Chapter 25 Quiz: Social Engineering
Test your knowledge of social engineering attack techniques, technical controls, cognitive biases, and defensive strategies.
Questions
1. A CFO receives an email appearing to be from the CEO requesting an urgent wire transfer to a new vendor account. The email passes SPF and DKIM checks because it was sent from a legitimately registered look-alike domain. What attack category does this represent?
- A) Spear-phishing with a credential harvesting link
- B) Business Email Compromise (BEC) — CEO fraud via a look-alike domain designed to pass email authentication checks while deceiving the recipient about the sender's identity
- C) Vishing — voice-based impersonation of the CEO
- D) Smishing — SMS-based financial fraud
Answer
B — Business Email Compromise (BEC) — CEO fraud via a look-alike domain designed to pass email authentication checks while deceiving the recipient about the sender's identity
BEC (consistently among the largest loss categories in the FBI's IC3 reports) relies on impersonation rather than malware. Look-alike domain attacks register domains such as ceo-company.com or cornpany.com (the letter pair 'rn' imitating 'm') that carry their own valid SPF and DKIM records, so they pass technical email authentication while still deceiving the human reader. Because the attacker's domain is genuinely authenticated, DMARC does not stop this variant; the controls that do are look-alike domain monitoring, inbound filtering that flags domains visually close to the organization's own, and a mandatory out-of-band verification step (a call to a number already on file) before any payment or banking-detail change is acted on.
2. DMARC's p=reject policy prevents which specific BEC attack vector, and what gap does it NOT address?
- A) It prevents all phishing emails; gap is that it doesn't block attachments
- B) It prevents spoofing of the exact organizational domain in the From: header; it does NOT prevent look-alike domain attacks (where the attacker uses a different but similar domain) or display name spoofing
- C) It prevents malicious attachments in email; gap is it doesn't cover links
- D) It prevents all unauthenticated email; gap is that it requires SPF records
Answer
B — It prevents spoofing of the exact organizational domain in the From: header; it does NOT prevent look-alike domain attacks (where the attacker uses a different but similar domain) or display name spoofing
DMARC p=reject causes receiving mail servers to reject emails that claim to be from company.com but fail DMARC alignment. This blocks direct domain spoofing. However, it cannot protect against: (1) look-alike domains like c0mpany.com or company-vendor.com that have their own valid DMARC records; (2) display name attacks where the From header shows "CEO Name" but the address is ceo@gmail.com.
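The following script is an added example, not code from the chapter, and it ties together the answers to questions 1 and 2: it performs DMARC alignment for the organization's own domain and then applies the two checks DMARC leaves open, look-alike domain detection and display-name impersonation. The domain company.com, the executive name, the fold list and the sample messages are all constructed for the example.

```python
"""Inbound-mail triage: DMARC alignment, then the two gaps DMARC leaves open.

Added example, not from the chapter. Domains, names and messages below are
constructed; the fold list and thresholds are illustrative choices."""

ORG_DOMAIN = "company.com"          # the domain DMARC p=reject actually protects
PROTECTED_NAMES = {"jane doe"}      # executives whose names attackers borrow (constructed)

# ASCII look-alike substitutions to undo before comparing labels. IDN homoglyphs
# (Cyrillic 'с' for Latin 'c') arrive punycoded and are caught by the xn-- test.
LOOKALIKE_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
                   ("3", "e"), ("5", "s"), ("7", "t")]


def organizational_domain(domain):
    """mail.company.com -> company.com. Keeps the last two labels; production code
    must use the Public Suffix List so example.co.uk is not reduced to co.uk."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def dmarc_aligned(from_domain, spf_domain=None, dkim_domain=None, strict=False):
    """DMARC passes when SPF or DKIM authenticated a domain aligned with the
    RFC 5322 From: domain: equal organizational domains (relaxed) or exact (strict)."""
    norm = (lambda d: d.lower()) if strict else organizational_domain
    return any(auth is not None and norm(auth) == norm(from_domain)
               for auth in (spf_domain, dkim_domain))


def fold_label(label):
    for seq, repl in LOOKALIKE_FOLDS:
        label = label.replace(seq, repl)
    return label


def edit_distance(a, b):
    """Plain Levenshtein distance; enough for one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, org=ORG_DOMAIN):
    """True for domains that are not ours but are built to read like ours."""
    cand = organizational_domain(domain)
    if cand == org:
        return False                      # exact domain: that is DMARC's job, not ours
    cand_label, org_label = cand.split(".")[0], org.split(".")[0]
    if cand_label.startswith("xn--"):     # internationalized label: treat as suspect
        return True
    folded = fold_label(cand_label)
    return (folded == org_label                        # c0mpany, cornpany
            or org_label in folded                     # company-vendor, ceo-company
            or edit_distance(folded, org_label) <= 1)  # compny, companyy


def triage(display_name, from_domain, spf_domain=None, dkim_domain=None):
    """Verdict for one inbound message: 'pass', 'reject', 'lookalike' or 'display-name'."""
    if organizational_domain(from_domain) == ORG_DOMAIN:
        # Our own domain in From:. With p=reject the receiver drops it unless aligned.
        return "pass" if dmarc_aligned(from_domain, spf_domain, dkim_domain) else "reject"
    # Foreign domain: it can be perfectly DMARC-aligned and still be fraud.
    if is_lookalike(from_domain):
        return "lookalike"
    if display_name.strip().lower() in PROTECTED_NAMES:
        return "display-name"
    return "pass"


if __name__ == "__main__":
    # Constructed messages: (display name, From: domain, SPF-authenticated domain, DKIM d= domain)
    samples = [
        ("Jane Doe", "company.com", "company.com", None),              # genuine, aligned
        ("Jane Doe", "company.com", "attacker.example", None),         # direct spoof: p=reject stops it
        ("Jane Doe", "cornpany.com", "cornpany.com", "cornpany.com"),  # look-alike with its own SPF/DKIM
        ("AP Team", "company-vendor.com", None, "company-vendor.com"),
        ("Jane Doe", "gmail.com", "gmail.com", "gmail.com"),           # display-name attack
    ]
    for name, dom, spf, dkim in samples:
        print(f"{name!r:12} {dom:20} dmarc={dmarc_aligned(dom, spf, dkim)!s:5} -> {triage(name, dom, spf, dkim)}")
```

Note the ordering in triage: DMARC is consulted only for the organization's own domain, because for cornpany.com the attacker's SPF and DKIM are valid and alignment passes. The look-alike and display-name checks are what a secure email gateway has to add on top of DMARC, and neither replaces the out-of-band call before money moves.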
3. Which cognitive bias does an urgency-based phishing lure ("Your account will be terminated in 24 hours — click here to verify") most directly exploit?
- A) Social proof
- B) Authority
- C) Scarcity/urgency — triggering loss aversion and reducing deliberate critical thinking
- D) Reciprocity
Answer
C — Scarcity/urgency — triggering loss aversion and reducing deliberate critical thinking
Cialdini's principle of scarcity/urgency creates a perceived time constraint that triggers loss aversion (people are more motivated to avoid loss than to achieve gain). The psychological effect is to suppress deliberate System 2 thinking and push the victim into reactive System 1 behavior — clicking without verifying. Phishing simulations and awareness training specifically target this bias by teaching employees to recognize urgency as a manipulation signal.
4. A penetration tester calls an employee pretending to be from the IT helpdesk and asks the employee to read back the one-time code just sent to their phone "to verify your account." What specific technique is this?
- A) Spear-phishing
- B) SIM swapping
- C) Real-time phishing relay / vishing-based MFA bypass
- D) Pretexting for credential reset
Answer
C — Real-time phishing relay / vishing-based MFA bypass
This technique uses a vishing (voice phishing) call as a real-time MFA relay: the attacker has already entered the victim's username and password on the real site (triggering an MFA code), then calls the victim under a helpdesk pretext to socially engineer them into reading back the OTP. It defeats any factor whose proof is a code the user can read aloud (SMS, TOTP, push-notification number matching). Hardware security keys (FIDO2/WebAuthn) are phishing-resistant because the browser writes the origin into the signed client data: an assertion produced on a relay or look-alike site fails verification at the real one, and there is no code for the victim to read out over the phone.
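The exchange described above, as an added example that is not part of the chapter: the same helpdesk-pretext relay run once against TOTP and once against a WebAuthn-style assertion. The TOTP code follows RFC 4226/6238 exactly. The WebAuthn side is a reduced model and is an assumption of this example, not the real protocol: the security key's private-key signature is stood in for by an HMAC under a per-device key the relying party registered, and the signature covers only the hash of clientDataJSON rather than authenticatorData as well. The user name, secrets and the phishing origin are constructed.

```python
"""Why a read-back one-time code relays but a FIDO2/WebAuthn assertion does not.

Added example, not from the chapter. TOTP is per RFC 4226/6238; the WebAuthn
side is a reduced model (HMAC stands in for the authenticator's asymmetric
signature, and only clientDataJSON is covered). Names and secrets are constructed."""
import hashlib, hmac, json, secrets, struct, time


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30):
    """RFC 6238 TOTP: HOTP over the 30-second time step."""
    at = time.time() if at is None else at
    return hotp(secret, int(at // step))


def sign_client_data(device_key, client_data_json):
    # Stand-in for the security key signing SHA-256(clientDataJSON) with its private key.
    digest = hashlib.sha256(client_data_json.encode()).digest()
    return hmac.new(device_key, digest, hashlib.sha256).hexdigest()


def browser_get_assertion(device_key, origin, challenge):
    """The browser, not the user or the web page, writes the origin into clientDataJSON."""
    client_data_json = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}, sort_keys=True)
    return client_data_json, sign_client_data(device_key, client_data_json)


class RelyingParty:
    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.totp_secrets, self.device_keys, self.pending = {}, {}, {}

    def login_totp(self, user, code, at=None):
        return hmac.compare_digest(code, totp(self.totp_secrets[user], at))

    def begin_webauthn(self, user):
        self.pending[user] = secrets.token_urlsafe(32)
        return self.pending[user]

    def finish_webauthn(self, user, client_data_json, signature):
        expected_challenge = self.pending.pop(user, None)     # single use
        data = json.loads(client_data_json)
        if data.get("type") != "webauthn.get" or data.get("challenge") != expected_challenge:
            return False
        if data.get("origin") != f"https://{self.rp_id}":     # the phishing-resistance check
            return False
        expected = sign_client_data(self.device_keys[user], client_data_json)
        return hmac.compare_digest(expected, signature)


def vishing_relay_totp(rp, user, victim_app_secret, at=None):
    """Attacker has the password and sits at the OTP prompt on the real site, phones the
    victim as 'helpdesk'; the victim reads out the code their own authenticator app shows."""
    code_read_aloud = totp(victim_app_secret, at)
    return rp.login_totp(user, code_read_aloud, at)


def vishing_relay_webauthn(rp, user, device_key, phishing_origin):
    """Same relay, but the victim taps a security key on the attacker's look-alike page."""
    challenge = rp.begin_webauthn(user)                        # issued to the attacker's session
    client_data_json, sig = browser_get_assertion(device_key, phishing_origin, challenge)
    return rp.finish_webauthn(user, client_data_json, sig)     # origin mismatch: rejected


def genuine_webauthn(rp, user, device_key):
    challenge = rp.begin_webauthn(user)
    client_data_json, sig = browser_get_assertion(device_key, f"https://{rp.rp_id}", challenge)
    return rp.finish_webauthn(user, client_data_json, sig)


def demo():
    rp = RelyingParty("company.com")
    totp_secret, device_key = secrets.token_bytes(20), secrets.token_bytes(32)
    rp.totp_secrets["alice"], rp.device_keys["alice"] = totp_secret, device_key
    now = 1_700_000_000                                        # fixed clock for a repeatable run
    return {
        "totp_relay": vishing_relay_totp(rp, "alice", totp_secret, at=now),
        "webauthn_relay": vishing_relay_webauthn(rp, "alice", device_key, "https://company-helpdesk.example"),
        "webauthn_genuine": genuine_webauthn(rp, "alice", device_key),
    }


if __name__ == "__main__":
    print(demo())   # {'totp_relay': True, 'webauthn_relay': False, 'webauthn_genuine': True}
```

The decisive difference is where the proof is bound. The TOTP code is a function of secret and time only, so it is valid wherever the attacker types it. The WebAuthn assertion carries the origin the browser observed, the victim cannot alter it, and the relying party compares it against its own RP ID, so the relayed assertion is rejected even though the signature itself is valid.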
5. Tailgating (also called "piggybacking") is a physical social engineering technique. What technical and procedural control combination is most effective at preventing tailgating at secure entry points?
- A) Security cameras at all entrances
- B) Badge-access turnstiles or mantrap (airlock) systems that enforce one person per authentication event, combined with security guard presence and an enforced policy that employees never hold doors for unverified individuals
- C) RFID badge readers with 10-second access windows
- D) Visitor sign-in logs at the front desk
Answer
B — Badge-access turnstiles or mantrap (airlock) systems that enforce one person per authentication event, combined with security guard presence and an enforced policy that employees never hold doors for unverified individuals
Tailgating exploits social norms around politeness (people feel awkward refusing to hold a door). Technical controls — mantraps that only allow one person per badge swipe, turnstiles — remove the social pressure by making the physics impossible. The procedural component (policy + culture) is equally important because employees must feel empowered to challenge and report tailgating attempts without social consequences.
6. A social engineering awareness program reports a 3% simulated phishing click rate after 12 months of training. What does security research consistently show about the long-term effectiveness of awareness training as a standalone control?
- A) A 3% click rate is optimal and no further training is needed
- B) Awareness training significantly reduces click rates short-term but shows decay — click rates rise without repeated reinforcement; training is necessary but insufficient as a standalone control and must be combined with technical controls (email filtering, MFA, FIDO2)
- C) Awareness training is completely ineffective and should be replaced entirely by technical controls
- D) A 3% click rate indicates the training program should be discontinued as employees are becoming desensitized
Answer
B — Awareness training significantly reduces click rates short-term but shows decay — click rates rise without repeated reinforcement; training is necessary but insufficient as a standalone control and must be combined with technical controls (email filtering, MFA, FIDO2)
Research consistently shows that phishing simulation training reduces click rates but the effect decays within 4-6 months without reinforcement. Even well-trained organizations maintain residual click rates — the human is not a perfectly reliable control. The security architecture must assume clicks will happen and layer technical controls (sandboxing, MFA, FIDO2 keys, endpoint isolation) to limit the blast radius when training fails.
7. Spear-phishing differs from generic phishing in what specific way that increases its success rate?
- A) Spear-phishing uses malicious attachments; generic phishing uses only links
- B) Spear-phishing is personalized to a specific individual or organization using researched details (name, role, recent activities, relationships, projects) that make the lure appear legitimate to that specific target
- C) Spear-phishing is sent via SMS; generic phishing is sent via email
- D) Spear-phishing targets only executives; generic phishing targets all employees
Answer
B — Spear-phishing is personalized to a specific individual or organization using researched details (name, role, recent activities, relationships, projects) that make the lure appear legitimate to that specific target
Spear-phishing's effectiveness stems from contextual legitimacy: an email referencing the target's recent conference attendance, their manager's name, or a specific project they're working on bypasses the mental heuristic of "this looks generic/suspicious." APT initial access consistently relies on spear-phishing because the personalization investment yields significantly higher compromise rates than bulk phishing campaigns.
8. The social engineering kill chain begins with reconnaissance. What specific publicly available information source provides the highest-value reconnaissance for crafting a targeted spear-phishing lure against a corporate executive?
- A) The company's annual report filed with the SEC
- B) LinkedIn — revealing the executive's career history, connections, recent posts, public engagements, direct reports, and organizational structure
- C) The company's public DNS records
- D) Shodan scans of the company's internet-facing infrastructure
Answer
B — LinkedIn — revealing the executive's career history, connections, recent posts, public engagements, direct reports, and organizational structure
LinkedIn is the primary OSINT source for social engineering reconnaissance: it reveals the exact organizational hierarchy (who reports to whom), the target's professional background (enabling impersonation of former colleagues), recent posts (providing timely lure topics), and public speaking/travel schedule. Combined with job postings (revealing technology stack), LinkedIn enables construction of highly convincing personalized phishing lures.
9. A "baiting" attack in the physical domain involves placing USB drives in a target organization's parking lot. What makes this attack effective even against technically sophisticated employees?
- A) Modern USB drives can bypass USB port blockers
- B) Human curiosity and the desire to identify the owner of a found item override security awareness training: in the University of Illinois drop study, 98% of the drives were picked up and 45% were plugged in and had a file opened, often within minutes
- C) USB drives are too small to be detected by security cameras
- D) Baiting only works against non-technical employees; security teams are immune
Answer
B — Human curiosity and the desire to identify the owner of a found item override security awareness training: in the University of Illinois drop study, 98% of the drives were picked up and 45% were plugged in and had a file opened, often within minutes
USB drop studies (the University of Illinois campus study being the best known) consistently find high plug-in rates, and a plugged-in drive is a user-initiated execution path regardless of how sophisticated the user is. Labeling drives with enticing labels ("Q4 Salary Review," "Confidential — HR") significantly increases plug-in rates. The attack exploits curiosity and the social norm of returning lost items, instincts that security training has difficulty overriding. Technical controls (removable-storage restrictions via Group Policy, AutoRun/AutoPlay disabled, endpoint control of new USB device classes) are the reliable mitigation.
10. What is the primary reason that voice phishing (vishing) attacks against helpdesk targets are particularly difficult to defend against purely with technical controls?
- A) Vishing calls bypass all telephone encryption standards
- B) Vishing exploits the human authentication process — helpdesk agents must make real-time identity verification judgments under social pressure, where the attacker can adaptively respond to challenge questions using OSINT-sourced personal information
- C) Vishing cannot be recorded or logged for post-incident review
- D) Telephone systems do not support caller ID verification
Answer
B — Vishing exploits the human authentication process — helpdesk agents must make real-time identity verification judgments under social pressure, where the attacker can adaptively respond to challenge questions using OSINT-sourced personal information
Unlike phishing emails where a filter can analyze content before delivery, vishing occurs in real time with a human in the loop. An attacker can research the target's personal details, departmental context, and current events on LinkedIn/social media before calling, then adapt their story dynamically based on the agent's responses. The Scattered Spider casino breaches demonstrated this: attackers knew enough about target employees to convincingly answer standard knowledge-based authentication questions.
Scoring
| Score | Performance |
|---|---|
| 9–10 | Expert — Social engineering techniques and defenses fully internalized |
| 7–8 | Proficient — Ready to design social engineering defenses and awareness programs |
| 5–6 | Developing — Review Chapter 25 cognitive bias, BEC, and DMARC sections |
| <5 | Foundational — Re-read Chapter 25 before proceeding |
Return to Chapter 25 | Next: Chapter 26