Chapter 25 Β· Tricks & Performance

Trick Questions & Performance Tasks

The social engineering exam traps that catch students off guard β€” and the performance tasks that separate real understanding from memorization.

Trick 1: "As long as a message comes from a known contact's real account, it can be trusted." True or False?
FALSE β€” account compromise is one of the most effective attack vectors precisely because the message IS from the real account.

SPIM attacks from compromised Teams and Slack accounts, BEC from compromised executive email accounts, and invoice fraud from compromised vendor email accounts all succeed because the authentication is technically legitimate. The message appears to come from a trusted person β€” and it does, from their compromised account.

Standard phishing defenses are entirely bypassed: the sender address passes SPF, DKIM, and DMARC checks because the message really did originate from that account. Email filtering does not flag it as suspicious. The recipient's own skepticism is suppressed because the sender is someone they know and trust.

The compromised-account attack is more dangerous than a spoofed message precisely because it is real. A spoofed message can be caught by authentication checks. A message from a compromised legitimate account passes every technical check.

The defense: Apply the same critical thinking to messages from known contacts that you would apply to anyone. Does this request make sense coming from this person? Is this a link or request I would expect from them in this context? For anything sensitive, unusual, or that involves clicking a link in an unexpected message β€” verify through a separate channel. Call the person directly. Do not reply to the message asking if it is real: the compromised account will confirm it.

Exam tip: The question "a message that appears to come from a legitimate user account should be trusted" is FALSE. Account compromise makes the apparent legitimacy of the source irrelevant. Authentication of the account is not authentication of the human behind the account in that moment.
Trick 2: "Security awareness training eliminates the risk of social engineering." True or False?
FALSE β€” security awareness training significantly reduces risk but cannot eliminate it.

Five reasons training alone is insufficient:

(1) Even trained employees get fooled. Sophisticated, personalized social engineering attacks succeed against security professionals, penetration testers, and executives who have received extensive training. Highly-targeted attacks are specifically designed to overcome the awareness of security-educated individuals β€” they use personal details, correct context, and psychological pressure points that generic training cannot fully prepare targets for.

(2) Training rarely covers every attack type. Most security awareness programs focus heavily on email phishing. They provide inadequate coverage of SPIM, elicitation, USB drop attacks, physical impersonation, vishing, and disinformation. An employee who would never click a suspicious email link may still plug in a labeled USB drive they found in the parking lot or freely discuss technical details at a conference.

(3) Training degrades over time without reinforcement. Knowledge and vigilance decline without regular reinforcement. An employee who completed phishing training eighteen months ago and has not been tested since is not meaningfully protected by that training today.

(4) New attack techniques emerge continuously. Training covers known patterns. Emerging techniques β€” deepfake voice impersonation, AI-generated spear phishing, new platform-specific SPIM vectors β€” may not be reflected in current training content.

(5) One weak link undermines organization-wide training. A single untrained, undertrained, or momentarily inattentive employee in a critical role (accounts payable, IT helpdesk, reception) can enable an attack that organization-wide training was designed to prevent.

The correct framing: The goal of security awareness training is to raise the cost and difficulty of social engineering attacks, detect them faster when they occur, and ensure rapid reporting β€” not to achieve zero social engineering incidents. Process controls (verification procedures, dual authorization, callback policies) are the essential backstop when training fails β€” and training will sometimes fail.
Trick 3: "Disinformation campaigns primarily target elections β€” they are not a significant business risk." True or False?
FALSE β€” corporate disinformation is a documented, significant business risk.

While disinformation campaigns against elections receive the most media coverage, corporate targeting is well-documented and financially damaging:

Financial market impact: Short-and-distort attacks β€” where an attacker takes a short position in a stock, then publishes fabricated negative information to drive the price down β€” are a real market manipulation technique. False reports of accounting fraud, safety failures, or regulatory violations can cause immediate, significant stock price drops. The attacker profits; the company spends months recovering credibility.

Operational damage: False product safety claims cause customer cancellations, retailer de-shelving, and regulatory investigations even before the claims are debunked. The timeline of a disinformation attack is often faster than the timeline of a credible investigation and correction.

Competitive targeting: Fabricated scandals timed to affect partnerships, acquisition discussions, or product launches can cause real business harm. A competitor who spreads false information about your product reliability shortly before a major procurement decision does not need the information to be believed permanently β€” only long enough to influence the decision.

Reputational damage: False allegations amplified on social media, and potentially picked up by legitimate journalists who cover the story without full verification, can persist in search results and public perception long after official debunking.

Exam tip: Any organization with brand value, publicly traded stock, significant customer relationships, or public presence is a potential disinformation target. This is not solely a government or political problem β€” it is a corporate security risk that requires brand monitoring, crisis communications planning, and rapid response infrastructure.
Trick 4: "USB drives are safe to plug in if you scan them with antivirus first before opening any files." True or False?
FALSE β€” antivirus scanning before opening files does NOT protect against HID (Human Interface Device) attack devices.

The assumption behind "scan before opening" is that the threat is a malicious file on the drive. This assumption is wrong for HID attack devices.

A USB Rubber Ducky, Bash Bunny, or similar device does not store malware files. It presents to the operating system as a keyboard (a HID β€” Human Interface Device). The OS trusts it immediately as a keyboard β€” operating systems have no mechanism to verify whether a keyboard is "legitimate." The device begins typing commands the instant it is plugged in.

Timeline of a HID attack after plug-in:
0ms: Device presents as keyboard. OS driver loads.
500ms: Device starts "typing." Opens Run dialog or PowerShell.
2-3 seconds: Command downloads a payload from an attacker-controlled URL.
5 seconds: Payload executes. The attack is complete.

At no point does the user have an opportunity to run a scan. There is nothing to scan β€” no file was delivered via USB, only "keyboard input" that launched a download. Even if endpoint AV scanned the USB storage area (finding it empty or containing only decoy files), the HID payload has already executed.

The only defenses against HID attacks:
(1) Never plug in an unknown USB device β€” this is the only fully reliable defense.
(2) Group Policy or endpoint management configured to block enrollment of unknown HID devices.
(3) Physical USB port blockers in high-security areas.

Exam tip: Any answer that involves scanning a found USB drive before using it is wrong if the question involves potential HID devices. Scanning addresses malware-file threats, not HID attacks. The correct answer is always: do not plug in unknown USB devices under any circumstances.
Trick 5: "Elicitation is only possible in face-to-face conversations." True or False?
FALSE β€” elicitation works effectively across multiple channels, including fully asynchronous ones.

Elicitation exploits social norms of helpfulness, professional reciprocity, and conversational flow. These norms exist in every communication medium, not just in-person conversation:

Phone calls: A casual "industry check-in" call, a call from someone claiming to be a journalist writing about industry trends, or a call from a "recruiter wanting to understand the technical landscape" β€” all effective elicitation vectors over the phone. Voice communication carries social pressure similar to in-person interaction.

Video calls: Similar dynamics to in-person β€” eye contact, body language, and the social expectation of collegial conversation all operate in video calls.

LinkedIn and professional social media: This is elicitation at scale. People post constantly about their current projects, technical challenges, technologies they are exploring, partners they are working with, and product timelines β€” often without considering that competitors and intelligence analysts are reading everything. LinkedIn is an elicitation platform that never closes. A message framed as "I found your work on X fascinating and had a question about your approach to Y" is a targeted elicitation via asynchronous messaging.

Online forums and community platforms: Industry Slack communities, Reddit, Stack Overflow, GitHub β€” professionals share detailed technical information in these contexts that they would never include in a press release. Attackers participate in these communities specifically to gather intelligence through normal-seeming participation.

The principle: If information classification and the need-to-know principle matter in formal document contexts, they matter equally in every communication channel β€” including LinkedIn posts, conference conversations, phone calls, and online community participation. The channel does not determine whether the information is sensitive.
Performance Task: A financial institution runs its first comprehensive social engineering assessment. Results: 31% email phishing click rate, 18% credential entry on phishing pages, 4 of 10 vishing calls obtained credentials, 3 of 5 USB drops resulted in plug-in, 2 of 3 tailgating attempts succeeded. Design a 12-month improvement roadmap with specific targets and milestones.
Model Answer:

Months 1–2: Emergency Controls (stop the bleeding immediately)

The 18% credential entry rate means stolen credentials are immediately usable against the organization. The single highest-impact action: mandate MFA for all systems, starting with email, VPN, financial systems, and collaboration platforms. MFA makes stolen credentials dramatically less valuable β€” even if phishing and vishing continue to succeed in harvesting credentials, those credentials alone cannot produce account access.

Deploy USB port blockers in the highest-security areas immediately. Issue a company-wide communication β€” genuine, not a test β€” acknowledging that the organization conducted an assessment and is improving its security posture. Establish the reporting culture: report suspicious contacts immediately, no penalty for being targeted, report even if you clicked.

Post "Do Not Plug In Found USB Devices" signage in parking areas, lobby, and break rooms.

Months 3–4: Foundational Training

Phishing and SPIM awareness for all 500 staff β€” interactive session, not video-only. Focus: how to identify suspicious links, how to use the one-click report button (deploy this during this phase), verification procedures before clicking anything unexpected. Explicitly cover that IM messages carry the same risk as email links.

Vishing awareness: the specific scenario of "IT calling to verify credentials" or "HR requesting personal information to update records." How to verify a caller's identity through out-of-band means.

Physical security: tailgating and mantrap culture, visitor escort requirements, badge access policy review.

Months 5–6: Process Controls

Wire transfer and payment change verification procedures formally documented, communicated to all finance staff, and signed. Dual authorization required for all transactions above a defined threshold. Callback verification policy implemented and enforced: any changed vendor payment details require a callback to the vendor's known number before processing.

Physical access: badge access logs reviewed for tailgating indicators, mantrap or reception-controlled entry implemented or hardened at all secure entrances.

All new employee onboarding: social engineering awareness in day-1 onboarding, including USB policy, reporting procedures, and verification culture.

Months 7–8: Targeted Role-Based Training

Finance and accounting: invoice fraud deep-dive, BEC patterns, wire transfer control procedures specific to the organization.

Front desk and reception: physical impersonation, tailgating, visitor verification step-by-step.

IT helpdesk: social engineering specifically targeting helpdesk β€” identity verification before any credential reset, escalation procedures for suspicious requests.

Executives and EAs: whaling awareness, deepfake voice/video recognition, personal OSINT hygiene (what posting on LinkedIn reveals about the organization).

Month 9: Re-Assessment

Re-run the same assessment scenarios with the same methodology. Compare results against baseline. Targets at 9 months: phishing click rate below 15% (from 31%), credential entry below 8% (from 18%), vishing success below 30% (from 40%), USB plug-in zero or near-zero with full reporting compliance, tailgating zero.

Months 10–12: Continuous Program Establishment

Monthly phishing simulations with immediate micro-training for those who click. Quarterly vishing tests targeting helpdesk and finance specifically. Semi-annual USB drop tests in parking areas and lobby. Security newsletter with real-world social engineering examples relevant to financial services.

Incentive program: public recognition (team-level, not individual) for departments maintaining low click rates. Quarterly security metrics presented to leadership including click rate trends, report rate trends, and incidents-prevented-by-employee-action.

Year-end targets: Phishing click rate under 10%, credential entry under 3%, vishing success under 10%, USB plug-in zero with correct reporting 100%, tailgating zero. MFA covering 100% of systems. Callback verification policy signed and in force for all finance staff.