Question 1: An executive assistant receives an email that appears to come from the CEO's address. It requests an urgent wire transfer, states that it's confidential and she shouldn't discuss it with anyone, and says the CEO can't be reached by phone because they're in back-to-back meetings. What type of attack is this?
Question 2: A penetration tester calls the IT helpdesk claiming to be a new employee who forgot their temporary password on their first day. They give a plausible name, a fake employee ID, and mention their manager's name (found on LinkedIn). Which principles of social engineering are primarily being exploited?
Question 3: An attacker discovers that a target organization's security team regularly reads a specific cybersecurity blog. The attacker compromises that blog and embeds malware in an article. When security team members visit the site, their browsers are exploited. What attack type is this?
Question 4: A company implements a policy that ALL wire transfers over $10,000 require a secondary voice confirmation to a phone number already registered in the system, separate from any contact information provided in the transfer request. Which attack does this MOST effectively prevent?
Question 5: Which combination of psychological principles is MOST commonly used in BEC attacks?
Matching: Social Engineering Techniques
Match each term to its correct description.
TECHNIQUE
DESCRIPTION
Analysis Question
A regional bank is experiencing a surge in BEC attacks targeting its accounts payable staff. Three attacks in six months, totaling $420,000 in fraudulent transfers. Management wants to purchase a $50,000 AI-based email filtering system. A security analyst argues that technical controls alone won't solve this. Is the analyst correct? What should the complete defense strategy include?
BEC attacks frequently use legitimate email services β compromised accounts at real organizations, legitimate domains with slight variations (company-inc.com vs company.com), or entirely valid email infrastructure. AI email filters catch obvious spoofing patterns but often miss well-crafted BEC because: the email may originate from a legitimately compromised account with a clean sending reputation; the content contains no malicious links or attachments β just a social request; and the domain may be a legitimate lookalike that has never been flagged.
Complete defense strategy:
1. Process controls (highest impact): Mandatory dual authorization for all transfers over a defined threshold β two separate approvals from two separate people in two separate channels. Any change to a vendor's payment details triggers an automatic hold and manual re-verification callback to the vendor's known contact number (not the number provided with the change request).
2. Out-of-band verification: Any wire transfer request received via email β regardless of apparent source β requires a callback verification to a known phone number on file before execution. The callback number comes from the corporate directory or existing vendor records, never from the email.
3. Security awareness training: Specific training for AP staff on BEC patterns. "Authority + Urgency + Secrecy = Red Flag" must be a recognized and practiced pattern. Simulated BEC attacks quarterly β zero punishment, learning debriefs only. Employees rewarded for reporting suspicious requests, not penalized for delaying a transfer pending verification.
4. Technical controls (supplementary, not sufficient alone): DMARC enforcement on the bank's own domain (prevents spoofing of the bank's domain in external communications). External email banners prominently displayed on all inbound messages. Display-name vs. email-address mismatch auto-flagging. Rules flagging emails from external domains containing "wire transfer," "urgent payment," or "confidential" to a finance inbox.
5. Culture: Reward employees who refuse suspicious requests and escalate for verification. A culture where "I held the transfer for verification" is praised, not criticized for slowing down business. The $420,000 in losses exceeded the cost of the proposed email filter β and the email filter alone would not have caught these attacks.
Performance Task
A hospital's security team discovers that three doctors have had their credentials stolen in the past month. Investigation reveals all three received vishing calls from someone claiming to be from the hospital's IT department running a "mandatory security upgrade." All three provided their credentials over the phone. Design a comprehensive prevention program.
Immediate response:
Force password resets for all three affected accounts immediately β assume credentials are compromised. Review access logs for all three accounts for the past 30 days β identify any unauthorized access, data downloads, or anomalous activity. Enroll all three doctors in MFA immediately. Notify the incident response team and conduct a scope assessment β were other staff targeted?
Process controls:
Publish and enforce an absolute policy: IT will NEVER ask for passwords by phone, email, or any other channel β ever. Any caller requesting credentials should be refused immediately and reported. Post this policy visibly in clinical areas, waiting rooms, break rooms, and at login terminals. Make it a known, expected behavior to refuse password requests.
Verification protocol:
Any IT interaction requesting action from clinical staff (password reset, account change, software installation) requires the staff member to hang up and call back the IT help desk at the known internal extension. The callback number must come from the hospital's internal directory β printed on badge holders, posted at workstations β not from the caller. The IT department will never object to being called back at the known number; only an impersonator will object.
Training program:
Short, scenario-based training modules (5-10 minutes, not hour-long seminars) specifically on vishing. Use roleplay scenarios where clinical staff practice saying: "I need to call you back at the IT help desk number. What is your name and ticket number?" Quarterly simulated vishing calls to test and reinforce training β no punishment for failing, structured debriefs for learning. Track improvement over time.
Technical controls:
Require MFA for all clinical systems β this is the most important technical control. Even if credentials are stolen via vishing, the attacker cannot access systems without the second factor. The MFA enrollment must be done through a verified in-person or secure digital process, not over the phone. Session timeout policies to limit exposure from unattended terminals.
Culture:
Frame refusing credential requests as the correct, professional, patient-safety-protecting behavior. Reframe the security refusal as a clinical competency β just as clinical staff follow protocols that protect patients, security protocols protect patient data. Recognition for staff who correctly identify and report social engineering attempts. The goal: a culture where "I refused to give my password and called IT back" is seen as doing the right thing.