1.1 Compare and contrast different types of social engineering techniques. Flashcards

1
Q

Social engineering

A

is a form of attack that exploits human nature and human behavior. The
result of a successful social engineering attack is information leakage or the attacker being
granted logical or physical access to a secure environment.

2
Q

Phishing

A

is a form of social engineering attack based on the concept of fishing for
information. Phishing can be waged using any communication means, including
face-to-face interactions and over the phone.

3
Q

Smishing

A

SMS phishing or smishing is a social engineering attack that occurs over or through standard text messaging services or apps.

4
Q

Vishing

A

Vishing is phishing done over any telephony or voice communication system. This includes
traditional phone lines, Voice-over-IP (VoIP) services, and mobile phones.

5
Q

Spam

A

Spam is any type of email that is undesired and/or unsolicited. The primary countermeasures against spam are an email filter or rule and antivirus (AV)
scanners. If a message is received from one of the listed spam sources, the email filter blocks
or discards it.

6
Q

Spam over instant messaging (SPIM)

A

Spam over instant messaging (SPIM) is the transmission of unwanted communications over
any messaging system that is supported by or occurs over the Internet.

7
Q

Spear phishing

A

Spear phishing is a more targeted form of phishing where the message is crafted and directed
specifically to a group of individuals. Often, attackers will first compromise an online or
digital business to steal their customer database.

8
Q

Dumpster diving

A

Dumpster diving is the act of digging through trash, discarded equipment, or abandoned
locations to obtain information about a target organization or individual. Just about
anything that is of any minor internal value or sensitivity could make social engineering
attacks easier or more effective.

9
Q

Shoulder surfing

A

Shoulder surfing occurs when someone is able to watch a user’s keyboard or view their
display.

10
Q

Pharming

A

Pharming is the malicious redirection of a valid website’s URL or IP address to a fake
website that hosts a false version of the original, valid site.

11
Q

Tailgating

A

Tailgating occurs when an unauthorized entity gains access to a facility under the authorization of a valid worker but without their knowledge. An attacker may be able to sneak in
behind a valid worker before the door closes.

12
Q

Eliciting information

A

Eliciting information is the activity of gathering or collecting information from systems or
people.

13
Q

Whaling

A

Whaling is a form of spear phishing that targets specific high-value individuals, such as the
CEO or other C-level executives, administrators, or high-net-worth clients. Often the goal
of a whaling attack is to steal credentials from the high-level target or to use that target to
steal funds or redirect resources to the benefit of the attacker.

14
Q

Prepending

A

Prepending is the adding of a term, expression, or phrase to the beginning or header of
a communication.

15
Q

Identity fraud

A

Identity theft is the act of stealing someone’s identity. This can refer to the initial act of
information gathering or elicitation where usernames, passwords, credit card numbers,
Social Security numbers, and other related, relevant, and personal facts are obtained by
the attacker.

16
Q

Invoice scams

A

Invoice scams are a social engineering attack that often attempts to steal funds from an
organization or individuals through the presentation of a false invoice, often followed
by strong inducements to pay.

17
Q

Credential harvesting

A

Credential harvesting is the activity of collecting and stealing account credentials. Some
hackers will distribute or share harvested credentials with other hackers.

18
Q

Reconnaissance

A

Reconnaissance is collecting information about a target, often for the purposes of planning
an attack against that target.

19
Q

Hoax

A

A hoax is a form of social engineering designed to convince targets to perform an action
that will cause harm or reduce their IT security.

20
Q

Impersonation

A

Impersonation is the act of taking on the identity of someone else to use their access or
authority. Impersonation can also be known as masquerading, spoofing, and even identity fraud.

21
Q

Watering hole attack

A

A watering hole attack is a form of targeted attack against a region, a group, or an organization. The attacker observes the target’s habits to discover a common resource that one or
more members of the target frequent.

22
Q

Typosquatting

A

Typosquatting is a practice employed to take advantage of when a user mistypes the
domain name or IP address of an intended resource.

23
Q

Pretexting

A

A pretext is a false statement crafted to sound believable to convince you to act or respond.

24
Q

Influence campaigns

A

Influence campaigns are social engineering attacks that attempt to guide, adjust, or change
public opinion. (Fake News)

25
Q

Hybrid warfare

A

Nations no longer limit their attacks against their real or perceived enemies using traditional, kinetic weaponry.

26
Q

Social media

A

Social media has become a weapon in the hands of nation-states as they wage elements of
hybrid warfare against their targets.