2.4 – Social Engineering - Social Engineering

Questions and Answers

An attacker posing as an angry customer yelling over the phone is an example of what type of social engineering tactic?

• Whaling
• Spear Phishing
• Dumpster Diving
• Intimidation (correct)

An attacker sends an email asking for donations after learning about an employee's passing. What makes this social engineering technique particularly effective?

• The email requests immediate financial information
• The email contains a spoofed domain name
• The attacker is using jargon to confuse the recipient
• The attacker is preying on emotions and trust (correct)

What is the primary characteristic of a phishing attack?

• Physical observation of a computer screen
• Impersonating a known or trusted entity to deceive victims (correct)
• Exploiting vulnerabilities in wireless networks
• Gaining unauthorized physical access to a building

What is 'vishing'?

Phishing performed through voice calls (B)

What is a key indication that you are dealing with a phishing attempt on a website?

The website displays a slightly altered logo (A)

What is the term for observing someone's screen to gather sensitive information?

Shoulder Surfing (C)

Which of the following is NOT a recommended countermeasure against shoulder surfing?

Increasing your screen brightness to maximum. (D)

What is the term for a highly targeted phishing attack aimed at high-profile individuals, such as executives?

Whaling (D)

Which role within an organization is most likely to be targeted by spear phishing?

Finance Manager (C)

What term describes someone entering a secured area by following an authorized person without using their own credentials?

Tailgating (C)

What is the difference between tailgating and piggybacking?

Tailgating is without the knowledge of the authorized person, while piggybacking is with their knowledge. (B)

What is the most important action an employee should take if they see someone without a visible badge in a secure area?

Ask the person who they are and what they are doing. (B)

What is the term for gathering information about a company by searching through its trash?

Dumpster Diving (D)

Why is it important to shred documents containing sensitive information before discarding them?

To prevent dumpster diving. (A)

An attacker sets up a fake Wi-Fi access point that mimics a legitimate one. What is this attack called?

Evil Twin attack (A)

What security measure can best protect your data when using public Wi-Fi networks against evil twin attacks?

Using a VPN. (B)

Which of the following scenarios is an example of impersonation in social engineering?

An attacker pretends to be a help desk employee to gain access to a user's credentials. (C)

Why do social engineers commonly use jargon or technical terms during an attack?

To confuse the target and make them more likely to comply. (B)

An attacker finds a discarded project proposal in the trash. How could this information be used in a social engineering attack?

To create a convincing phishing email targeting employees involved in the project. (D)

Which of the following is the MOST effective way to protect against evil twin attacks?

Using a VPN to encrypt your internet traffic. (C)

An attacker calls an employee, claiming to be from the IT department, and asks for their password to fix a system error. What social engineering principle is the attacker exploiting?

Authority (C)

What is the BEST way to prevent tailgating in a secure office building?

All of the above (D)

Which of these methods is LEAST likely to protect against shoulder surfing?

Typing faster to minimize viewing time. (C)

Why is 'pretexting' a crucial element in many social engineering attacks?

It provides the attacker with a credible scenario to trick the victim. (B)

What is the PRIMARY goal of an attacker performing reconnaissance before a social engineering attack?

To gather information about the target to make the attack more convincing. (D)

Which activity poses the GREATEST risk of exposing sensitive information to shoulder surfing?

Entering your credit card details on a website in a crowded coffee shop. (C)

Why is it crucial to keep your work computer screen locked when you step away from your desk?

To prevent unauthorized access to your files and data. (D)

Which of the following is the MOST critical step in mitigating the risk of social engineering attacks?

Employee awareness training. (C)

An attacker sends a personalized email to a company's CFO, posing as the CEO and requesting an urgent wire transfer to an offshore account. What type of attack is this?

Spear Phishing and Whaling (C)

How can an organization BEST protect itself from dumpster diving attacks?

By implementing a strict shredding policy for sensitive documents. (C)

Flashcards

Social Engineering

Manipulating people to bypass security controls to gain unauthorized access.

Phishing

Tricking individuals into revealing sensitive information by pretending to be someone trustworthy.

Vishing

Phishing attacks conducted via phone calls. Attackers might spoof numbers and request info.

Shoulder Surfing

Gaining access to private information by directly observing someone's screen.

Spear Phishing

Highly targeted phishing attacks aimed at specific individuals within an organization.

Whaling

Spear phishing attacks specifically targeting high-level executives.

Tailgating

Following closely behind someone who has authorized access to enter a restricted area.

Piggybacking

An authorized person knowingly allowing someone else to enter a secured area with them.

Impersonation

Pretending to be someone else to gain unauthorized access to information or resources.

Dumpster Diving

Extracting information from discarded materials to gather sensitive details.

Evil Twin Attack

A rogue wireless access point set up to mimic a legitimate one to steal information.

Study Notes

• Social engineering attacks are constantly evolving to bypass security controls.
• Attackers use multiple communication methods and identities to gain trust and unauthorized access.
• Posing as an angry customer to intimidate someone over the phone is a social engineering technique.
• Some social engineering attacks exploit tragic events (e.g., a death in the organization) to solicit donations with malicious links.

Phishing

• Phishing involves spoofing, where attackers imitate trusted entities to steal information.
• A link may appear to direct to your email system, but is a third party website designed to steal your credentials.
• Attackers can be careless and create phishing attempts with visual cues that indicate a scam.
• Phishing can occur through various media, including phone calls, known as voice phishing or vishing.
• Attackers spoof phone numbers to appear local and request sensitive information under false pretenses (e.g., fake security checks or pretending to be from your bank).

Shoulder Surfing

• Shoulder surfing involves observing someone's screen to obtain private information.
• This can occur in public places like airports or coffee shops.
• It's possible to view someone's screen from a distance using binoculars or telescopes.
• Malware can capture screen information and send it to the attacker.
• Preventative measures include:
  • Being aware of your surroundings.
  • Positioning yourself with your back to the wall.
  • Using privacy filters on your screen.
  • Re-positioning your computer on your desk.
  • Avoiding displaying sensitive information in areas where others can see your screen.

Spear Phishing and Whaling

• Attackers research their targets to identify individuals with access to valuable information.
• Spear phishing is a targeted attack on specific individuals, such as the person in charge of finances.
• Whaling is a type of spear phishing that targets executives with access to extensive private information and company finances.

Tailgating and Piggybacking

• Tailgating is entering a secured area by following someone who has authorized access without proper authorization.
• Piggybacking is when someone requests an authorized person to hold the door open for them.
• Organizations should have policies in place for dealing with visitors and ensuring unauthorized individuals are challenged.
• Security measures like single-person entry doors can prevent tailgating.

Impersonation

• Attackers impersonate individuals to gain access to information.
• Attackers may gather information from the internet, third parties, or even through dumpster diving.
• Impersonators use language and jargon to appear credible or friendly to manipulate the victim into providing information.

Dumpster Diving

• Dumpster diving involves searching through a company's trash to find valuable information.
• Discarded items may include telephone directories, financial details, or project information.
• Organizations should be careful about the information they discard and consider shredding sensitive documents.
• Trash should be disposed of immediately.

Evil Twin

• An evil twin is a rogue wireless access point that mimics a legitimate one.
• Attackers use the same SSIDs and logos as the legitimate network to deceive users.
• A powerful evil twin can overwhelm the legitimate access point, causing users to connect to the malicious network.
• Encryption is important to protect data transmitted over wireless networks, using a VPN encrypts everything that’s being sent, not just HTTPS to a website.