CompTIA Security+ (SY0-701) S5 Social Engineering M
32 Questions

Questions and Answers

True or false: Eavesdropping involves the process of openly listening to private conversations?

False (B)

True or false: Baiting involves leaving a malware-infected physical device in a place where it will be found by a victim, who will then unknowingly install malware on their organization's computer system?

True (A)

True or false: Tailgating involves an unauthorized person convincing an authorized employee to let them into the facility by getting the authorized employee to swipe their own access badge?

False (B)

True or false: Piggybacking involves an attacker attempting to follow an employee through an access control point without their knowledge?

True (A)

Social engineering involves exploiting human psychology for unauthorized access to systems, data, or physical spaces.

True (A)

Impersonation is a social engineering technique that involves pretending to be someone else, including brand impersonation, typo-squatting, and watering hole attacks.

True (A)

Vishing, Smishing, and Spear Phishing are all types of Influence Campaigns used in social engineering attacks.

False (B)

Diversion Theft, Hoaxes, and Shoulder Surfing are examples of Other Social Engineering Attacks.

True (A)

Phishing is a form of cyber attack that involves sending fraudulent emails to convince individuals to reveal personal information.

True (A)

Whaling is a form of phishing that targets high-profile individuals like CEOs or CFOs.

True (A)

Typosquatting is also known as URL hijacking or cybersquatting.

True (A)

Watering hole attacks involve compromising a specific website or service that a target is known to use.

True (A)

Pretexting involves giving some amount of true information to the victim to elicit more information from them.

True (A)

Brand impersonation is a less specific form of impersonation compared to impersonation attacks.

False (B)

Social engineers use scarcity as a motivational trigger by creating a sense of urgency or time-sensitivity.

False (B)

Urgency is a motivational trigger that drives individuals to act swiftly or prioritize certain actions.

True (A)

Spear phishing is a less targeted form of phishing compared to whaling.

False (B)

Most people are willing to comply with requests if they believe it is coming from someone in a position of authority.

True (A)

Fear-based attacks are generally focused on convincing the victim that something bad will happen if they don't comply.

True (A)

To protect against brand impersonation, organizations should regularly monitor their brand's online presence to detect fraudulent activities.

True (A)

Business Email Compromise (BEC) involves attackers tricking victims into sharing personal or financial information over the phone.

False (B)

Vishing is a voice phishing technique.

True (A)

Smishing involves the use of emails to deceive individuals into providing their personal information.

False (B)

Regular user security awareness training is not considered an effective prevention measure for phishing attacks.

False (B)

Identity fraud and identity theft involve the unauthorized use of another person's personal information for financial gain.

True (A)

Influence campaigns are coordinated efforts to shape public perception or behavior towards a cause, individual, or group.

True (A)

Diversion theft involves searching through trash for valuable information.

False (B)

Shoulder surfing is a social engineering attack that involves creating distractions to steal valuable items or information.

False (B)

Fact checking and critical thinking skills are important prevention measures against misinformation and disinformation spreading.

True (A)

Dumpster diving is a technique used in diversion theft.

False (B)

Hoaxes are often paired with phishing attacks.

True (A)

Clean desk and clean desktop policies are considered effective prevention measures against social engineering attacks.

True (A)

Flashcards

Business Email Compromise (BEC)

A sophisticated phishing attack where attackers use compromised company email accounts to steal funds, redirect payments or gain sensitive information.

Vishing

A type of phishing attack where attackers use phone calls to trick victims into revealing personal or financial information.

Smishing

Phishing attacks that use text messages to deceive individuals into providing personal information.

User Security Awareness Training

Training employees to recognize and report phishing attempts, emphasizing critical thinking and suspicious activity.

Anti-Phishing Tools

Software designed to identify and block phishing attempts, such as suspicious URLs or malicious emails.

Fraud

Fraudulent actions designed to deceive individuals or businesses for financial gain.

Identity Fraud

Unauthorized use of a person's personal information for deceitful activities or financial gain.

Identity Theft

Assuming someone else's identity to commit financial crimes or other illegal activities.

Influence Campaign

A series of actions designed to influence public perception or behavior towards a cause, individual, or group.

Misinformation and Disinformation

False or misleading information spread intentionally, often to harm institutions, fuel divisions or sway opinions.

Diversion Theft

A technique where attackers distract their victims to steal valuables or gain access to sensitive information.

Hoaxes

False information spread through communication channels, often used in conjunction with phishing attacks to gain trust or spread fear.

Shoulder Surfing

The act of looking over someone's shoulder to steal passwords, credit card numbers or other sensitive information.

Dumpster Diving

Searching through garbage for discarded documents or personal information that can be used for malicious purposes.

Awareness of Surroundings

Being aware of surroundings when entering personal information, such as at ATMs or public computers.

Clean Desk Policy

A policy requiring employees to keep their workspace clear of sensitive information when not in use, minimizing risk of theft.

Clean Desktop Policy

A policy requiring employees to keep their computer screens clear of sensitive information when not in use, minimizing risk of theft.

Fact Checking and Critical Thinking

Evaluating information sources critically, considering their reputation and potential bias to avoid being misled.

Sense of Urgency and Trust

The potential for a phishing attack to succeed depends on the attacker's ability to create a sense of urgency and trust in the victim.

Authenticity of Phishing Attacks

Phishing attacks often use convincing techniques to make the attack appear authentic, like mirroring legitimate websites.

Reporting Phishing Attempts

The ability to effectively identify and report phishing attempts reduces the risk of successful attacks.

Types of Phishing Attacks

Understanding the different types of phishing attacks, including BEC, vishing and smishing, helps identify and respond to potential threats.

Building Trust in Social Engineering

The effectiveness of social engineering attacks depends on the attacker's ability to build trust with the victim.

Objectives of Social Engineering Attacks

Social engineering attacks can be used to gain access to sensitive information, financial resources or even physical assets.

Protecting Against Phishing

The ability to recognize and avoid phishing attempts allows individuals and businesses to protect themselves from cyberattacks.

Impact of Social Engineering

Understanding the potential consequences of social engineering attacks helps individuals and organizations develop protective measures.

Combating Phishing Attacks

The use of anti-phishing tools, security awareness training and critical thinking skills helps provide a robust defense against phishing attacks.

Staying Informed about Social Engineering

Staying informed about new social engineering tactics and emerging threats is crucial for effective protection.

Study Notes

  • Business Email Compromise (BEC) is a sophisticated phishing attack targeting businesses, utilizing one of their internal email accounts to facilitate unauthorized fund transfers, payment redirection, or sensitive information theft.
  • Vishing is a voice phishing technique where attackers trick victims into sharing personal or financial information over the phone.
  • Smishing involves the use of text messages to deceive individuals into providing their personal information.
  • Preventing phishing attacks:
    • Regular user security awareness training
    • Education on various phishing techniques
    • Use of anti-phishing tools
    • Suspicion towards urgent requests
    • Examination of URLs and email addresses
    • Reporting and investigation of suspicious emails
  • Fraud and scams:
    • Fraud is criminal deception intended for financial or personal gain.
    • Identity fraud and identity theft involve the unauthorized use of another person's personal information for deception or financial gain.
    • Differences between identity fraud and identity theft:
      • Identity fraud: attacker charges items to the victim's card
      • Identity theft: attacker assumes the victim's identity
  • Influence campaigns:
    • Coordinated efforts to shape public perception or behavior towards a cause, individual, or group.
    • Misinformation and disinformation spreading can harm institutions, fuel social divisions, and influence election outcomes.
  • Other social engineering attacks:
    • Diversion theft: manipulating situations or creating distractions to steal valuable items or information.
    • Hoaxes: malicious deception spread through communication channels, often paired with phishing attacks.
    • Shoulder surfing: looking over someone's shoulder to steal information.
    • Dumpster diving: searching through trash for valuable information.
  • Prevention measures:
    • Being aware of surroundings when providing sensitive information.
    • Use of clean desk and clean desktop policies.
    • Fact checking and critical thinking skills when encountering potential hoaxes.

Quiz Team

Description

Learn about Business Email Compromise (BEC), a sophisticated type of phishing attack targeting businesses. This study note covers how attackers take over legitimate email accounts to conduct unauthorized fund transfers, redirect payments, or steal sensitive information.
