Social Engineering Flashcards

1
Q

Social Engineering

A

A manipulative strategy that exploits human psychology (rather than a technical flaw) to gain unauthorized access to systems, data, or physical spaces

2
Q

Motivational triggers

A
  • Familiarity and likability
  • Consensus and social proof
  • Authority and intimidation
  • Scarcity and urgency
  • Fear
3
Q

Social Engineering Techniques

A
  • Impersonation (of people and brands) - pretending to be someone else, such as a colleague, a vendor, or a well-known company
  • Pretexting - creating a fabricated scenario that makes the attacker's request seem legitimate
4
Q

Typosquatting (URL Hijacking/Cybersquatting)

A

Attack in which the attacker registers a domain name that closely resembles a popular website's but contains a common typographical error, so that users who mistype the address land on the attacker's site

To combat:
- register common misspellings of your own domain names
- use services that monitor for similar domain registrations
- conduct user security awareness training to educate users

5
Q

Watering Hole Attacks

A

Targeted form of cyber attack in which attackers compromise a specific website or service that their target is known to use
- the "watering hole" the attacker chooses will usually be a trusted website or online service, so the target has no reason to be suspicious when visiting it

Mitigation:
- keep systems up to date
- use threat intelligence services to stay informed about new threats
- employ advanced malware detection and prevention tools

6
Q

Pretexting

A

The attacker offers a few details that seem true (a name, an account number, a recent event) so that the victim trusts the caller, fills in the rest, and gives up more information

Mitigation: train employees not to fall for a pretext and not to fill in the gaps for people who call in

7
Q

Phishing

A

Sending fraudulent emails that appear to be from reputable sources with the aim of convincing individuals to reveal personal information

8
Q

Spear Phishing

A

More targeted form of phishing used by cybercriminals who focus tightly on a specific group of individuals or organizations
- has a higher success rate than generic phishing because the message is tailored to the recipient

9
Q

Whaling

A

Form of spear phishing that targets high-profile individuals, like CEOs or CFOs
- used as an initial step to compromise an executive’s account for subsequent attacks in their organization

10
Q

Business Email Compromise (BEC)

A

Targets businesses by using a compromised or spoofed internal email account to get other employees to perform malicious actions (such as wiring funds or sharing data) on the attacker's behalf

11
Q

Vishing

A

Attacker tricks their victims into sharing personal or financial information over the phone

12
Q

Smishing

A

Involves the use of text messages to trick individuals into providing their personal information

13
Q

Anti-phishing Campaign

A

Essential user security awareness training tool that can be used to educate individuals about the risks of phishing and how to best identify potential phishing attempts
- should offer remedial training for users who fell victim to simulated phishing emails

14
Q

Key indicators of phishing attacks

A
  • Urgency
  • Unusual requests
  • Mismatched URLs
  • Strange email addresses
  • Poor spelling or grammar
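
The indicators above can be checked mechanically on a raw message: urgency wording, a Reply-To domain that differs from the From domain, a display name that borrows the organization's name while the address sits on an outside domain, and anchor text that shows one domain while the href points to another. The block below is an added example and is not part of the original deck; the constructed sample message, the internal domain example.com, the keyword list, and the two-label approximation of a registrable domain are all assumptions. Spelling and grammar checking is left out because it needs a dictionary rather than a rule.

```python
"""Check a raw email for the phishing indicators listed above (added example).
Assumed: the internal domain, the urgency keyword list, the sample message and
the two-label stand-in for a registrable domain."""

import email
import re
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Phrases that pressure the reader into acting without thinking (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "within 24 hours",
                 "account will be suspended", "act now")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host: str) -> str:
    """Last two labels of a hostname: a crude stand-in for the registrable domain."""
    return ".".join(host.lower().strip(".").split(".")[-2:])


def phishing_indicators(raw: str, internal_domain: str) -> list[str]:
    """Return one finding string per indicator the message triggers."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []

    # Strange sender addresses: Reply-To steering replies elsewhere, or a
    # display name that borrows the organization's name on an outside domain.
    from_name, from_addr = parseaddr(msg["From"] or "")
    from_dom = from_addr.rpartition("@")[2].lower()
    reply_dom = parseaddr(msg["Reply-To"] or "")[1].rpartition("@")[2].lower()
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply-to-mismatch: replies go to {reply_dom}, not {from_dom}")
    org_name = internal_domain.split(".")[0]
    if org_name in from_name.lower() and from_dom != internal_domain:
        findings.append(f"lookalike-sender: '{from_name}' sends from {from_dom}")

    # Gather the plain-text and HTML bodies (a non-multipart message walks as itself).
    text_body, html_body = "", ""
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            text_body += part.get_content()
        elif part.get_content_type() == "text/html":
            html_body += part.get_content()

    # Urgency: pressure phrases in the subject or either body.
    visible = " ".join([msg["Subject"] or "", text_body,
                        re.sub(r"<[^>]+>", " ", html_body)]).lower()
    hits = [w for w in URGENCY_WORDS if w in visible]
    if hits:
        findings.append("urgency: " + ", ".join(hits))

    # Mismatched URLs: anchor text naming a domain different from the real target.
    parser = LinkExtractor()
    parser.feed(html_body)
    for href, text in parser.links:
        shown = re.search(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", text.lower())
        target = urlparse(href).hostname or ""
        if shown and registrable(shown.group(1)) != registrable(target):
            findings.append(f"mismatched-url: text shows {shown.group(1)} but href goes to {target}")
    return findings


# Constructed sample message (not a real phish); every header and link is made up.
SAMPLE = """\
From: "Example IT Helpdesk" <helpdesk@example-support.net>
Reply-To: recovery@mailbox-reset.biz
To: alice@example.com
Subject: URGENT: your password expires in 24 hours
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your password expires within 24 hours. Act now to keep your account.</p>
<p>Reset it here: <a href="http://example.com.login-verify.biz/reset">https://example.com/reset</a></p>
</body></html>
"""

if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE, "example.com"):
        print(finding)
```

The link check is the one users most often miss: the anchor text reads https://example.com/reset, but the hostname in the href is example.com.login-verify.biz, whose registrable domain is login-verify.biz. A message that trips several of these rules at once is a strong candidate for the "report suspicious messages" step in the next card.
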
15
Q

Mitigation for phishing

A
  • Training
  • Report suspicious messages
  • Analyze the threat
  • Inform all users about the threat
  • Revise security measures after every successful attack
16
Q

Fraud

A

Wrongful or criminal deception that is intended to result in financial or personal gain for the attacker

17
Q

Identity Fraud and Identity Theft

A

Involves the use of another person's personal information without their authorization to commit a crime or to deceive or defraud that person or some other third party

Difference:
- Fraud - the attacker takes the victim's credit card number and charges it
- Theft - the attacker tries to assume the victim's identity

18
Q

Scams

A

Fraudulent or deceptive act or operation
- most common scam = invoice scam: the victim is tricked into paying a fake invoice for a product or service they never ordered

19
Q

Influence campaigns

A

Coordinated efforts to affect public perception or behavior towards a particular cause, individual, or group
- a powerful tool for shaping public opinion and behavior
- foster misinformation (false content spread without harmful intent, which still undermines trust and fuels division) and disinformation (false content spread with harmful intent)

20
Q

Diversion Theft

A

Involves manipulating a situation or creating a distraction to steal valuable items or information

21
Q

Hoaxes

A

Malicious deception that is often spread through social media, email, or other communication channels
- often paired with phishing attacks and impersonation attacks
- prevent by fact checking and using critical thinking skills

22
Q

Shoulder Surfing

A

Involves looking over someone's shoulder to gather personal information
- includes the use of high-powered cameras or closed-circuit television cameras to steal information from a distance
- to prevent: users must be aware of their surroundings when entering or providing any sensitive information

23
Q

Eavesdropping

A

Secretly listening to private conversations

24
Q

Baiting

A

Involves leaving a malware-infected physical device, like a USB drive, in a place where it will be found by a victim, who the attacker hopes will plug the device in and unknowingly install malware on their organization's computer system

Prevent: train users not to use devices they find