Social Engineering and How Attackers Trick People to Obtain Info
Why is social engineering often more effective than "hard-core" technical hacking?
It exploits human psychology (trust, fear, or urgency) rather than software vulnerabilities.
If you receive an email with subtle misspellings in the sender’s address, it is a major warning sign of what?
A phishing attempt.
What security system requires more than one form of verification, such as a password and a fingerprint?
Multi-Factor Authentication (MFA).
This general term describes a type of attack that tricks users into compromising their own security by appearing legitimate.
Phishing.
Scenario: You get an email from "Support@NetfIix.com" (with a capital 'I' instead of an 'l') saying your billing failed. Real or Phish?
Phish (Suspicious sender address/misspelling).
This technique involves an attacker creating a fabricated scenario and adopting a fake persona (like an IT worker) to manipulate a victim.
What is pretexting?
Phishing emails often use a specific "tone" to force a victim to take immediate action. What is this tone?
A sense of urgency or crisis.
Where do stolen credentials usually end up after a successful phishing attack?
On the "Dark Web" or "Internet Black Markets."
This is the specific goal of many phishing attacks: the gathering of protected info to bypass security or MFA.
Credential Harvesting.
Scenario: You receive a text message from your "boss" asking you to buy gift cards for a client immediately. What specific type of phishing is this likely to be?
Spear Phishing (it is personalized and targeted).
How does pretexting primarily differ from a standard phishing email in terms of its goal?
Pretexting focuses on building trust and setting up a scenario, whereas phishing usually focuses on creating immediate urgency.
What is a common danger hidden inside "Suspicious Links" or attachments in a phishing email?
They can redirect to fake login pages or install malware on the device.
How does MFA notify a user that someone might be trying to hack their account?
It usually sends a notification to the account’s email or a verification code to a mobile device.
This specific variation of phishing is highly personalized and targets specific individuals or organizations.
Spear Phishing.
Scenario: A caller claiming to be from "IT" asks for your password to "update your security certificate." What technique is this?
Pretexting (Social Engineering).
True or False: Social engineering attacks are designed to exploit technical systems.
False. They are designed to exploit human/psychological weaknesses.
Beyond the sender's address and links, what is the third major warning sign mentioned in the research?
Language or tone (the use of a false sense of alarm/crisis).
Name the specific group of people who validate and prepare stolen data for sale before it reaches high-end brokers.
Mid-Tier Brokers.
According to Norton research, what percentage of all breaches are caused by spear phishing?
66 percent.
Scenario: You log in to a site and it asks for your password. Then, your phone pings with a 6-digit code. Is this a phishing attempt or a security feature?
Security feature (Multi-Factor Authentication).
In pretexting, an attacker might adopt a "fake persona." Name two common examples of personas used.
Bank employee, IT worker, or Government official (e.g., IRS).
Why might an attacker use a sender address that looks almost identical to a well-known brand?
To trick people into overlooking subtle differences so they believe the source is legitimate.
Who are the final "buyers" of stolen credentials on the dark web? (Name two).
Cybercriminals, ransomware gangs, or APT (Advanced Persistent Threat) groups.
While spear phishing only makes up 0.1% of emails, why is its success rate so much higher than general phishing?
Because it is highly personalized and focuses on quality/nuance rather than quantity.
Scenario: An email says "Your account will be DELETED in 2 hours if you don't click here." Which warning sign is being used?
Sense of urgency/crisis.