Chapter 23 Β· Quiz

Impersonation Quiz

Select your answer, then click Reveal Answer to check immediately β€” or grade all at once at the bottom.

Question 1: A person receives this voicemail: "This is an enforcement action executed by the US Treasury intending your serious attention. Failure to respond may result in your arrest." They panic and call back immediately. What should they have recognized first?

Correct answer: B. This is a classic pretexting attack β€” the attacker sets the trap before the call even begins, fabricating a scenario involving a government agency and an "enforcement action" to create maximum fear and urgency. Urgency and fear are deliberately used to reduce the victim's critical thinking and rush them into acting without verification. The US Treasury does not contact people via automated voicemail about enforcement actions. The correct response: hang up, independently look up the actual phone number of the agency, and call that verified number β€” not the one left in the message.

Question 2: An attacker calls an IT helpdesk employee and says: "I need access reset urgently β€” there's a catastrophic feedback due to the depolarization of the differential magnetometer on the server rack." The helpdesk employee is confused but assumes the caller must know what they're talking about and resets the access. What impersonation technique was used?

Correct answer: C. The attacker used technical jargon β€” throwing around complex-sounding but meaningless technical language to project authority and expertise. The phrase "catastrophic feedback due to the depolarization of the differential magnetometer" is nonsense, but it sounds technical enough that a confused victim may assume the caller must be a legitimate expert. The principle: you don't need to understand the jargon β€” just use it to make the target doubt themselves. This is a documented impersonation technique: bury the victim in terminology so they defer to the "expert."

Question 3: A security awareness trainer explains: "The attacker wasn't really trying to steal your password β€” they were just asking you friendly questions about your weekend, your job title, and which systems you use." A week later, the company suffered a breach using exactly that information. What technique was the attacker using during those casual conversations?

Correct answer: B. Elicitation is "hacking the human" β€” extracting valuable information through seemingly innocent conversation, without the victim ever realizing they are being pumped for intelligence. The victim doesn't feel interrogated because the attacker never asked for a password. They asked about job titles, systems, processes, and team structure. That reconnaissance data then fuels the actual attack. Elicitation is frequently combined with vishing (voice calls) because live conversation allows the attacker to adapt, probe, and redirect based on what the victim reveals.

Question 4: An attacker uses personal information stolen through impersonation attacks to apply for three credit cards, take out a car loan, and claim government disability benefits β€” all in the victim's name. What is the umbrella term for this category of crime?

Correct answer: C. Identity fraud is when an attacker uses someone else's stolen personal information to impersonate them β€” opening credit accounts, taking out loans, or claiming government benefits in the victim's name. It encompasses multiple sub-types: credit card fraud (opening accounts or using stolen card info), bank fraud (accessing or opening bank accounts), loan fraud (applying for loans or leases), and government benefits fraud (claiming welfare, disability, or tax refunds). Impersonation attacks are frequently the method used to first obtain the personal data that then enables identity fraud.

Question 5: An employee receives a phone call from someone claiming to be from the company's IT helpdesk asking to verify their login credentials for a "security audit." What is the BEST response?

Correct answer: C. The correct defense against impersonation has two parts: (1) never volunteer sensitive information to an inbound caller β€” the caller's legitimacy cannot be verified from the call alone, and (2) always verify through an independent trusted channel β€” hang up and call back using the official number from the company directory, not a number the caller provides. Asking for an employee ID (B) is easily faked by an attacker who did their reconnaissance. Providing credentials by email (D) is equally dangerous. Legitimate helpdesk staff never need your password β€” they can reset it without it.

Matching: Identity Fraud Types

Match each identity fraud type to its correct description.

FRAUD TYPE

Credit Card Fraud
Bank Fraud
Loan Fraud
Government Benefits Fraud

DESCRIPTION

Attacker obtains welfare payments, disability benefits, or tax refunds using the victim's identity
Attacker opens a new credit account or uses stolen card information for unauthorized purchases
Attacker applies for a mortgage, car lease, or personal loan using someone else's personal information
Attacker gains access to an existing account or opens a new account using stolen identity details

Performance Task

Your organization's receptionist receives a call: "Hello, this is Wendy from Microsoft Windows. This is an urgent check-up call β€” we've detected several critical problems with your company's computers. I'll need to be connected to someone in IT who can give me remote access to fix this immediately." Identify: (1) what attack this is, (2) what techniques are being used, (3) what the receptionist should do, and (4) what controls the organization should put in place.

Model Answer:

(1) Attack type: Impersonation / pretexting β€” a classic "Microsoft Windows support" scam. Microsoft does not proactively call organizations to report computer problems. This is a fabricated pretext designed to gain unauthorized remote access to internal systems.

(2) Techniques being used:
β€” Pretexting: The attacker has prepared a believable story (Microsoft finding problems) and assumed a specific role (Wendy from Microsoft Windows) before making the call.
β€” Urgency: "Urgent check-up" and "critical problems" are designed to pressure the target into acting quickly without verifying.
β€” Authority impersonation: Claiming to be from a large, trusted technology vendor (Microsoft) lends false legitimacy to the request.
β€” Elicitation setup: Requesting to be connected to IT staff is the next step β€” once connected, elicitation and technical jargon will be used to manipulate the IT contact into granting remote access.

(3) What the receptionist should do:
β€” Do not transfer the call to IT. Do not volunteer any information about the company's systems or personnel.
β€” Politely end the call: "I'm not able to connect external callers to our IT team. If this is a legitimate matter, please contact us in writing through our official channels."
β€” Report the call immediately to the IT or security team β€” this is a potential targeted attack attempt that the security team should be aware of.
β€” Never call back any number the caller provides β€” if the call were somehow legitimate (it isn't), Microsoft support tickets are initiated by the customer, not cold-called by Microsoft.

(4) Organizational controls:
β€” Security awareness training covering impersonation scenarios β€” specifically the "Microsoft calling about your computer" scam, which is among the most common. Receptionists and customer-facing staff are high-value social engineering targets.
β€” Verification policy: Establish a written policy that no external caller is transferred to IT without prior written authorization or a verified callback. Post this policy physically at reception desks.
β€” Reporting culture: Train staff that reporting suspicious calls is encouraged and valued β€” employees should feel safe escalating without fear of being wrong. A false positive report has no cost; a missed impersonation attempt can cost the organization significantly.
β€” Principle of never volunteering information: Include in onboarding that no employee should provide personal details, system information, credentials, or internal contact names to unverified callers, regardless of who the caller claims to be.