Section 29 - Social Engineering Flashcards
What is “Social Engineering”?
Any act that manipulates users into revealing confidential information or performing other actions that are detrimental to that user or the security of our systems
What is “pretexting”?
When an attacker supplies some information that seems true (a name, a ticket number, a plausible story) so that the victim fills in the gaps with more information
What is an “insider threat”?
Somebody who works for your organization but has ulterior motives and wants to do something harmful to the organization
What is “phishing”?
A victim is contacted by email, telephone, text message, or some other method posing as a legitimate organization.
*** When you see "phishing" on the exam, assume it means email, because the telephone and text-message variants have their own names (below).
What is “vishing”?
Phishing conducted over voice calls (telephone)
What is “smishing”?
Phishing conducted over SMS/text messages
The best practice to prevent phishing is…?
Don't click links in emails; open the site directly instead (type the address you already know or use a bookmark)
What is “spear phishing”?
Phishing that’s focused on a specific person
What is “whaling”?
Phishing that’s focused specifically on a high-level executive
What is pharming?
Redirecting a user to a fraudulent website that impersonates the one they meant to visit (often by manipulating name resolution, e.g. DNS or the hosts file, so the correct address leads to the attacker's site)
*** often used in conjunction with vishing or smishing to get you directed to that fraudulent link
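The card above describes redirection to a fraudulent site, and the earlier card tells you not to click links in email. One concrete check behind that advice, added here as an illustration (this is not code from the flashcards or from CompTIA), is to compare where a link *says* it goes with where its href *actually* goes. The sample message body is constructed for the example, and the "registrable domain" helper is a deliberately simple last-two-labels approximation rather than a real public-suffix lookup.

```python
"""Flag links in an HTML email whose visible text points somewhere other than the href.

Illustration of the phishing/pharming trick: an anchor that reads like the
legitimate domain while its href goes to an attacker-controlled host.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse
import ipaddress

# Constructed sample message body for the example (not a real phishing sample).
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify now:</p>
<a href="http://198.51.100.23/login">https://www.example-bank.com/login</a>
<p>Or visit <a href="https://www.example-bank.com/help">our help page</a>.</p>
<p>Confirm at <a href="https://example-bank.com.verify-account.net/">example-bank.com</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Return the hostname of a URL, accepting bare domains like 'example-bank.com'."""
    if "://" not in text:
        text = "http://" + text
    return urlparse(text).hostname or ""


def registrable_domain(host):
    """Approximation: keep the last two labels (no public-suffix list; assumption)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return [(href, visible_text, [reasons])] for links that look deceptive."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        href_host = host_of(href)
        reasons = []
        if is_ip(href_host):
            reasons.append("href points at a raw IP address")
        # Only treat the visible text as a claimed destination if it looks like a URL/domain.
        text_host = host_of(text) if "." in text and " " not in text else ""
        if text_host and registrable_domain(text_host) != registrable_domain(href_host):
            reasons.append(f"visible text says {text_host} but link goes to {href_host}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL):
        print(f"{text!r} -> {href}: {'; '.join(reasons)}")
```

Of the three links in the sample, the first (display text names the bank, href is a bare IP) and the third (the bank's name is only a subdomain of an unrelated site) are flagged; the plain "our help page" link, whose visible text makes no claim about its destination, is not. The same mismatch rule is what a user is applying by hand when they hover a link before clicking, which is why the "don't click, navigate directly" advice holds.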
What motivates the users to fall for social engineering?
- Authority - people make these mistakes when they believe someone of authority is demanding it of them
- Financial motives - when people believe they owe money, have lost money or could gain money
- Urgency - people naturally want to help others, so they tend to comply with a request for a favor, and even more so when the situation is framed as time-critical
- Social proof - people are likely to click on things that are popular: posts with lots of likes and shares, or something they see their friends doing
- Scarcity - a good deal with limited supply pressures people into acting before they think, which is what many scams rely on
- Likeability - when the person scamming you is so likeable (e.g., charming or attractive) that you go along with the proposed scam
- Fear - a threat that not acting will result in some penalty (such as being arrested)
What is “diversion theft”?
A thief diverts a shipment by posing as the party responsible for it and having it delivered to a different location
What is a “hoax”?
An attempt to deceive people into believing something false is true, or something true is false.
What is “shoulder surfing”?
Literally what it sounds like: someone obtains information (a password, a PIN, data on screen) by looking over your shoulder at your screen or keyboard.
What is “eavesdropping”?
Overhearing information that an attacker wants to get
What is “dumpster diving”?
Scavenging for personal or confidential information in garbage or recycling containers
What is “baiting”?
When a malicious individual leaves a malware-infected device (such as a USB drive) somewhere a curious person will pick it up and plug it into one of their own devices
What is “piggybacking”?
When an unauthorized person tags along with an authorized person to gain access to a restricted area (typically with that person's consent, e.g. they hold the door; when it is done without the authorized person noticing, it is usually called "tailgating")
What is a “watering hole” attack?
When an attacker figures out where your users like to go (for example a website they commonly visit), compromises that site and embeds malware in it, so that the next time your users visit they download the malware.
What is “fraud”?
The wrongful or criminal deception intended to result in financial or personal gain
*** Unlike outright theft, the victim is tricked into handing over the money or information themselves
What is “identity fraud”?
The use by one person of another person’s personal information without their authorization to commit a crime or to deceive or defraud that other person or some other third party
*** like stealing your credit card info and making charges as if they are you
What is the difference between identity fraud and identity theft?
Identity fraud is using someone's personal information (e.g., a credit card number) to deceive or defraud. Identity theft goes further: the attacker takes over another person's identity and uses it as their own. They become you.
What is a “scam”?
A scam is a fraudulent or deceptive act or operation
*** Essentially, someone trying to deceive you into doing something
What is an “invoice scam”?
This is a scam in which a person is tricked into paying for a fake invoice for a product or service that they did not actually order
What is “prepending”?
A social engineering technique in which an essentially invisible string is added in front of a web link in an email, so that when the user clicks it they are tricked into entering usernames, passwords and other sensitive information.
What is an “influence operation”?
The collection of tactical information about an adversary, together with the dissemination of propaganda, in pursuit of a competitive advantage over an opponent
*** In other words, taking information and using it against someone. This is a military term; CompTIA uses the term "influence campaign." An influence campaign is one small part of a larger influence operation, but the two terms are used interchangeably.
What is “hybrid warfare”?
A military strategy that employs the full spectrum of warfare: it blends political warfare, conventional warfare, irregular warfare and cyber warfare.