Question 1: A person receives this voicemail: "This is an enforcement action executed by the US Treasury intending your serious attention. Failure to respond may result in your arrest." They panic and call back immediately. What should they have recognized first?
Question 2: An attacker calls an IT helpdesk employee and says: "I need access reset urgently β there's a catastrophic feedback due to the depolarization of the differential magnetometer on the server rack." The helpdesk employee is confused but assumes the caller must know what they're talking about and resets the access. What impersonation technique was used?
Question 3: A security awareness trainer explains: "The attacker wasn't really trying to steal your password β they were just asking you friendly questions about your weekend, your job title, and which systems you use." A week later, the company suffered a breach using exactly that information. What technique was the attacker using during those casual conversations?
Question 4: An attacker uses personal information stolen through impersonation attacks to apply for three credit cards, take out a car loan, and claim government disability benefits β all in the victim's name. What is the umbrella term for this category of crime?
Question 5: An employee receives a phone call from someone claiming to be from the company's IT helpdesk asking to verify their login credentials for a "security audit." What is the BEST response?
Matching: Identity Fraud Types
Match each identity fraud type to its correct description.
FRAUD TYPE
DESCRIPTION
Performance Task
Your organization's receptionist receives a call: "Hello, this is Wendy from Microsoft Windows. This is an urgent check-up call β we've detected several critical problems with your company's computers. I'll need to be connected to someone in IT who can give me remote access to fix this immediately." Identify: (1) what attack this is, (2) what techniques are being used, (3) what the receptionist should do, and (4) what controls the organization should put in place.
(1) Attack type: Impersonation / pretexting β a classic "Microsoft Windows support" scam. Microsoft does not proactively call organizations to report computer problems. This is a fabricated pretext designed to gain unauthorized remote access to internal systems.
(2) Techniques being used:
β Pretexting: The attacker has prepared a believable story (Microsoft finding problems) and assumed a specific role (Wendy from Microsoft Windows) before making the call.
β Urgency: "Urgent check-up" and "critical problems" are designed to pressure the target into acting quickly without verifying.
β Authority impersonation: Claiming to be from a large, trusted technology vendor (Microsoft) lends false legitimacy to the request.
β Elicitation setup: Requesting to be connected to IT staff is the next step β once connected, elicitation and technical jargon will be used to manipulate the IT contact into granting remote access.
(3) What the receptionist should do:
β Do not transfer the call to IT. Do not volunteer any information about the company's systems or personnel.
β Politely end the call: "I'm not able to connect external callers to our IT team. If this is a legitimate matter, please contact us in writing through our official channels."
β Report the call immediately to the IT or security team β this is a potential targeted attack attempt that the security team should be aware of.
β Never call back any number the caller provides β if the call were somehow legitimate (it isn't), Microsoft support tickets are initiated by the customer, not cold-called by Microsoft.
(4) Organizational controls:
β Security awareness training covering impersonation scenarios β specifically the "Microsoft calling about your computer" scam, which is among the most common. Receptionists and customer-facing staff are high-value social engineering targets.
β Verification policy: Establish a written policy that no external caller is transferred to IT without prior written authorization or a verified callback. Post this policy physically at reception desks.
β Reporting culture: Train staff that reporting suspicious calls is encouraged and valued β employees should feel safe escalating without fear of being wrong. A false positive report has no cost; a missed impersonation attempt can cost the organization significantly.
β Principle of never volunteering information: Include in onboarding that no employee should provide personal details, system information, credentials, or internal contact names to unverified callers, regardless of who the caller claims to be.