Question 1: An employee receives a Microsoft Teams message from a colleague's real account saying "Heads up β HR is sending out salary cut notices today. Check this PDF before your name shows up." The PDF link installs malware. Investigation reveals the colleague's account was compromised two days earlier. What attack type is this?
Question 2: A company receives a $47,000 invoice from a regular vendor they have worked with for three years. The invoice format is identical to all previous invoices. However, the bank account routing number has changed by several digits. The payment is processed. Two weeks later the real vendor asks where their payment is. What attack occurred, and what single control would have prevented it?
Question 3: Security researchers discover thousands of social media accounts, all created within a 48-hour window, all sharing the same fabricated news article claiming a pharmaceutical company's vaccine caused adverse events. The accounts have similar naming patterns and post at identical intervals. What type of attack is this?
Question 4: An employee finds a USB drive labeled "Performance Reviews Q4 β Do Not Share" in the company break room. What is the correct action?
Question 5: A security awareness trainer presents a case where an attacker gains detailed information about a target company's new product by attending a trade show and engaging company engineers in friendly, enthusiastic conversation β with no false identity and no deception. What social engineering technique was used?
Matching: Attack Types
Match each attack term to its correct definition.
ATTACK TYPE
DEFINITION
Analysis Question
A CISO argues that since all their employees have completed phishing awareness training, the social engineering risk is significantly reduced. Critique this argument.
Partially correct but significantly incomplete. Phishing training addresses one delivery vector β email phishing β and does nothing to address the broader social engineering landscape.
What phishing training does not cover:
(1) SPIM via collaboration platforms: Teams and Slack messages, especially from compromised accounts, require different vigilance than email. Employees trained to hover over email links will not apply the same behavior to a Teams direct message from a known colleague.
(2) Elicitation at conferences and social events: No phishing indicators to recognize. The attack looks like a normal professional conversation. Phishing training provides no framework for protecting information in conversational contexts.
(3) USB drop attacks: No email involved. Physical media requires physical security awareness, not email vigilance. A trained phishing-spotter may still pick up a labeled USB drive without hesitation.
(4) Invoice fraud: Often bypasses security-suspicious employees because the invoice looks completely legitimate β it is the payment details, not the communication, that are fraudulent. Process controls (callback verification) are more relevant than phishing training.
(5) Vishing and phone-based social engineering: Different channel, different psychological triggers, different defensive responses needed.
(6) Physical social engineering: Tailgating, impersonation, diversion theft β none of these are addressed by email phishing training.
(7) Disinformation targeting employees: Employee perception of company leadership, product safety, and organizational stability can all be manipulated through disinformation β phishing training provides no defense here.
Conclusion: A comprehensive social engineering defense requires: training across all attack vectors (not just email phishing), strong process controls (verification procedures, dual authorization for financial transactions), technical controls (MFA, endpoint USB scanning, collaboration platform security), and a security culture where skeptical verification is normalized rather than treated as a sign of distrust.
Performance Task
Design a comprehensive social engineering awareness program for a 500-person financial services company that covers the full spectrum β not just phishing, but the complete range of attack types covered in this chapter.
Phase 1 β Assessment (before any training begins):
Conduct a baseline social engineering assessment across all vectors: simulated phishing (email), simulated vishing calls, simulated USB drops in parking areas and lobby, simulated tailgating attempts at secure entrances. Measure baseline performance across each vector before training begins β you cannot demonstrate improvement without a baseline.
Phase 2 β Training Curriculum (annual, role-based):
All employees: Phishing and SPIM recognition (email and IM platforms). Hoax recognition and verification procedures β official communication channels. USB drop policy: found drives turned in to IT security, never plugged in. Reporting procedures: one-click report button, who to call, no penalty for reporting.
Finance and accounting staff: Invoice fraud specifics and BEC patterns. Wire transfer verification procedures β callback policy for any changed payment details. Dual-authorization requirements for transactions above threshold.
Front desk and reception: Tailgating and physical impersonation. Visitor verification and escort requirements. Diversion theft awareness for incoming shipments.
Executives and executive assistants: Whaling and personalized executive targeting. Deepfake voice and video awareness β verify unusual requests from executives via out-of-band callback. Personal OSINT hygiene β what they post on LinkedIn about the organization enables targeted attacks.
Engineers and R&D staff: Elicitation awareness specifically β conference and trade show information security. What constitutes confidential information in a conversational context. The need-to-know principle in social situations.
IT and helpdesk staff: Vishing from fake users requesting password resets or access changes. Helpdesk social engineering β social engineering attacks targeting the helpdesk are a primary initial access vector. Verification procedures for identity before any credential change.
Phase 3 β Simulations (quarterly, not just annual):
Phishing simulations for all staff. Vishing calls targeting helpdesk and finance staff. USB drop tests in parking areas and lobby. Tailgating attempts at secure entrances. Zero punishment β immediate in-the-moment micro-training for those who do not catch it. Publish aggregate results (not individual names) to leadership quarterly.
Phase 4 β Process Controls (training-independent backstops):
Dual authorization required for all wire transfers and payment changes above a defined threshold. Callback verification policy formally documented, signed by finance staff, enforced by management. USB found-device policy posted at workstations. MFA on all systems including collaboration platforms β critical for SPIM and BEC defense.
Phase 5 β Reporting Culture:
One-click "Report Suspicious" button in email. Easy reporting path for all other channels (Teams bot, security hotline). Public recognition for employees who correctly identify and report attacks. Reported near-misses treated as wins β not as evidence the employee did something wrong.
Metrics tracked quarterly: Phishing click rate and report rate. Vishing success rate. USB plug-in rate vs. correct report rate. Tailgating success rate. Time-to-report for incidents. All trended and reported to leadership as a security posture indicator.