Chapter 20 Β· Flashcards

Social Engineering Flashcards

Click each card to reveal the answer.

0 / 16 flipped
What is social engineering?
Manipulating people into performing actions or revealing information that compromises security. Exploits psychological principles β€” authority, urgency, scarcity, social proof, familiarity, intimidation β€” rather than technical vulnerabilities. The human is the attack surface.
What is pretexting?
Creating a fabricated scenario to gain a target's trust. The attacker invents a plausible context β€” posing as IT support, an auditor, a vendor, or a colleague β€” to justify their request. All BEC attacks involve pretexting. The more believable and researched the pretext, the higher the success rate.
What distinguishes spear phishing from regular phishing?
Spear phishing uses personal information about the specific victim to increase credibility β€” their name, employer, role, manager, recent activities. Regular phishing is mass, generic, untargeted. Spear phishing has far higher success rates because the email appears to come from someone who knows the victim. Email filters catch less of it because the content is plausible.
What is whaling?
Spear phishing targeting C-suite executives (CEO, CFO, CTO, board members). Higher research investment justified by higher target value β€” executives can authorize wire transfers, access the most sensitive systems, and sign contracts. Often the impersonation side of a BEC attack β€” impersonating the CEO to authorize fraudulent wire transfers. The "big fish."
What is Business Email Compromise (BEC)?
Impersonating executives or trusted business contacts to authorize fraudulent financial transactions. Typically: attacker impersonates CEO, targets CFO or accounting staff, creates urgency around a wire transfer. Annual losses exceed $2 billion globally. Hallmarks: Authority + Urgency + Secrecy in a single request. Combines pretexting, impersonation, and psychological manipulation.
What is vishing?
Voice phishing β€” phone calls impersonating legitimate organizations (IT support, IRS, bank fraud departments) to extract credentials or information. Caller ID spoofing makes the number appear legitimate. Defense: callback verification to a known number β€” never provide credentials or perform resets based on an incoming call. Hang up; call back at a known number from an independent source.
What is smishing?
SMS phishing β€” text messages containing malicious links or urgent requests impersonating banks, package carriers, or government agencies. Short URL masking hides the true destination. The mobile context and abbreviated message format reduce scrutiny. Often triggers credential harvesting pages or malware downloads. Principles: urgency, scarcity ("your account is being closed").
What is tailgating (piggybacking)?
Gaining unauthorized physical access by following an authorized person through a secured door. Exploits social courtesy β€” people naturally hold doors and do not challenge confident-looking strangers. Defense: mantraps (two-door security vestibule β€” both doors cannot open simultaneously), strict badge challenge policy, security culture where everyone is required to badge in individually with no exceptions.
What is a watering hole attack?
Compromising a website frequently visited by the target group, then waiting for them to visit. The attacker infects the destination instead of sending malicious content to the target. Bypasses email filters completely β€” no malicious email is ever sent. The attack occurs at the website layer when the victim visits a site they already trust. Named after predators waiting at watering holes for prey.
What is quid pro quo in social engineering?
Offering a service or benefit in exchange for information. Classic: fake IT support calls offering to fix a (nonexistent) computer problem in exchange for login credentials. The target receives apparent value (help) and provides access in return. Exploits the reciprocity principle β€” humans feel obligated to give back when they receive help, even from strangers.
What is shoulder surfing?
Observing someone's screen, keyboard, or documents to capture sensitive information β€” passwords, PINs, credit card numbers, confidential data. Common in public spaces: airports, cafes, open-plan offices, public transit. Defense: screen privacy filters (polarizing film that limits viewing angle), positioning screens away from public sightlines, locking screens when stepping away.
What is dumpster diving?
Searching through discarded materials (trash, recycling bins) for useful information β€” org charts, printed credentials, system documentation, financial documents, network diagrams. Provides reconnaissance data for constructing convincing spear phishing with apparent insider knowledge. Defense: cross-cut shredding of all sensitive documents before disposal, clean desk policy, locked disposal bins.
What psychological principle does urgency exploit in social engineering?
Urgency disables critical thinking by creating time pressure. When people are rushed, they skip verification steps, bypass procedures, and comply without questioning. Security maxim: any request that requires bypassing normal security procedures "because of urgency" should trigger MORE scrutiny, not less. Urgency is the attacker's most reliable tool β€” and recognizing it as a manipulation tactic is the primary defense.
What is out-of-band verification and why is it the primary defense against BEC?
Verifying a request through a completely separate communication channel from the one that delivered the suspicious request. Not replying to the email. Not calling a number in the email. Using a contact method already on file (known phone number from the corporate directory). If the CEO emails a wire request, call the CEO's known number independently. A real CEO will understand. An impersonator cannot intercept a call to the real CEO's known number.
What is the primary defense against social engineering?
Security awareness training combined with process controls. Training: employees recognize attack patterns (urgency + authority + secrecy = red flag), know how to verify, and know how to report without shame. Process: dual authorization for financial transactions, callback verification for credential resets, clear escalation procedures. Neither alone is sufficient β€” trained employees still need process backstops when training fails.
What makes physical social engineering (tailgating, impersonation) particularly effective?
Human social norms work against security. We are taught to be helpful, not to challenge people, to hold doors for those with full hands, and to assume colleagues' visitors are legitimate. An attacker who looks the part (uniform, badge, confident demeanor) exploits these norms. The defense requires building a security culture where challenging unknown visitors is normalized and rewarded β€” not seen as rude. This is a culture problem as much as a security problem.