Chapter 25 Β· Quiz

Other Social Attacks Quiz

Test your knowledge. Select answers, then grade all at once.

Question 1: An employee receives a Microsoft Teams message from a colleague's real account saying "Heads up β€” HR is sending out salary cut notices today. Check this PDF before your name shows up." The PDF link installs malware. Investigation reveals the colleague's account was compromised two days earlier. What attack type is this?

Correct answer: B. This is SPIM β€” the attack is delivered via Microsoft Teams (an instant messaging platform), not email (eliminating A). The message uses the colleague's real, compromised account β€” making it technically legitimate and harder to detect than a spoofed message. The goal is malware delivery via IM, which is the definition of SPIM. Elicitation (C) involves drawing out information through conversation without deception β€” no malware delivery. Disinformation (D) is false information spread to shape opinion or behavior at scale β€” this is a targeted malware delivery attack, not a disinformation campaign.

Question 2: A company receives a $47,000 invoice from a regular vendor they have worked with for three years. The invoice format is identical to all previous invoices. However, the bank account routing number has changed by several digits. The payment is processed. Two weeks later the real vendor asks where their payment is. What attack occurred, and what single control would have prevented it?

Correct answer: C. Invoice fraud (vendor email compromise) β€” the attacker substituted their banking details on a fake but otherwise realistic invoice. The key indicator is the changed routing/account number on an otherwise identical invoice. Whaling (A) targets high-level executives specifically by name and role β€” this was an accounts payable process attack, not a targeted executive attack. Elicitation (B) involves gathering information through conversation, not financial fraud. Credential stuffing (D) is automated password-guessing β€” unrelated to invoice substitution. The single preventive control: a callback verification policy requiring a phone call to the vendor's known phone number (from the original contract, not the invoice) before processing any invoice with changed payment details.

Question 3: Security researchers discover thousands of social media accounts, all created within a 48-hour window, all sharing the same fabricated news article claiming a pharmaceutical company's vaccine caused adverse events. The accounts have similar naming patterns and post at identical intervals. What type of attack is this?

Correct answer: A. The indicators of coordination β€” accounts created in a short window, similar naming patterns, synchronized posting intervals β€” are hallmarks of a coordinated disinformation / influence operation, not organic user behavior. The deliberate fabrication of the news article and the organized amplification infrastructure confirm this is disinformation (deliberately false, created with intent to deceive) rather than misinformation (spread by believers). A hoax (B) would typically spread through human sharing and would not show bot-like synchronized posting patterns. SPIM (C) refers to IM platform spam, not coordinated social media account networks. Phishing (D) involves attempting to steal credentials or deliver malware, not spreading false health information.

Question 4: An employee finds a USB drive labeled "Performance Reviews Q4 β€” Do Not Share" in the company break room. What is the correct action?

Correct answer: D. Never plug in a found USB device β€” turn it in to IT security without plugging it in to any device. A: plugging into a personal device exposes the personal device to the same attack β€” a HID device types commands regardless of which machine it is connected to. B: leaving it allows another employee to find and plug it in β€” collecting and reporting it prevents further risk. C: airplane mode does not protect against HID attacks. A USB Rubber Ducky or similar device types commands (opens PowerShell, executes local scripts, creates accounts) entirely without network connectivity β€” airplane mode is irrelevant. The compelling label is specifically designed to maximize the urge to plug the drive in and look. The correct training response is: the more compelling the label, the more suspicious the drive.

Question 5: A security awareness trainer presents a case where an attacker gains detailed information about a target company's new product by attending a trade show and engaging company engineers in friendly, enthusiastic conversation β€” with no false identity and no deception. What social engineering technique was used?

Correct answer: B. Elicitation is specifically defined as drawing out sensitive information through natural-seeming conversation, without direct interrogative questions that would raise suspicion, and crucially without the deception that characterizes pretexting. The scenario explicitly states no false identity and no deception β€” eliminating pretexting (A), which requires a fabricated false identity or scenario. Vishing (C) is voice phishing β€” it involves deception and typically involves impersonating a trusted institution. SPIM (D) is instant messaging spam β€” no in-person conversation. Elicitation is the only technique that describes non-deceptive information gathering through professional conversation.

Matching: Attack Types

Match each attack term to its correct definition.

ATTACK TYPE

Hoax
Elicitation
USB Drop Attack
Disinformation

DEFINITION

Deliberately false information spread with intent to deceive, often in coordinated campaigns
Leaving malicious physical media in locations where targets will find and use it
Drawing out sensitive information through normal-seeming conversation without direct interrogative questions
False information spread β€” often by well-meaning people β€” to manipulate behavior through urgency or fear

Analysis Question

A CISO argues that since all their employees have completed phishing awareness training, the social engineering risk is significantly reduced. Critique this argument.

Model Answer:

Partially correct but significantly incomplete. Phishing training addresses one delivery vector β€” email phishing β€” and does nothing to address the broader social engineering landscape.

What phishing training does not cover:

(1) SPIM via collaboration platforms: Teams and Slack messages, especially from compromised accounts, require different vigilance than email. Employees trained to hover over email links will not apply the same behavior to a Teams direct message from a known colleague.

(2) Elicitation at conferences and social events: No phishing indicators to recognize. The attack looks like a normal professional conversation. Phishing training provides no framework for protecting information in conversational contexts.

(3) USB drop attacks: No email involved. Physical media requires physical security awareness, not email vigilance. A trained phishing-spotter may still pick up a labeled USB drive without hesitation.

(4) Invoice fraud: Often bypasses security-suspicious employees because the invoice looks completely legitimate β€” it is the payment details, not the communication, that are fraudulent. Process controls (callback verification) are more relevant than phishing training.

(5) Vishing and phone-based social engineering: Different channel, different psychological triggers, different defensive responses needed.

(6) Physical social engineering: Tailgating, impersonation, diversion theft β€” none of these are addressed by email phishing training.

(7) Disinformation targeting employees: Employee perception of company leadership, product safety, and organizational stability can all be manipulated through disinformation β€” phishing training provides no defense here.

Conclusion: A comprehensive social engineering defense requires: training across all attack vectors (not just email phishing), strong process controls (verification procedures, dual authorization for financial transactions), technical controls (MFA, endpoint USB scanning, collaboration platform security), and a security culture where skeptical verification is normalized rather than treated as a sign of distrust.

Performance Task

Design a comprehensive social engineering awareness program for a 500-person financial services company that covers the full spectrum β€” not just phishing, but the complete range of attack types covered in this chapter.

Model Answer:

Phase 1 β€” Assessment (before any training begins):
Conduct a baseline social engineering assessment across all vectors: simulated phishing (email), simulated vishing calls, simulated USB drops in parking areas and lobby, simulated tailgating attempts at secure entrances. Measure baseline performance across each vector before training begins β€” you cannot demonstrate improvement without a baseline.

Phase 2 β€” Training Curriculum (annual, role-based):

All employees: Phishing and SPIM recognition (email and IM platforms). Hoax recognition and verification procedures β€” official communication channels. USB drop policy: found drives turned in to IT security, never plugged in. Reporting procedures: one-click report button, who to call, no penalty for reporting.

Finance and accounting staff: Invoice fraud specifics and BEC patterns. Wire transfer verification procedures β€” callback policy for any changed payment details. Dual-authorization requirements for transactions above threshold.

Front desk and reception: Tailgating and physical impersonation. Visitor verification and escort requirements. Diversion theft awareness for incoming shipments.

Executives and executive assistants: Whaling and personalized executive targeting. Deepfake voice and video awareness β€” verify unusual requests from executives via out-of-band callback. Personal OSINT hygiene β€” what they post on LinkedIn about the organization enables targeted attacks.

Engineers and R&D staff: Elicitation awareness specifically β€” conference and trade show information security. What constitutes confidential information in a conversational context. The need-to-know principle in social situations.

IT and helpdesk staff: Vishing from fake users requesting password resets or access changes. Helpdesk social engineering β€” social engineering attacks targeting the helpdesk are a primary initial access vector. Verification procedures for identity before any credential change.

Phase 3 β€” Simulations (quarterly, not just annual):
Phishing simulations for all staff. Vishing calls targeting helpdesk and finance staff. USB drop tests in parking areas and lobby. Tailgating attempts at secure entrances. Zero punishment β€” immediate in-the-moment micro-training for those who do not catch it. Publish aggregate results (not individual names) to leadership quarterly.

Phase 4 β€” Process Controls (training-independent backstops):
Dual authorization required for all wire transfers and payment changes above a defined threshold. Callback verification policy formally documented, signed by finance staff, enforced by management. USB found-device policy posted at workstations. MFA on all systems including collaboration platforms β€” critical for SPIM and BEC defense.

Phase 5 β€” Reporting Culture:
One-click "Report Suspicious" button in email. Easy reporting path for all other channels (Teams bot, security hotline). Public recognition for employees who correctly identify and report attacks. Reported near-misses treated as wins β€” not as evidence the employee did something wrong.

Metrics tracked quarterly: Phishing click rate and report rate. Vishing success rate. USB plug-in rate vs. correct report rate. Tailgating success rate. Time-to-report for incidents. All trended and reported to leadership as a security posture indicator.