Chapter 20 Β· Tricks & Performance

Trick Questions & Performance Tasks

The social engineering exam traps that catch the most students. Think before you reveal.

Trick 1: "Spear phishing is just a more targeted version of regular phishing β€” the defense is the same." True or False?
FALSE β€” the defense has important and distinct differences.

Regular phishing defense: Email filters catch most mass phishing because it uses known-bad domains, recycled URL patterns, generic templates, and obvious spoofing. User training to recognize generic red flags ("Dear Customer," unexpected sender, suspicious links) works reasonably well because the attack is impersonal and formulaic.

Spear phishing defense: Email filters often miss it entirely. The email may originate from a legitimately compromised account with a clean sending reputation. It may reference real internal information, real names, real projects β€” with no malicious links or attachments at all, just a social request. Generic "check the sender domain" training is insufficient when the email comes from the real domain of a compromised colleague.

The defense for spear phishing must be process-based: verify sensitive requests through an independent channel regardless of how legitimate the email appears. A well-researched spear phishing email can deceive even security-aware, well-trained employees β€” because the content is plausible, personalized, and references real context. The process control (callback verification, dual authorization) must hold even when the training fails.

Exam trap: Questions that ask which defense is appropriate will have different correct answers for phishing (email filters + user awareness) versus spear phishing (process controls + out-of-band verification).
Trick 2: "The best defense against social engineering is making employees feel bad when they fall for attacks, to reinforce vigilance." True or False?
FALSE β€” shame-based security culture is actively counterproductive.

When employees fear punishment or humiliation for falling for a simulated phishing attack or reporting a suspicious interaction, they stop reporting. The unreported click is far more dangerous than the reported one β€” a reported incident gets investigated and contained; an unreported one silently progresses.

Punitive security cultures create specific measurable harms: employees who clicked a phishing link hide it rather than reporting it, preventing incident response. Employees who are unsure about a request avoid escalating for fear of seeming foolish. The security team loses visibility into real attacks because employees self-censor.

Best practice from both NIST and security culture research: treat social engineering simulations as learning opportunities, not gotcha tests. Zero punishment for failing a simulated phishing test β€” structured debrief and education instead. Actively celebrate and reward employees who correctly identify and report social engineering attempts. Publicize the catches: "an AP staff member correctly escalated a suspicious wire request last month, preventing a potential $200K fraud." This creates positive reinforcement for the right behavior.

The security goal is maximum detection speed and reporting volume, not zero incidents. Humans will always be fallible β€” the goal is to catch the attempt before it completes, which requires employees who report quickly without fear.
Trick 3: "Tailgating can be completely prevented by placing a security guard at every door." True or False?
FALSE β€” human guards can also be socially engineered.

A confident person in a maintenance uniform with a large cart will often be waved through by a guard who does not want to create a confrontation, delay what looks like a scheduled maintenance job, or challenge someone who appears to belong there. Guards are subject to exactly the same social engineering principles as any other employee β€” authority (uniformed worker with a work order), urgency (the system cooling needs immediate attention), familiarity (the contractor seems to know the facility).

The most reliable physical control against tailgating is a mantrap (also called a security vestibule or airlock): a two-door chamber where the first door must fully close before the second opens, with individual badge validation required for each person entering. In a mantrap, there is no physical mechanism to "hold the door" β€” each person enters alone, badges in, and the doors operate on a single-occupancy principle. The social courtesy exploit is physically impossible.

Combined with a badge challenge culture β€” every person without a visible, valid badge is questioned every single time, with zero tolerance for social pressure, and this behavior is explicitly rewarded β€” a mantrap is far more reliable than a human guard making real-time social judgments about whether someone looks like they belong.

Exam note: Mantrap = the technical control. Badge challenge culture = the administrative/cultural control. Guards alone = insufficient because they are also social engineering targets.
Trick 4: "Vishing attacks are less effective today because of caller ID." True or False?
FALSE β€” caller ID spoofing is trivially easy, free, and widely used.

Caller ID was designed in an era when phone numbers were geographically fixed and difficult to fake. Modern VoIP technology allows instant, free caller ID spoofing β€” attackers can make calls appear to originate from any number they choose, including: the company's actual IT help desk direct line, a hospital's main switchboard number, the IRS's published phone number, or your bank's fraud department number.

A call appearing to come from your bank's main branch number is not verification that the bank is calling. Caller ID is an assertion made by the originating system β€” and in VoIP, that assertion is trivially manipulated.

This means caller ID is not a reliable verification mechanism and should never be treated as one. Seeing a familiar number on the caller ID is actually a social engineering vector: it increases the target's trust before the conversation begins.

Defense: Callback verification β€” regardless of what number appeared on caller ID, if you receive an unexpected call requesting sensitive action, hang up and call the institution back at their known, published number from an independent source (company directory, official website, the back of your bank card). The callback number must never come from the caller.

Exam trap: Questions implying that caller ID provides identity assurance are incorrect. Caller ID is an indicator, not verification. Only independent callback provides verification.
Trick 5: "A watering hole attack is a type of phishing." True or False?
FALSE β€” a watering hole attack is fundamentally distinct from phishing.

The defining difference is delivery direction:

Phishing: The attacker initiates contact with the victim β€” sends an email, makes a phone call, sends an SMS. Something is delivered to the victim. The attacker reaches out to the target. This means the attack must pass through the victim's email client, spam filters, and training to recognize suspicious inbound communications.

Watering hole: The attacker never contacts the victim at all. The attacker compromises a third-party website that the victim is known to visit, then waits. When the victim navigates to that trusted site β€” a site they visit regularly, a site their browser has no prior warnings about, a site their security tools consider benign β€” the attack occurs. The victim was not contacted; they initiated the connection themselves.

Practical consequences for the exam: watering hole attacks bypass email filters entirely (no email is sent), bypass phishing awareness training entirely (no suspicious email to recognize), and exploit the trust the victim already has in a legitimate site.

The analogy is exact: a predator who goes to the prey (phishing) versus a predator who waits where prey must come (watering hole). Different tactics, different defenses, different exam answers.

Defense against watering holes: Browser isolation, web content filtering that checks reputation in real time, patch management (drive-by malware typically exploits unpatched browser vulnerabilities), endpoint detection and response to catch the malware payload even if the delivery succeeds.
Performance Task: Your organization processes $15M in wire transfers monthly across 45 accounts payable staff. There have been two BEC incidents in the past year ($180,000 total losses). The CFO asks you to design a complete BEC prevention framework that balances security with operational efficiency β€” payments must still be processed quickly.
Model Answer: BEC Prevention Framework

Authorization tiers (balancing security with efficiency):
Transfers under $5,000: current single-approval process β€” low-value, high-volume transactions do not need additional friction.
Transfers $5,000–$50,000: dual authorization within the AP department β€” two separate staff members approve independently via the financial system.
Transfers over $50,000: dual authorization + CFO or Controller confirmation via registered callback to their known phone number on file β€” high-value transfers justify the additional step.

Vendor banking detail changes (highest risk point):
ANY change to an existing vendor's banking details triggers an automatic hold and manual re-verification: callback to the vendor's phone number already on file (not the number provided with the change request), confirmed by a named individual at the vendor. This control addresses the most common BEC variant: fraudulent vendor invoice redirect attacks.

Email controls:
DMARC enforcement on your own domain β€” prevents attackers from spoofing your exact domain in communications to your vendors. External email banners prominently labeled on all inbound messages from outside the organization. Automated flagging of display name mismatches (email display says "Jane Smith, CFO" but domain is cfo-company.net). Keyword rules flagging external emails containing "wire transfer," "urgent payment," "confidential," or "bypass" to a monitored queue.

Security awareness training:
Monthly 5-minute scenario drills for all 45 AP staff β€” specific to BEC patterns, not generic phishing awareness. Simulated BEC attacks quarterly targeting the AP team β€” zero punishment, structured learning debriefs showing exactly what indicators were present. Physical reminder posted at payment terminals: "Authority + Urgency + Secrecy = Stop and Verify." Annual refresher on vendor payment fraud patterns as threats evolve.

Technical controls:
MFA required for all financial systems β€” even with stolen credentials, attackers cannot access the payment system without the second factor. Session timeout after inactivity on all financial system terminals. Anomaly alerting: automated flag for any single-day transfer volume significantly above historical baseline for a given AP staff member.

Incident response:
Any suspicious request is immediately reported to the security team without executing the transaction β€” zero "I'll do it and tell security later." Clear escalation path on a laminated card at each workstation: who to call, what information to capture, what not to do. All suspicious incidents logged regardless of whether fraud was completed β€” near-misses are intelligence.

Operational efficiency maintained:
The security controls apply primarily to new payees, unusual amounts, and changes to existing payment details β€” the highest-risk scenarios. Pre-approved regular vendor payments up to threshold flow through the standard process with minimal friction. The framework is designed to add steps only where BEC risk is demonstrably highest, not across all transactions uniformly. Staff buy-in is achieved by framing the controls as protecting both the organization and the individual staff member from being the one whose action resulted in an unrecoverable loss.