CompTIA Security+ (SY0-701) S5 Social Engineering E
32 Questions

Created by
@CalmYellow

Questions and Answers

What is the primary objective of social engineering?

Exploiting human psychology for unauthorized access to systems and data

Which technique involves impersonating trusted figures to gain trust?

Pretexting

What is the purpose of influence campaigns in the context of social engineering?

Impacting politics and economics

Which social engineering attack involves eavesdropping?

Shoulder Surfing

What is eavesdropping in the context of security?

Secretly listening to private conversations

How can baiting be prevented?

Training users to not use devices they find

What is tailgating in the context of security?

Attacker attempting to follow an employee through an access control point without their knowledge

What is piggybacking in the context of security?

Involves an attacker convincing an authorized employee to swipe their own access badge and allow the attacker inside the facility

What is Business Email Compromise (BEC)?

A sophisticated phishing attack targeting businesses using internal email accounts

What is vishing?

A voice phishing technique over the phone

What is smishing?

The use of text messages to deceive individuals into providing personal information

What is one recommended prevention measure for phishing attacks?

Regular user security awareness training

What is fraud?

Criminal deception intended for financial or personal gain

How does identity fraud differ from identity theft?

Attacker charges items to the victim's card in identity theft

What are influence campaigns?

Coordinated efforts to shape public perception or behavior towards a cause, individual, or group

What is diversion theft?

Manipulating situations or creating distractions to steal valuable items or information

What is shoulder surfing?

Looking over someone's shoulder to steal information

What are prevention measures for social engineering attacks?

Being aware of surroundings when providing sensitive information

What does smishing involve?

The use of text messages to deceive individuals into providing personal information

What are clean desk and clean desktop policies used for?

Preventing social engineering attacks

What is the main psychological phenomenon that social engineers exploit when individuals look to the behaviors and actions of others to determine their own decisions or actions?

Social Proof

Which form of impersonation involves an attacker pretending to represent a legitimate company or brand by using the brand’s logos, language, and information to create deceptive communications or websites?

Brand Impersonation

What is typosquatting also known as?

URL Hijacking

What form of cyber attack involves compromising a specific website or service that their target is known to use, often a trusted website or online service?

Watering Hole Attacks

Which type of phishing is a more targeted form used by cybercriminals who are more tightly focused on a specific group of individuals or organizations?

Spear Phishing

Which form of phishing targets high-profile individuals, like CEOs or CFOs, with the aim of catching one of the executives, board members, or higher level managers in the company?

Whaling

Which motivational trigger involves a compelling sense of immediacy or time-sensitivity that drives individuals to act swiftly or prioritize certain actions?

Urgency

What are the consequences of impersonation attacks?

All of the above

What can organizations do to protect against brand impersonation?

All of the above

How do organizations combat typosquatting attacks?

All of the above

What should organizations do to mitigate watering hole attacks?

All of the above

What does pretexting involve?

Gives some amount of information that seems true so that the victim will give more information

Study Notes

  • Business Email Compromise (BEC) is a sophisticated phishing attack targeting businesses, utilizing one of their internal email accounts to facilitate unauthorized fund transfers, payment redirection, or sensitive information theft.
  • Vishing is a voice phishing technique where attackers trick victims into sharing personal or financial information over the phone.
  • Smishing involves the use of text messages to deceive individuals into providing their personal information.
  • Preventing phishing attacks:
    • Regular user security awareness training
    • Education on various phishing techniques
    • Use of anti-phishing tools
    • Suspicion towards urgent requests
    • Examination of URLs and email addresses
    • Reporting and investigation of suspicious emails
  • Fraud and scams:
    • Fraud is criminal deception intended for financial or personal gain.
    • Identity fraud and identity theft involve the unauthorized use of another person's personal information for deception or financial gain.
    • Differences between identity fraud and identity theft:
      • Identity fraud: attacker charges items to the victim's card
      • Identity theft: attacker assumes the victim's identity
  • Influence campaigns:
    • Coordinated efforts to shape public perception or behavior towards a cause, individual, or group.
    • The spread of misinformation and disinformation can harm institutions, fuel social divisions, and influence election outcomes.
  • Other social engineering attacks:
    • Diversion theft: manipulating situations or creating distractions to steal valuable items or information.
    • Hoaxes: malicious deception spread through communication channels, often paired with phishing attacks.
    • Shoulder surfing: looking over someone's shoulder to steal information.
    • Dumpster diving: searching through trash for valuable information.
  • Prevention measures:
    • Being aware of surroundings when providing sensitive information.
    • Use of clean desk and clean desktop policies.
    • Fact checking and critical thinking skills when encountering potential hoaxes.

Description

Test your knowledge on Business Email Compromise (BEC), a sophisticated type of phishing attack that targets businesses by using internal email accounts to trick employees into performing malicious actions. This quiz covers topics like social engineering, cyber intrusion, unauthorized fund transfers, and stealing sensitive information.
