Social Engineering

Question 1

Social Engineering

Answer 1

• Manipulative strategy that exploits human psychology to gain unauthorized access to systems, data, or physical spaces

Question 2

What is the best defense against social engineering?

Answer 2

• Provide security training to the users

Question 3

The backbone of social engineering lies in the ability of an attacker to trick a user into __________

Answer 3

• Doing something for them

Question 4

What are the six main types of motivational triggers social engineers use?

Answer 4

1. Authority
2. Urgency
3. Social Proof - using influence to lead others to scam
4. Scarcity
5. Likability
6. Fear

Question 5

What is the reason social engineers use a sense of urgency in their tactics?

Answer 5

• To to get employees to ignore or bypass their normal security procedures

Question 6

What are the four main forms of impersonation used by social engineers?

Answer 6

1. Impersonation
2. Brand Impersonation
3. Typosquatting
4. Watering Hole Attacks

Question 7

When it comes to impersonation, attackers must first __________ about the organization so they can more easily earn the trust of their targeting users

Answer 7

• Collect information

Question 8

Brand Impersonation

Answer 8

• Specific form of impersonation where an attacker pretends to represent a legitimate company or brand
• Usually executed via social media, email, or website that appears to be legit… (i.e. logo, language)

Question 9

Typosquatting

Answer 9

• A form of cyber attack where an attacker registers a domain name that is similar to a popular website but contains some kind of common typographical errors
• Similar URL name hoping to catch those messing up (i.e. gnail.com)

Question 10

Watering Hole Attacks

Answer 10

• Targeted form of cyber attack where attackers compromise a specific website or service their target is known to use

Question 11

Pretexting

Answer 11

• Creating a fabricated scenario (the “pretext”) to manipulate a victim into divulging sensitive information or performing actions they normally wouldn’t

Question 12

Phishing

Answer 12

• Fraudulent attack using deceptive emails from trusted sources to trick individuals into disclosing personal information like passwords and credit card numbers

Question 13

Spear Phishing

Answer 13

• Used by cyber criminals who are more tightly focused on a specific group of individuals or organizations
• Customize attack on certain companies/users

Question 14

Whaling

Answer 14

• Form of spear phishing that targets high-profile individuals, like CEOs or CFOs

Question 15

Business Email Compromise (BEC)

Answer 15

• Advanced phishing attack that leverages internal email accounts within a company to manipulate employees into carrying out malicious actions for the attacker
• Taking over internal business email account

Question 16

Vishing (Voice Phishing)

Answer 16

• Phone-based attack in which the attacker deceives victims into divulging personal or financial information

Question 17

Smishing (SMS Phishing)

Answer 17

• Attack that uses text messages to deceive individuals into sharing their personal information

Question 18

Anti-Phishing Campaign

Answer 18

• Vital tool for educating individuals about phishing risks and how to recognize potential phishing attempts in user security awareness training

Question 19

What are some of the common characteristics of phishing emails?

Answer 19

• Generic greetings
• Spelling and grammar mistakes
• Spoofed email addresses
• Urgency
• Unusual requests
• Mismatched URLs

Question 20

Fraud

Answer 20

• The wrongful or criminal deception intended to result in financial or personal gain

Question 21

Identity fraud or Identity theft

Answer 21

• The use by one person of another person’s personal information, without authorization, to commit a crime of to deceive or defraud that other person on a third person

Question 22

What is the difference between identity fraud and identity theft?

Answer 22

• Fraud: Attacker takes victim’s credit card number and makes charges
• Theft: Attacker tries to fully assume identity of victim

Question 23

Invoice Scam

Answer 23

• A scam in which a person is tricked into paying for a fake invoice for a service or product they did not order

Question 24

Influence Campaigns

Answer 24

• Also called information operations or influence operations
• Coordinated efforts to manipulate public opinion, decision-making, or behavior through the spread of misleading, false, or divisive information—typically leveraging digital platforms and cyber capabilities.
• Usually committed by high-level adversaries like hacktivists, or nation-state actors

Question 25

What's the difference between misinformation and disinformation?

Answer 25

MISS: Inaccurate information shared unintentionally DISS: Intentional spread of false information to deceive or mislead

Question 26

Diversion Theft

Answer 26

- Manipulating a situation or creating a distraction to steal valuable items or information - Diverting internet traffic to fake websites

Question 27

DNS Spoofing Attack

Answer 27

- Attacker manipulates DNS Server settings so when a user types in a legitimate website URL, they are redirected to a fake website created by attacker - Usually relies on brand impersonation to prompt user to input PII

Question 28

Hoaxes are often paired with __________ and __________

Answer 28

- Phishing and Impersonation attacks

Question 29

Shoulder Surfing

Answer 29

- Looking over someone's shoulder to gather personal information

Question 30

Dumpster Diving

Answer 30

- Searching through trash to find valuable information