social engineering is about exploiting human behaviour such as trust, panic, urgency, helpfulness, or inattention
  • it is different from attacks that mainly exploit software weaknesses
  • the required forms for this specification point are:
    • blagging (pretexting)
    • phishing
    • shouldering (shoulder surfing)
  • students should also be able to explain straightforward ways to reduce the risk, such as staff awareness, checking identity, not sharing credentials, and being cautious with suspicious messages or visible passwords

The three forms AQA expects

Blagging (pretexting)

Blagging happens when an attacker invents a believable story in order to persuade someone to reveal confidential information or carry out an action they would not normally agree to.

Typical examples include:

  • pretending to be a member of technical support
  • posing as a bank employee
  • claiming to be a colleague, supplier, or school administrator who urgently needs login details or account information

The important teaching point is that the attacker relies on the story sounding plausible. Students should avoid vague phrasing like they trick them somehow. A stronger explanation makes clear that the attacker creates a false identity or scenario to gain trust.

Phishing

Phishing is the use of fraudulent messages, usually emails, texts, or similar communications, to trick a user into revealing personal or login information.

Students should understand that phishing often involves:

  • a message that appears to come from a trusted source
  • urgent or alarming wording
  • a fake link or request for details
  • a victim entering usernames, passwords, or bank information

A strong answer explains the sequence clearly: the message looks genuine, the user trusts it, confidential information is entered or sent, and the attacker then uses that information.

Shouldering (shoulder surfing)

Shouldering is the act of watching someone enter confidential information, such as a password or PIN, in order to steal it.

Students often underestimate this one because it sounds low-tech. That is exactly why it is worth teaching carefully. It is still social engineering because the attacker is exploiting human behaviour and physical carelessness rather than breaking through a technical defence.

Useful classroom examples include:

  • watching a student or staff member type a password
  • observing someone enter a PIN at a cash machine
  • standing close enough to read confidential information on a screen

Protection against social engineering

Protection should be taught as practical behaviour, not as magic cybersecurity dust sprinkled over the network.

Ways to protect against social engineering include:

  • training users to recognise suspicious messages and unusual requests
  • verifying identity before sharing information
  • not clicking unexpected links or downloading unknown attachments
  • using strong passwords and keeping them private
  • changing passwords if details may have been exposed
  • shielding screens or keypads when entering passwords or PINs
  • locking devices when left unattended

⚠️ Exam trap: students often confuse phishing with pharming. For this specification point, keep the focus on social engineering. Phishing involves deceptive communication to trick the user. Pharming is a separate threat in the wider cyber security section and involves redirection to a fake website.


Key Terms and Concepts

Term Teacher-ready explanation
Social engineering The manipulation of people so they reveal confidential information or allow access.
Confidential information Private data such as passwords, PINs, usernames, account details, or personal information.
Blagging (pretexting) Using an invented story or false identity to persuade someone to give away information.
Phishing Sending fraudulent messages that appear genuine in order to steal information.
Shouldering Watching someone enter confidential information, such as a PIN or password.
Credentials Login information, usually a username and password, used to access a system.
Verification Checking that a person or request is genuine before sharing information or granting access.

How to Teach This Topic

A strong teaching sequence

  1. Start with the big idea that people can be the weakest point in a system
  2. Give students a clear definition of social engineering and ask them to identify what makes it different from a software-based attack
  3. Teach the three required forms one at a time with short everyday scenarios
  4. Compare the methods using the same structure each time:
    • who the attacker pretends to be or how they observe
    • what the victim is persuaded to do
    • what confidential information is obtained
  5. Finish by linking each threat to a practical protection strategy

🧑‍🏫 Teaching moves that work well

  • Use short scenarios and ask students to name the exact form of social engineering

  • Model the difference between a vague answer and a developed answer

  • Revisit the phrase confidential information often

  • Use role-play carefully for blagging so students hear how the invented story does the work

What to listen for in student explanations

  • the attacker manipulates the victim

  • the method is named accurately

  • the explanation shows how trust, panic, or carelessness is exploited

  • the consequence is clear, such as stolen login details or unauthorised access

Discussion prompts

  • Why might a person be easier to exploit than a computer system?
  • Why does phishing often use urgency or fear?
  • Why is shouldering still dangerous even though no malware is involved?
  • Why should staff verify identity even when a request sounds routine?

Scaffolding ideas

  • Give students sentence stems such as:
    • This is social engineering because...
    • The attacker gains information by...
    • A suitable protection is... because...
  • Use a matching task with method, example, and protection
  • Provide weak exam answers and ask students to improve them by adding the missing mechanism

Extension ideas

  • Ask students to compare blagging and phishing and explain which relies more heavily on a convincing message
  • Give students mixed examples and ask them to decide whether each one is social engineering, a different cyber threat, or not a cyber threat at all
  • Challenge students to write a 4-mark answer using the structure method → manipulation → information gained → consequence

How to Mark This Topic Effectively

What strong answers usually include

  • a precise definition or correctly named method
  • a clear explanation of how the victim is manipulated
  • accurate use of terms such as confidential information, credentials, or trusted source
  • a clear outcome, such as stolen login details, access to an account, or unauthorised access to data

What examiners reward

Feature What to reward
Accurate knowledge Correctly identifying social engineering or naming the specific method asked for.
Explanation Showing how the attacker manipulates the victim, not just saying they were tricked.
Development Linking the method to a consequence such as stolen credentials or unauthorised access.
Precision Distinguishing blagging, phishing, and shouldering clearly rather than blending them together.

Common weaknesses in student answers

  • using hacking as a catch-all word instead of naming the method
  • describing phishing as just “a bad email” without explaining the deception
  • forgetting that blagging depends on an invented scenario or false identity
  • treating shouldering as if it is not part of cyber security because it does not involve code
  • giving a protection method without explaining how it reduces the risk

📝 Marking reminder: if a student names the correct method but does not explain how the victim is manipulated, the answer is usually only partly secure. The extra marks tend to live in the mechanism and consequence, not in the label alone.


Example Student Responses

Example question

Question: Explain one form of social engineering. [4 marks]

Marking guidance:

  • 1 mark for naming a valid form of social engineering
  • further marks for explaining how the attacker manipulates the victim
  • reward clear reference to confidential information or unauthorised access
Strong response

Student response:

Phishing is a form of social engineering where an attacker sends a fake email that looks as if it comes from a trusted company. The message may ask the user to click a link and sign in. If the user enters their username and password on the fake site, the attacker can steal those details and use them to access the real account.

Why this is strong:

  • names a correct form of social engineering
  • explains how the message appears trustworthy
  • shows how the victim is manipulated into giving away credentials
  • links the method to unauthorised access
Weak response

Student response:

It is when someone hacks your email and gets your password.

Why this is weak:

  • the method is not identified clearly
  • it does not explain the manipulation of the victim
  • it jumps straight to the result without describing the process
  • the wording is too vague to show secure specification knowledge

Quick second example for retrieval

Question: Describe how shouldering can be used to gain confidential information. [3 marks]

Marking guidance:

  • reward the idea of observing a person enter information
  • reward a clear example such as a password or PIN
  • reward the consequence of using that information later

Practice Questions

  • 2 marks: Define the term social engineering.
    • Marking guidance: reward the idea of manipulating people to give up confidential information.
  • 3 marks: Describe how blagging works.
    • Marking guidance: reward the use of an invented scenario or false identity to persuade the victim to reveal information.
  • 4 marks: Explain how phishing can lead to unauthorised access to an account.
    • Marking guidance: reward a fake message, apparent trustworthiness, stolen credentials, and resulting access.
  • 4 marks: Explain one way to protect a user against shouldering.
    • Marking guidance: reward a valid method such as shielding the screen or keypad, and explain how it prevents others from observing confidential information.
  • 6 marks: Compare blagging and phishing as forms of social engineering.
    • Marking guidance: reward similarities in manipulation and information theft, plus clear differences in method.

🎯 Exam technique: train students to answer using a simple pattern: name the method → explain the manipulation → identify the information obtained → state the consequence. It is not flashy, but it is reliably mark-friendly.


Common Misconceptions

  • Misconception: Social engineering means hacking directly into a system.
    • Quick correction: Social engineering targets the person, not the machine.
  • Misconception: Phishing and pharming are the same thing.
    • Quick correction: Phishing uses deceptive messages. Pharming is a separate threat involving redirection to a fake website.
  • Misconception: Blagging is just another word for phishing.
    • Quick correction: Blagging relies on an invented story or false identity rather than necessarily using a fake email or text.
  • Misconception: Shouldering is too simple to matter in exams.
    • Quick correction: It still counts because confidential information is obtained by observing the victim.
  • Misconception: Protection only means installing better software.
    • Quick correction: User awareness and careful behaviour are central protections against social engineering.

FAQ

Do students need to know all cyber threats here, or just social engineering?

Students should stay tightly focused on 3.6.2.1 Social engineering for this specification point. It helps to place it inside the wider cyber security section, but the core requirement here is definition, forms, and protection against social engineering.

How can I help students remember blagging more confidently?

Teach the word through the idea of a made-up story. If students remember that blagging depends on an invented scenario designed to gain trust, they are much more likely to explain it accurately.

Should I teach shouldering even though it feels obvious?

Yes. Students often overlook it because it seems simple, but that simplicity is exactly why they under-explain it in exams. They still need to show how the observation leads to stolen confidential information.

What is the most common weakness in exam answers on this topic?

Students often recognise the correct example but do not explain the mechanism. They write that a user is tricked, but they do not show how the trick works or what information is revealed.

Is it worth teaching protection methods alongside each form?

Yes. Pairing each method with a practical protection makes the topic easier to remember and helps students answer questions that ask how social engineering can be reduced or prevented.


Save time while keeping feedback sharp

Marking explanations of phishing, blagging, and shouldering can become surprisingly repetitive, especially when half the class writes “they got hacked” and expects that to cover the finer details. Marking.ai helps teachers review responses more quickly, apply marking criteria more consistently, and give clearer feedback on whether students have actually explained the method or only named it.

Used well, it can help keep feedback focused on the things that matter most in this topic: precision, clear explanation, and secure use of the specification language.