Chapter 22 Β· Quiz

Phishing Quiz

Select your answer, then click Reveal Answer to check immediately β€” or grade all at once at the bottom.

Question 1: An attacker registers the domain "professormessor.com" (wrong spelling) and hosts a credential-harvesting page. Users who mistype the legitimate URL land on the attacker's site. What technique is this?

Correct answer: B. Typosquatting is a type of URL hijacking where the attacker registers a domain name that is a common misspelling of a legitimate site β€” for example, "professormessor.com" vs. the real "professormesser.com." Users who mistype the URL land on the fake page. The difference can be very subtle, which is what makes it effective. Pretexting (A) is lying to get information. Smishing (C) uses SMS. Vishing (D) uses voice calls.

Question 2: An employee receives a phone call. The caller ID displays the company's bank name and number. The caller says: "This is your bank's fraud department β€” we detected suspicious activity and need to verify your account number and PIN immediately." What type of attack is this?

Correct answer: C. Vishing (voice phishing) is phishing done over the phone or voicemail. Caller ID spoofing is a core technique β€” the attacker makes their call appear to come from a legitimate number (the bank's real phone number in this case) to create trust. Fake security checks and fake bank updates are classic vishing lures. Smishing (A) uses SMS text messages, not phone calls. BEC (B) uses email. This attack never involved a website or email β€” only a phone call.

Question 3: An attacker calls a company's accounting department and says: "Hi, this is calling from Visa regarding an automated payment to your utility service that didn't go through β€” I'll need to verify your payment details." The accountant provides the information. What technique did the attacker use?

Correct answer: C. Pretexting is lying to get information β€” the attacker is a character in a situation they create. In this example (drawn directly from the notes), the attacker pretends to be from Visa calling about an automated payment problem. In reality, there's no payment issue β€” the attacker is using a fabricated story to get the victim to voluntarily hand over credit card or payment details. No malware, no links, no fake website β€” just social engineering through a believable pretext. The attacker is "the character" in a drama of their own creation.

Question 4: An employee receives an email with a button labeled "Confirm Email Now." Before clicking, they look at the sender address and notice it is from an icloud.com address, even though the email claims to be from their corporate mail provider. What is the correct takeaway?

Correct answer: C. Phishing messages usually have something not quite right β€” in this case, a corporate mail service email supposedly arriving from an icloud.com address. The information in the message doesn't ring true. Always check the URL before clicking, and never click a link in an email when something feels off. Urgency cues ("will be blocked if not confirmed") and mismatched sender details are classic phishing indicators. Spam filters (D) do not catch all phishing β€” many sophisticated phishing emails reach inboxes successfully.

Question 5: A company finance manager receives an email appearing to be from the CEO: "I need you to process an urgent wire transfer of $75,000 to a new vendor today. Keep this confidential." The sender address is ceo@company-payments.com instead of the real ceo@company.com. What type of attack is this?

Correct answer: D. Business Email Compromise (BEC) exploits the trust that people place in email from executives. The attacker uses a spoofed or lookalike email address (company-payments.com instead of company.com) to impersonate the CEO. The goal is financial fraud β€” redirecting wire transfers or updating bank account details. The "keep this confidential" instruction is a social engineering pressure tactic to prevent the target from verifying the request through other channels. BEC caused billions in losses globally. The correct defense: always verify financial requests via a separate channel (phone call to a known number) regardless of how legitimate the email appears.

Matching: Phishing Variants

Match each term to its correct description.

TERM

Vishing
Smishing
Pretexting
Typosquatting

DESCRIPTION

Voice phishing using caller ID spoofing to impersonate banks or security teams over the phone
Registering a lookalike domain (e.g. professormessor.com) to capture users who mistype a URL
SMS text messages forwarding malicious links or requesting personal information
Attacker fabricates a believable scenario and assumes a false role to extract sensitive information

Performance Task

A mid-size company has experienced three incidents this quarter: (1) an employee wired $45,000 to a fake vendor after receiving a CEO email from a lookalike domain, (2) three employees clicked a link in a text message claiming to be from HR asking them to update their payroll details, (3) an employee gave IT credentials over the phone to someone claiming to be from the help desk. Name the attack type for each incident and design one specific defense for each.

Model Answer:

Incident 1 β€” CEO email from lookalike domain β†’ BEC (Business Email Compromise)
Attack: The attacker spoofed or registered a domain similar to the company's to impersonate the CEO and trigger a fraudulent wire transfer. The "urgency + confidentiality" social engineering prevented the employee from verifying through another channel.
Defense: Implement a mandatory call-back verification policy for all wire transfers above a defined threshold. The callback number must come from the company's internal directory β€” not from the email requesting the transfer. No exceptions. Additionally, configure email banners flagging external senders to alert employees when email claims to be from internal staff but arrives from an external domain.

Incident 2 β€” HR text message requesting payroll update β†’ Smishing
Attack: SMS phishing (smishing) using HR impersonation as the lure. Employees were directed to click a link β€” likely leading to a credential-harvesting page mimicking the payroll portal.
Defense: Send a company-wide communication: HR will never request payroll updates via text message. Employees should go directly to the official HR portal by typing the URL themselves β€” never through a link in a text or email. Enable MFA on the payroll/HR system so that even if credentials are harvested, the attacker cannot log in without the second factor.

Incident 3 β€” IT credentials given over the phone β†’ Pretexting (Vishing)
Attack: The attacker fabricated a help desk scenario (pretexting) delivered over the phone (vishing). The employee trusted the caller's claimed role and gave up credentials they should never share with anyone β€” including real IT staff.
Defense: Establish and communicate a clear policy: IT will never ask for your password β€” ever. During onboarding and annual security training, employees should practice recognizing this type of call. IT staff should have a verification code system so employees can confirm a caller is legitimate IT staff before sharing any information. Implement a "pause and verify" step: hang up and call the IT help desk back at the official number from the internal directory.