CompTIA Security+ (SY0-701) S5 Social Engineering E

Questions and Answers

What is the primary objective of social engineering?

• Exploiting human psychology for unauthorized access to systems and data (correct)
• Spreading misinformation and disinformation
• Gaining unauthorized access to physical spaces
• Creating fabricated scenarios to manipulate targets

Which technique involves impersonating trusted figures to gain trust?

• Baiting
• Vishing
• Pretexting (correct)
• Phishing

What is the purpose of influence campaigns in the context of social engineering?

• Impacting politics and economics (correct)
• Deceiving people into parting with money
• Gaining unauthorized access to systems
• Spreading misinformation about cybersecurity

Which social engineering attack involves eavesdropping?

Shoulder Surfing (A)

What is eavesdropping in the context of security?

Secretly listening to private conversations (C)

How can baiting be prevented?

Training users to not use devices they find (A)

What is tailgating in the context of security?

Attacker attempting to follow an employee through an access control point without their knowledge (C)

What is piggybacking in the context of security?

Involves an attacker convincing an authorized employee to swipe their own access badge and allow the attacker inside the facility (A)

What is Business Email Compromise (BEC)?

A sophisticated phishing attack targeting businesses using internal email accounts (B)

What is vishing?

A voice phishing technique over the phone (A)

What is smishing?

The use of text messages to deceive individuals into providing personal information (B)

What is one recommended prevention measure for phishing attacks?

Regular user security awareness training (B)

What is fraud?

Criminal deception intended for financial or personal gain (A)

How does identity fraud differ from identity theft?

Attacker charges items to the victim's card in identity theft (B)

What are influence campaigns?

Coordinated efforts to shape public perception or behavior towards a cause, individual, or group (D)

What is diversion theft?

Manipulating situations or creating distractions to steal valuable items or information (A)

What is shoulder surfing?

Looking over someone's shoulder to steal information (A)

What are prevention measures for social engineering attacks?

Being aware of surroundings when providing sensitive information (C)

What does smishing involve?

The use of text messages to deceive individuals into providing personal information (A)

What are clean desk and clean desktop policies used for?

Preventing social engineering attacks (D)

What is the main psychological phenomenon that social engineers exploit when individuals look to the behaviors and actions of others to determine their own decisions or actions?

Social Proof (C)

Which form of impersonation involves an attacker pretending to represent a legitimate company or brand by using the brand’s logos, language, and information to create deceptive communications or website?

Brand Impersonation (B)

What is typosquatting also known as?

URL Hijacking (C)

What form of cyber attack involves compromising a specific website or service that their target is known to use, often a trusted website or online service?

Watering Hole Attacks (B)

Which type of phishing is a more targeted form used by cybercriminals who are more tightly focused on a specific group of individuals or organizations?

Spear Phishing (C)

Which form of phishing targets high-profile individuals, like CEOs or CFOs, with the aim of catching one of the executives, board members, or higher level managers in the company?

Whaling (B)

Which motivational trigger involves a compelling sense of immediacy or time-sensitivity that drives individuals to act swiftly or prioritize certain actions?

Urgency (A)

What are the consequences of impersonation attacks?

All of the above (D)

What can organizations do to protect against brand impersonation?

All of the above (D)

How do organizations combat typosquatting attacks?

All of the above (D)

What should organizations do to mitigate watering hole attacks?

All of the above (D)

What does pretexting involve?

Gives some amount of information that seems true so that the victim will give more information (B)

Flashcards

Business Email Compromise (BEC)

A type of phishing attack where attackers impersonate a legitimate source, such as a bank, to trick victims into revealing sensitive information.

Vishing

A voice phishing technique where attackers use deception over the phone to trick victims into sharing sensitive information.

Smishing

A phishing attack where attackers use text messages to deceive individuals into revealing personal or financial information.

User Security Awareness Training

Regular training for users to help them identify and avoid phishing attempts.

Anti-phishing Tools

Tools designed to detect and block phishing emails.

Suspicion of Urgent Requests

Exercising caution when faced with urgent requests, especially those asking for sensitive information.

Examination of URLs and Email Addresses

Analyzing links and email addresses to determine their legitimacy and potential for phishing.

Reporting and Investigation

Reporting suspicious emails or activities to security teams or authorities for investigation.

Fraud

Criminal deception intended for financial or personal gain.

Identity Fraud/Identity Theft

The unauthorized use of another person's personal information for deception or financial gain.

Identity Fraud

Using someone else's credit card to make purchases without their permission.

Identity Theft

Assuming the identity of another person for illegal activities or to gain access to their resources.

Influence Campaigns

Coordinated efforts to influence public perception or behavior towards a cause, individual, or group.

Misinformation/Disinformation

Spreading false or misleading information to influence public opinion or achieve a specific agenda.

Diversion Theft

Manipulating situations or creating distractions to steal valuable items or information.

Hoaxes

Malicious deception spread through communication channels, often paired with phishing attacks.

Shoulder Surfing

Looking over someone's shoulder to steal personal or financial information.

Dumpster Diving

Searching through trash for discarded documents or information that can be used for fraudulent activities.

Awareness of Surroundings

Being mindful of your surroundings when providing sensitive information, such as PIN numbers or credit card details.

Clean Desk/Clean Desktop Policies

Policies that promote keeping workspaces clean and secure, limiting the visibility of sensitive information.

Fact Checking and Critical Thinking

Evaluating information critically and verifying its authenticity before believing or sharing it.

Spoofed Email

A type of phishing attack involving a fake email claiming to be from a trusted source, prompting users to click a malicious link or provide their personal information.

Phishing Link

A phishing link disguised as a legitimate website.

Credential Phishing

A fraudulent attempt to gain access to a user's accounts by tricking them into revealing their login credentials.

Social Engineering Phishing

A phishing attack that uses social engineering tactics to exploit vulnerabilities in user trust and behavior.

Spear Phishing

A phishing attack that targets a specific individual or group, often with personalized messages tailored to their interests or vulnerabilities.

Exploit Kit

An attack that exploits the weaknesses of a software system to gain unauthorized access and steal sensitive information.

Watering Hole Attack

A type of phishing attack that uses a compromised website to redirect users to malicious websites or download malware.

Social Media Phishing

A phishing attack that spreads malicious malware through social media platforms.

Pop-Up Phishing

A phishing attack that uses a fake pop-up message to deceive users into providing their personal information or downloading malware.

Mobile Phishing

A phishing attack that uses a fake mobile application to steal sensitive information from users.

Study Notes

• Business Email Compromise (BEC) is a sophisticated phishing attack targeting businesses, utilizing one of their internal email accounts to facilitate unauthorized fund transfers, payment redirection, or sensitive information theft.
• Vishing is a voice phishing technique where attackers trick victims into sharing personal or financial information over the phone.
• Smishing involves the use of text messages to deceive individuals into providing their personal information.
• Preventing phishing attacks:
  • Regular user security awareness training
  • Education on various phishing techniques
  • Use of anti-phishing tools
  • Suspicion towards urgent requests
  • Examination of URLs and email addresses
  • Reporting and investigation of suspicious emails
• Fraud and scams:
  • Fraud is criminal deception intended for financial or personal gain.
  • Identity fraud and identity theft involve the unauthorized use of another person's personal information for deception or financial gain.
  • Differences between identity fraud and identity theft:
    • Identity fraud: attacker charges items to the victim's card
    • Identity theft: attacker assumes the victim's identity
• Influence campaigns:
  • Coordinated efforts to shape public perception or behavior towards a cause, individual, or group.
  • Misinformation and disinformation spreading can harm institutions, fuel social divisions, and influence election outcomes.
• Other social engineering attacks:
  • Diversion theft: manipulating situations or creating distractions to steal valuable items or information.
  • Hoaxes: malicious deception spread through communication channels, often paired with phishing attacks.
  • Shoulder surfing: looking over someone's shoulder to steal information.
  • Dumpster diving: searching through trash for valuable information.
• Prevention measures:
  • Being aware of surroundings when providing sensitive information.
  • Use of clean desk and clean desktop policies.
  • Fact checking and critical thinking skills when encountering potential hoaxes.

Description

Test your knowledge on Business Email Compromise (BEC), a sophisticated type of phishing attack that targets businesses by using internal email accounts to trick employees into performing malicious actions. This quiz covers topics like social engineering, cyber intrusion, unauthorized fund transfers, and stealing sensitive information.