Example 1: BEC Attack β FBI IC3 Real Pattern
An accounts payable clerk receives an email from CEO@company-inc.com (note: company-inc versus the real domain company β a hyphenated lookalike domain the attacker registered the previous week). The email references a real ongoing acquisition discussed in the company's last quarterly press release. It states the CEO is at an industry conference (confirmed via the CEO's LinkedIn posts from that morning) and requests that a $250,000 wire transfer be completed before market close. The tone matches the CEO's writing style, which the attacker studied from publicly available interviews.
The urgency and authority cause the clerk to skip the normal dual-authorization procedure β "the CEO himself asked me, it seems disrespectful to make him wait for a second approval on something this time-sensitive." The transfer goes through at 3:47 PM. At 9:15 AM the next morning, the real CEO returns the accounts payable team's voicemail and the fraud is discovered.
Key indicators that were missed:
- Slightly wrong email domain β
company-inc.comversuscompany.com. Easy to miss when reading quickly. - Explicit instruction to bypass normal dual-authorization β legitimate urgent processes do not require skipping security controls.
- Explicit "don't tell anyone" instruction β confidentiality in a financial transaction request is a manipulation, not a legitimate business requirement.
- No prior established process for this type of request β real acquisitions have legal, finance, and executive involvement through known channels.
Example 2: Vishing β IT Help Desk Impersonation
At 4:45 PM on a Friday, the corporate help desk receives a call. The caller identifies himself as James Chen, VP of Sales. "I'm stuck in an airport trying to close a critical deal with our biggest client β I've been locked out of my VPN and my flight boards in 20 minutes. If I can't get on the client portal tonight, we lose this contract. I need a password reset immediately."
The urgency is genuine-sounding. The authority is clear (VP of Sales). The sympathy is real (stuck in an airport, flight boarding). The help desk technician β covering for two colleagues who called in sick β is stressed and behind on tickets. She wants to help. The caller provides James Chen's employee ID number (found on the company website in a press release listing conference speakers).
The technician resets the password without performing a callback verification to the number on file for James Chen. The attacker has VPN access. The real James Chen, working at his desk three floors up, notices nothing until Monday morning when he can't log in.
What should have happened: Strict callback verification β hang up, call the employee's known number on file in the HR/IT system, verify the request came from the actual employee. No exceptions. The real James Chen would have answered his desk phone immediately. A caller who cannot be reached at their registered number does not get a password reset over the phone. The 20-minute deadline is irrelevant to this policy.
Example 3: Tailgating at a Data Center
A man in a contractor vest with a local HVAC company's logo arrives at the secured data center entrance carrying a large cardboard server box. He does not have a visitor badge or an appointment on the system. When a network engineer badges through the door, he steps forward with the box tilted awkwardly. "Thanks β they said someone would meet me at the door but I've been waiting 20 minutes. My hands are obviously full." The engineer holds the door.
The attacker was inside for eleven minutes before anyone thought to ask who he was. In that time, he planted a small network tap behind a secondary rack β a device that would quietly exfiltrate traffic for the next six weeks before a routine audit discovered it.
The box was empty. The vest cost $18 from a uniform supply website. The logo was printed on an iron-on patch.
Technical control that would have prevented this: A mantrap (security vestibule) β a two-door airlock chamber where the first door must fully close before the second opens, with individual badge validation required for each person. In a mantrap, there is no "hold the door" option. Each person enters and exits alone. The social courtesy exploit is physically impossible.
Cultural control: A challenge policy that is genuinely enforced and normalized β every person without a visible, valid badge is questioned, every time, with zero tolerance for social pressure to "just let it go." Employees who correctly challenge unauthorized visitors are recognized, not reprimanded for being difficult.
Example 4: Watering Hole Attack β APT28 (Fancy Bear), 2014
APT28 β the threat actor attributed to Russian military intelligence (GRU), also known as Fancy Bear β compromised the website of the Polish government's Financial Supervision Authority (KNF). The site was a routine destination for financial regulators, banking officials, and policy staff across multiple countries who visited it for compliance guidance and regulatory updates.
Visitors to the site received drive-by malware downloads β the compromise required no user interaction beyond visiting the page in a vulnerable browser. No phishing emails were sent. No suspicious attachments were opened. The attack happened at the trusted destination.
Key insight for the exam: A watering hole attack bypasses email filters entirely because no malicious email is ever sent. The attack chain starts at the website layer. Victims visit a site they have visited dozens of times before β it appears normal, their browser has no prior warning about it, and the infection is silent. This is the defining characteristic that distinguishes watering holes from phishing: the attacker never contacts the victim. The attacker waits at the victim's trusted destination.
Example 5: Dumpster Diving and OSINT as Reconnaissance
A penetration tester hired to assess an organization's security posture takes a walk around the building on the first morning. In the unlocked recycling bins outside the office (not even in a secured waste area), she finds: a printed org chart from the previous quarter with names, titles, and reporting lines; a network diagram showing internal IP ranges and segment names; a sticky note with what appears to be a server hostname and a temporary password; and a printed email thread discussing an upcoming migration from the company's legacy ERP system to a new platform, with the go-live date, the project manager's name, and the vendor's name all visible.
With this material, she constructs a spear phishing email targeting the project manager β referencing the ERP migration by name, the go-live date, the vendor, and a plausible "urgent credential issue" with the new system. The email appears to come from the vendor's support team (whose domain she registered a lookalike for that afternoon). The project manager clicks. The pen test is over in 36 hours.
Defense: Cross-cut shredding of all sensitive printed materials before disposal (not just tearing), clean desk policy (documents are not left unattended), locked waste bins or shredding bins in all work areas, information classification training so employees understand what counts as sensitive.
Exam Scenario 1
Question: An attacker calls a hospital's IT helpdesk claiming to be Dr. Johnson, who states he is with a patient and cannot remember his password. He provides the correct employee ID number (found on the hospital's public website in a press release). The helpdesk resets the password without further verification. What social engineering technique was used and what control would have prevented it?
Answer: This is vishing using pretexting β the attacker impersonated a doctor with a plausible and urgent medical scenario. Principles in play: Authority (medical doctor with a patient), Urgency (patient waiting), and Sympathy (the social pressure not to delay patient care). The employee ID was obtained via OSINT from a public source β it is not a reliable verification factor.
Prevention: Callback verification β regardless of what information the caller provides (employee IDs may be semi-public), the policy must be to hang up and call the employee's number on file before any credential reset. A real doctor attending a patient who genuinely needs system access can have a colleague initiate the callback, or can wait for the verification call. Patient care emergencies do not require overriding security procedures for IT systems.
Exam Scenario 2
Question: An employee receives an email from payroll@hr-company.com (the actual internal domain is hr.company.com) stating that their bank details are needed immediately for the new payroll system migration. The email includes the company logo and references their actual manager by name. What type of attack is this, and what are two indicators that it is fraudulent?
Answer: This is spear phishing β it uses personal details (the actual manager's name) and impersonates an internal department with specific context (the payroll migration). The use of personal information makes it more convincing than generic phishing.
Indicator 1: Wrong email domain β hr-company.com versus hr.company.com. The hyphenated variant is easy to miss when reading quickly, but is a completely different domain registered by the attacker.
Indicator 2: Unsolicited request for sensitive financial information via email. Legitimate HR processes for banking detail updates do not use email links β they use authenticated portals with MFA, in-person verification, or known established processes. "Immediately" in a request involving banking details is an urgency trigger.
Indicator 3 (bonus): The manager's name was likely obtained from OSINT β LinkedIn, the company website, or a prior breach. The appearance of insider knowledge does not verify the sender's identity.
Exam Scenario 3
Question: A company's competitor keeps launching products that closely match their unreleased roadmap. Investigation finds no evidence of a technical breach. Interviews reveal that product managers have been attending a monthly industry meetup where they openly discuss upcoming features β and competitors also attend the same events. What attack category is this closest to, and what should the company implement?
Answer: This is social engineering through elicitation β extracting valuable information through normal social interaction. No deception was needed. The product managers voluntarily shared confidential information in an informal setting, not recognizing it as sensitive or recognizing that competitors were present and listening.
Controls to implement: Information classification training β employees need to know what is confidential and that classification applies in informal settings, not just in the office. Clear policy on what can be discussed externally, with specific guidance for industry events and networking. Awareness that competitors attend the same industry groups. Pre-event briefings for staff attending external events β "here is what you can discuss and here is what is off-limits." The risk is not malicious employees β it is well-intentioned employees who do not understand what constitutes proprietary information.