2.2 Deception Flashcards

1
Q

2.2.1 Social Engineering

A

Social engineering is a non-technical strategy that attempts to manipulate individuals into performing risky actions or divulging confidential information.

Rather than software or hardware vulnerabilities, social engineering exploits human nature by taking advantage of people’s willingness to help or preying on their weaknesses, such as greed or vanity.

2
Q

Pretexting

A

This type of attack occurs when an individual lies to gain access to privileged data. For example, an attacker pretends to need personal or financial data in order to confirm a person’s identity.

3
Q

Something for something (quid pro quo)

A

Quid pro quo attacks involve a request for personal information in exchange for something, like a gift. For example, a malicious email could ask you to give your sensitive personal details in exchange for a free vacation.

4
Q

Identity fraud

A

This is the use of a person’s stolen identity to obtain goods or services by deception. For example, someone acquires your personal information and attempts to apply for a credit card in your name.

5
Q

2.2.2 Social Engineering Tactics

A

Cybercriminals rely on several social engineering tactics to gain access to sensitive information.

6
Q

Authority

A

Attackers prey on the fact that people are more likely to comply when instructed by someone they perceive as an authority figure.

For example, an executive opens what looks like an official subpoena attachment but is actually an infected PDF.

7
Q

Intimidation

A

Cybercriminals will often bully a victim into taking an action that compromises security.

For example, a secretary receives a call that their boss is about to give an important presentation but the files are corrupt. The criminal on the phone claims it’s the secretary’s fault and pressures the secretary to send across the files immediately or risk dismissal.

8
Q

Consensus

A

Often called ‘social proof,’ consensus attacks work because people tend to act in the same way as other people around them, thinking that something must be right if others are doing it.

For example, cybercriminals may publish a social media post about a false business opportunity and get dozens of legitimate or illegitimate accounts to comment on its validity. This encourages unsuspecting victims to make a purchase.

9
Q

Scarcity

A

A well-known marketing tactic, scarcity attacks work because attackers know that people tend to act when they think there is a limited quantity of something available.

For example, someone receives an email about a luxury item being sold for very little money, but it states that there are only a handful available at this very favorable price. This may spur the unsuspecting victim into impulsively taking action.

10
Q

Urgency

A

Similarly, people also tend to act when they think there is a limited time to do so.

For example, cybercriminals promote a fake time-limited shipping offer to try and prompt victims to take action quickly.

11
Q

Familiarity

A

People are more likely to do what another person asks if they like this person.

Therefore, attackers will often try to build a rapport with their victim in order to establish a relationship. In other cases, they may clone the social media profile of a friend of yours, in order to get you to think you are speaking to them.

12
Q

Trust

A

Building a trusting relationship with a victim may take more time to establish.

For example, a cybercriminal disguised as a security expert calls the unsuspecting victim to offer advice. When helping the victim, the ‘security expert’ discovers a ‘serious error’ that needs immediate attention. The solution provides the cybercriminal with the opportunity to violate the victim’s security.

13
Q

2.2.4 Shoulder Surfing and Dumpster Diving

A

Shoulder surfing is a simple attack that involves observing or literally looking over a target’s shoulder to gain valuable information such as PINs, access codes, or credit card details. Criminals do not always have to be near their victim to shoulder surf — they can use binoculars or security cameras to obtain this information.

This is one reason why an ATM screen can only be viewed at certain angles. These types of safeguards make shoulder surfing much more difficult.

You may have heard of the phrase, ‘one man’s trash is another man’s treasure.’ Nowhere is this more true than in the world of dumpster diving — the process of going through a target’s trash to see what information has been thrown out.

This is why documents containing sensitive information should be shredded or stored in burn bags until they can be destroyed.

14
Q

2.2.5 Impersonation and Hoaxes

A
15
Q

Impersonation

A

Impersonation is the act of pretending to be someone else to trick someone into doing something they would not ordinarily do. For example, a cybercriminal posing as an IRS employee recently targeted taxpayers, telling the victims that they owed money that had to be paid immediately via wire transfer — or risk arrest.

Criminals can also use impersonation to attack others. For example, they can pose as their victim online and post on websites or social media pages to undermine the victim’s credibility.

16
Q

Hoaxes

A

A hoax is an act intended to deceive or trick someone. Hoaxes can cause just as much disruption as an actual security breach.

For example, a message warns of a (non-existent) virus threat on a device and asks the recipient to share this information with everyone they know. This hoax elicits a user reaction, creating fear and irrational behavior that is propagated through email and social media.

17
Q

2.2.6 Piggybacking and Tailgating

A

Piggybacking or tailgating occurs when a criminal follows an authorized person to gain physical entry into a secure location or a restricted area. Criminals can achieve this by:

Giving the appearance of being escorted into the facility by an authorized person
Joining and pretending to be part of a large crowd that enters the facility
Targeting an authorized person who is careless about the rules of the facility

One way of preventing this is to use two sets of doors. This is sometimes referred to as a mantrap and means individuals enter through an outer door, which must close before they can gain access through an inner door.

18
Q

Invoice scam

A

Fake invoices are sent with the goal of receiving money from a victim by prompting them to put their credentials into a fake login screen. The fake invoice may also include urgent or threatening language.

19
Q

Watering hole attack

A

A watering hole attack describes an exploit in which an attacker observes or guesses what websites an organization uses most often and infects one or more of them with malware.

20
Q

Typosquatting

A

This type of attack relies on common mistakes such as typos made by individuals when inputting a website address into their browser. The incorrect URL will bring the individuals to a legitimate-looking website owned by the attacker, whose goal is to gather their personal or financial information.

21
Q

Prepending

A

Attackers can remove the ‘external’ email tag used by organizations to warn the recipient that an email has originated from an external source. This tricks individuals into believing that a malicious email was sent from inside their organization.

22
Q

Influence campaign

A

Often used in cyberwarfare, influence campaigns are usually very well coordinated and blend various methods such as fake news, disinformation campaigns, and social media posts.

23
Q

2.2.9 Defending Against Deception

A

Organizations need to promote awareness of social engineering tactics and properly educate employees on prevention measures. Here are some top tips.

Never disclose confidential information or credentials to unknown parties via email, chat, text messages, or in conversation.
Resist the urge to click on enticing emails and web links.
Be wary of uninitiated or automatic downloads.
Establish and educate employees on key security policies.
Encourage employees to take ownership of security issues.
Do not give in to pressure by unknown individuals.