CompTIA Security+ (SY0-701) S5 Social Engineering H

Questions and Answers

Match the following social engineering technique with its description:

Impersonation = Pretending to be someone else, including brand impersonation, typo-squatting, and watering hole attacks Pretexting = Creating a fabricated scenario to manipulate targets, impersonating trusted figures to gain trust Phishing = Frauds and scams that deceive people into parting with money or valuable information Influence Campaigns = Spreading misinformation and disinformation, impacting politics, economics, etc.

Match the following social engineering attack with its description:

Diversion Theft = A type of social engineering attack Hoaxes = A deceptive practice to deceive people into parting with money or valuable information Shoulder Surfing = A social engineering attack involving stealing information by looking over someone's shoulder Baiting = A fabricated scenario to manipulate targets, impersonating trusted figures to gain trust

Match the following phishing attack type with its description:

Vishing = A type of phishing attack Smishing = A deceptive practice to deceive people into parting with money or valuable information Spear Phishing = Focused phishing attack targeting a specific individual or organization Whaling = Phishing attacks targeting high-profile individuals or executives

Match the following motivational trigger with its description:

Familiarity and Likability = Motivational trigger used by social engineers Consensus and Social Proof = Motivational trigger used by social engineers Authority and Intimidation = Motivational trigger used by social engineers Scarcity and Urgency = Motivational trigger used by social engineers

Match the following motivational triggers with their descriptions:

Authority = Most people are willing to comply and do what you tell them if they believe it is coming from somebody in a position of authority Urgency = Compelling sense of immediacy or time-sensitivity that drives individuals to act swiftly or prioritize certain actions Social Proof = Psychological phenomenon where individuals look to the behaviors of others to determine their own decisions or actions Scarcity = Psychological pressure people feel when they believe a product, opportunity, or resource is limited or in short supply

Match the following forms of impersonation with their descriptions:

Impersonation Attack = Adversary assumes the identity of another person to gain unauthorized access or steal sensitive data Brand Impersonation = Attacker pretends to represent a legitimate company or brand using logos, language, and information to create deceptive communications or website Typosquatting = Attacker registers a domain name similar to a popular website with common typographical errors Pretexting = Gives some amount of information that seems true so that the victim will give more information

Match the following phishing attack types with their descriptions:

Phishing = Sending fraudulent emails that appear to be from reputable sources with the aim of convincing individuals to reveal personal information Spear Phishing = More targeted form of phishing used by cybercriminals who are tightly focused on a specific group of individuals or organizations, with a higher success rate Whaling = Form of spear phishing that targets high-profile individuals like CEOs or CFOs for potentially greater rewards, often as an initial step to compromise an executive’s account for subsequent attacks within their organization Watering Hole Attacks = Targeted cyber attack where attackers compromise a specific website or service known to be used by their target

Match the following phishing prevention measures with their descriptions:

Regular user security awareness training = Providing education on various phishing techniques Use of anti-phishing tools = Tools to aid in identifying and preventing phishing attacks Examination of URLs and email addresses = Verifying the authenticity of web links and sender addresses Fact checking and critical thinking skills when encountering potential hoaxes = Critical evaluation of information to identify deceptive content

Match the following social engineering attacks with their descriptions:

Diversion theft = Manipulating situations to steal valuable items or information Shoulder surfing = Stealing information by looking over someone's shoulder Dumpster diving = Searching through trash for valuable information Hoaxes = Malicious deception spread through communication channels, often paired with phishing attacks

Match the following fraud and scams terms with their descriptions:

Fraud = Criminal deception intended for financial or personal gain Identity fraud = Unauthorized use of another person's personal information for deception or financial gain Identity theft = Assuming the victim's identity for fraudulent activities Influence campaigns = Coordinated efforts to shape public perception or behavior towards a cause, individual, or group

Match the following security threats with their descriptions:

Eavesdropping = Secretly listening to private conversations Baiting = Leaving a malware-infected physical device to be found by a victim Piggybacking = Unauthorized person following an authorized person into a secure area Tailgating = Unauthorized person attempts to follow an employee through an access control point

Match the following prevention techniques with the corresponding security threat:

Encrypting data in transit = Prevent eavesdropping Training users to not use devices they find = Prevent baiting Access control vestibule or access control point = Prevent tailgating Convincing an authorized employee to swipe their own access badge = Prevent piggybacking

Match the following actions with their descriptions:

Eavesdropping = Intercepting communication without knowledge Baiting = Leaving a malware-infected physical device to install malware unknowingly Piggybacking = Convincing an authorized employee to swipe their own access badge Tailgating = Following an employee into a secure area without authorization

Match the following security threats with their prevention techniques:

Eavesdropping = Encrypting data in transit Baiting = Training users to not use devices they find Piggybacking = Preventing unauthorized entry at access control points Tailgating = Training employees on access control procedures

Study Notes

• Business Email Compromise (BEC) is a sophisticated phishing attack targeting businesses, utilizing one of their internal email accounts to facilitate unauthorized fund transfers, payment redirection, or sensitive information theft.
• Vishing is a voice phishing technique where attackers trick victims into sharing personal or financial information over the phone.
• Smishing involves the use of text messages to deceive individuals into providing their personal information.
• Preventing phishing attacks:
  • Regular user security awareness training
  • Education on various phishing techniques
  • Use of anti-phishing tools
  • Suspicion towards urgent requests
  • Examination of URLs and email addresses
  • Reporting and investigation of suspicious emails
• Fraud and scams:
  • Fraud is criminal deception intended for financial or personal gain.
  • Identity fraud and identity theft involve the unauthorized use of another person's personal information for deception or financial gain.
  • Differences between identity fraud and identity theft:
    • Identity fraud: attacker charges items to the victim's card
    • Identity theft: attacker assumes the victim's identity
• Influence campaigns:
  • Coordinated efforts to shape public perception or behavior towards a cause, individual, or group.
  • Misinformation and disinformation spreading can harm institutions, fuel social divisions, and influence election outcomes.
• Other social engineering attacks:
  • Diversion theft: manipulating situations or creating distractions to steal valuable items or information.
  • Hoaxes: malicious deception spread through communication channels, often paired with phishing attacks.
  • Shoulder surfing: looking over someone's shoulder to steal information.
  • Dumpster diving: searching through trash for valuable information.
• Prevention measures:
  • Being aware of surroundings when providing sensitive information.
  • Use of clean desk and clean desktop policies.
  • Fact checking and critical thinking skills when encountering potential hoaxes.

Description

Test your knowledge about Business Email Compromise (BEC), a sophisticated type of phishing attack that targets business by using internal email accounts to manipulate employees into committing malicious actions. Learn about taking over legitimate business email accounts and conducting unauthorized fund transfers, redirecting payments, or stealing sensitive information.