A caller impersonates a retiree to change direct deposit details. What type of attack is this?
A. Phishing
B. Social Engineering
C. Malware
D. Brute Force
What is Social Engineering (B)?
Attackers use passwords leaked from other websites to access accounts. What type of attack is this?
A. Credential Stuffing
B. Phishing
C. Insider Threat
D. Data Masking
What is Credential Stuffing (A)?
One employee can both initiate and approve sensitive transactions (e.g., direct deposit changes). What control is missing?
A. Strong Control
B. Vendor Oversight
C. Encryption
D. Segregation of Duties
What is Segregation of Duties (D)?
A vendor emails new banking instructions, and staff process the request without verification. What type of attack is this?
A. Vendor Phishing
B. Secure Transfer
C. Encryption
D. Logging
What is Vendor Phishing (A)?
An employee pastes member data into a public AI tool to help draft an email. What is the primary risk?
A. Faster Processing
B. Data Exposure
C. Encryption Failure
D. System Outage
What is Data Exposure (B)?
A staff member skips identity verification to help a caller faster. What is the primary risk?
A. Insider Threat
B. Data Masking
C. Encryption Failure
D. Control Bypass
What is Control Bypass (D)?
A retiree receives an email asking them to confirm login credentials. What type of attack is this?
A. Spoofing
B. Brute Force
C. Phishing
D. Logging
What is Phishing (C)?
An employee leaves the organization but still has system access. What is this called?
A. Access Creep
B. Orphaned Account
C. Encryption
D. Token Reuse
What is an Orphaned Account (B)?
A vendor with system access is breached, exposing pension data. What type of incident is this?
A. Internal Fraud
B. Patch Failure
C. Third-Party Breach
D. Tokenization
What is Third-Party Breach (C)?
A staff member uses an AI tool not approved by IT to complete work tasks. What is this called?
A. Trial Use
B. Bring Your Own AI (BYOAI)
C. Shadow AI
D. IT Workaround
What is Shadow AI (C)?
Fraudsters submit retirement applications using stolen identities. What type of fraud is this?
A. Credential Stuffing
B. Identity Theft Fraud
C. Denial of Service
D. Tokenization
What is Identity Theft Fraud (B)?
An attacker updates contact details, then resets the account password. What is this attack called?
A. Privilege Escalation
B. Account Takeover
C. Encryption Bypass
D. Patch Failure
What is Account Takeover (B)?
A staff member follows all procedures but still processes a fraudulent request. What failed?
A. The Employee
B. The System
C. The Process Design
D. The Firewall
What is The Process Design (C)?
A vendor sends sensitive files through unencrypted email. What is the primary risk?
A. Secure Transmission
B. Data Exposure
C. Encryption Success
D. Logging Control
What is Data Exposure (B)?
An employee relies on AI-generated info that turns out to be incorrect and takes action without verifying it. What is the BIGGEST issue?
A. Hallucination
B. Lack of Human Validation
C. Data Encryption
D. System Error
What is a Lack of Human Validation (B)?
A retiree passes all verification but requests a bank change to a new out-of-state account not previously on file. What is the primary risk?
A. Weak Authentication
B. Social Engineering
C. Payment Redirection
D. Data Breach
What is Payment Redirection (C)?
MFA is enabled, but an attacker still gains access to an account. What is the most likely cause?
A. MFA Failure
B. Weak Passwords
C. SIM Swap or Social Engineering
D. System Outage
What is SIM Swap or Social Engineering (C)?
No alerts exist for unusual payment changes. What is the issue?
A. Monitoring Gap
B. Encryption Issue
C. Backup Failure
D. Patch Delay
What is a Monitoring Gap (A)?
A vendor securely sends a file via SFTP, but the file contains fraudulent banking data. What is the real issue?
A. Transmission Security
B. Encryption Failure
C. Data Integrity
D. Network Issue
What is Data Integrity (C)?
An employee removes names but pastes detailed member information into an AI tool. What is the real risk?
A. No Risk at All
B. Policy Violation
C. Encryption Failure
D. Data Exposure through Context
What is Data Exposure through Context (D)?
An employee gradually increases payments through small manual adjustments. What type of fraud is this?
A. Skimming
B. Ransomware
C. Encryption
D. Tokenization
What is Skimming (A)?
An attacker compromises an executive's or vendor's email account and sends instructions to change payment details. What type of attack is this?
A. Phishing
B. Business Email Compromise
C. Brute Force
D. Denial of Service
What is Business Email Compromise (B)?
Manual changes can be made without recording what changed, when, or by whom. What control is missing?
A. Data Redundancy
B. Audit Logging
C. Network Latency
D. Compression Issue
What is Audit Logging (B)?
A vendor has more system access than required for their role. What is the primary risk?
A. Least Privilege
B. Excessive Access
C. Encryption Failure
D. Logging Gap
What is Excessive Access (B)?
An attacker hides malicious instructions inside content processed by an AI tool. What type of attack is this?
A. Phishing
B. Prompt injection
C. Brute Force
D. Denial of Service
What is Prompt Injection (B)?