0 / 16 flipped
What is Spam?
Unsolicited bulk email; used for advertising, phishing, or malware distribution. Succeeds through volume β a fraction of a percent click rate across millions of messages produces thousands of compromises. Defense: spam filters, email authentication protocols (SPF, DKIM, DMARC), user awareness training.
What is SPIM?
Spam over Instant Messaging β unsolicited bulk messages sent via Teams, Slack, SMS, social media DMs. Same risks as email spam but employees often have lower vigilance on IM platforms. Especially dangerous when delivered from compromised accounts of known contacts. Defense: platform security controls, MFA on all collaboration accounts, user awareness that IM carries the same risks as email.
What is a Hoax?
A false warning or alert designed to cause recipients to take harmful actions β disabling security tools, forwarding sensitive files, spreading the message further. Spreads virally because well-meaning people forward it believing they are being helpful. Can cause real harm: if employees disable security controls based on a fake warning, the organization is genuinely vulnerable. Defense: any "urgent security warning" should be verified with IT before acting, not followed.
What is Disinformation?
False information deliberately created and spread with intent to deceive. Intent to deceive distinguishes it from misinformation. Used in influence operations, brand attacks, and market manipulation. Example from Olusegun's casebook: fabricated CEO resignation post caused a 4% stock drop before trading was halted. Defense: brand monitoring, crisis communications plan, rapid response through official channels, platform reporting.
What is Misinformation?
False information spread without malicious intent β the sharer believes it to be true. Spreads through well-meaning people who are themselves deceived. The same false claim can be disinformation (spread by someone who knows it's false) or misinformation (spread by someone who believes it's true). Intent matters for attribution and legal response. Defense is the same as for disinformation: verify before acting, official channels, correct the record.
What is Elicitation?
The skillful extraction of sensitive information through seemingly normal conversation. Used by intelligence agencies, competitive intelligence firms, and social engineers doing recon. No deception required β the target volunteers information willingly. Techniques: flattery, feigned ignorance, deliberate false statements, provocative questions, bracketing, volunteering false information. Defense: need-to-know culture, training on what NOT to discuss with strangers, pre-conference briefings.
What is a USB drop attack?
Found USB drives containing malicious payloads left in locations where targets will find and plug them in. Curiosity drives victims to plug them in β labels like "Q3 Salary Review - Confidential" maximize plug-in rates. Stuxnet used this to reach air-gapped Iranian nuclear facilities in 2010. Defense: disable USB ports via Group Policy, device control software, training that "found USB = call security, never plug in."
What is a HID attack device?
A device β USB drive or cable β that masquerades as a keyboard or mouse (Human Interface Device) and injects keystrokes to execute commands. The OS trusts it automatically as a keyboard. Types attack commands at 1,000 characters/second. Examples: Rubber Ducky, O.MG Cable. Cannot be stopped by AV β no malicious file to scan, only "keyboard input." Must be addressed at the physical/policy layer.
What is the Rubber Ducky (Hak5)?
A USB HID attack device by Hak5 that appears as a flash drive but acts as a pre-programmed keyboard, injecting keystrokes at high speed. The attacker writes a DuckyScript payload β keystrokes that open PowerShell, download malware, create accounts, cover tracks. Completely indistinguishable from a legitimate USB drive. First-generation device that established the HID attack category and inspired many successors.
What is the O.MG Cable?
A USB charging or data cable containing a hidden microcontroller embedded in the connector housing. Can act as a HID keyboard or provide remote WiFi-connected command execution. When plugged in "just to charge," it executes a PowerShell download cradle to establish a reverse shell. Physically indistinguishable from a legitimate Apple or USB-C cable. Represents the evolution of HID attacks into everyday accessories.
What is Invoice / Vendor Fraud?
Impersonating a vendor to redirect payments to attacker-controlled accounts, typically via a fake "banking detail change" email. The email matches real vendor formatting exactly; only the payment details change. From Olusegun's casebook: $280K diverted over 3 months. Key defense: out-of-band verification β call the vendor on a number from the original contract (not the email, not a number the "vendor" provides) before updating any payment details.
What is OSINT?
Open Source Intelligence: intelligence gathered from publicly available sources to profile targets before attacks. Sources: LinkedIn (roles, colleagues, projects), company websites (org charts), social media (personal details, travel), press releases, conference talks, job postings, public records. The foundation of most social engineering reconnaissance. Attackers use OSINT to build realistic pretexts, identify high-value targets, and craft personalized attacks.
What is an Influence Operation?
Coordinated use of fake accounts, bots, disinformation, and fabricated content to manipulate public opinion or organizational decisions. Often state-sponsored. Characteristics: fake account creation in coordinated windows, fabricated evidence, coordinated amplification, seeding to real media. Used against elections, corporate brands, and financial markets. Any organization with brand value is a potential target. Defense: brand monitoring, rapid response, platform reporting, legal action.
What is Malinformation?
True information spread with malicious intent to cause harm. The information is factually accurate but the intent is to damage. Examples: leaking private executive communications out of context; publishing accurate but private personal information; releasing true internal documents timed to cause maximum reputational harm. Distinguished from disinformation (false content) and misinformation (spread without malicious intent). Truth is not a defense for the intent to harm.
Elicitation technique: deliberate false statement
State something plausibly incorrect: "I heard your company is migrating to AWS next year." If the target corrects you β "Actually, we went with Azure" β they have provided the accurate answer. People feel compelled to correct factual errors about their own organization. The correction IS the information the attacker wanted. Works for technology stacks, timelines, team sizes, partner relationships, and security practices.
What is Security Culture?
The collective organizational attitudes and behaviors around security. A strong security culture means employees think critically about unusual requests, report suspicious activity without fear, and verify before acting β even under pressure. Training measurably reduces successful social engineering: 60β70% reduction at organizations that train regularly. Building it requires leadership commitment, normalized reporting, celebrated verification behavior, and treating incidents as learning opportunities rather than punishable failures.