The correct answer is C. Spam and Phishing because the campaign is based on unsolicited deceptive messages sent in bulk with the intent to lure many recipients into clicking a link and submitting credentials on a fake site. In CEH-aligned social engineering concepts, phishing is a deception technique used to trick users into revealing sensitive information (such as corporate usernames and passwords) by impersonating a trusted entity or presenting a convincing pretext. When phishing is executed “at scale” using mass messaging—often through email, messaging platforms, or social media—it overlaps strongly with spam, which refers to unsolicited bulk communications distributed to large numbers of targets.

The scenario contains the classic phishing flow: a fraudulent invitation contains a link to a counterfeit “cloud collaboration” login page, and users are prompted to authenticate. Credential capture (“which Nadia captures”) confirms the objective is credential harvesting rather than mere awareness disruption. The detail that she used “compromised social media accounts” is consistent with modern phishing operations that abuse trusted accounts to increase credibility and bypass initial suspicion. This also helps attackers evade some basic filtering and encourages victims to trust the message because it appears to come from a legitimate profile.

Why the other options are less correct: Catfishing typically involves building a fake persona and maintaining a relationship over time (often one-to-one) to manipulate a victim; it is not mainly defined by bulk unsolicited messages. Angler phishing specifically refers to phishing conducted through social media channels, often by impersonating customer support or hijacking brand interactions. While the platform here is social media, the question’s strongest discriminator is “unsolicited deceptive messages delivered at scale,” which points to the combined threat category spam and phishing rather than the more specific “angler” support-impersonation pattern. Involuntary data leakage describes accidental exposure of information, not active deception.

Therefore, Nadia’s campaign most clearly simulates spam and phishing.