1. What is the primary goal of social engineering attacks?

A) To exploit vulnerabilities in hardware
B) To manipulate individuals into divulging confidential information
C) To gain access to network devices via brute force
D) To test software security through penetration testing

✅ Answer: B) To manipulate individuals into divulging confidential information
💡 Explanation: Social engineering attacks rely on psychological manipulation to trick individuals into providing sensitive data, such as login credentials or financial information, rather than exploiting technical vulnerabilities.


2. Which of the following is NOT a common type of social engineering attack?

A) Phishing
B) Baiting
C) Spear Phishing
D) Buffer Overflow

✅ Answer: D) Buffer Overflow
💡 Explanation: Buffer overflow is a technical attack targeting memory corruption, whereas social engineering attacks (phishing, baiting, and spear phishing) manipulate human psychology.


3. A hacker leaves a USB drive labeled “Confidential Salary Data” in the company parking lot, hoping an employee will plug it into their system. This is an example of:

A) Phishing
B) Baiting
C) Pretexting
D) Shoulder Surfing

✅ Answer: B) Baiting
💡 Explanation: Baiting lures victims into a trap by exploiting their curiosity, often using malicious USB drives or fake downloads.


4. Which social engineering technique involves an attacker pretending to be someone in authority to gain trust?

A) Spear Phishing
B) Pretexting
C) Tailgating
D) Vishing

✅ Answer: B) Pretexting
💡 Explanation: In pretexting, attackers fabricate scenarios to obtain personal or sensitive information by pretending to be a trusted authority figure.


5. What is vishing?

A) A phishing attack over the phone
B) A visual form of phishing using QR codes
C) A type of ransomware attack
D) A method of packet sniffing

✅ Answer: A) A phishing attack over the phone
💡 Explanation: Vishing (voice phishing) involves tricking individuals over the phone to obtain sensitive information by pretending to be a legitimate entity.


6. An attacker impersonates an IT technician and asks an employee for their password to perform maintenance. This is an example of:

A) Phishing
B) Pretexting
C) Tailgating
D) Dumpster Diving

✅ Answer: B) Pretexting
💡 Explanation: Pretexting involves an attacker creating a fabricated scenario to deceive a victim into providing confidential data.


7. What is tailgating in cybersecurity?

A) Gaining physical access to a restricted area by following an authorized person
B) Sending fraudulent emails to a victim
C) Social engineering through social media
D) Injecting malicious scripts into a website

✅ Answer: A) Gaining physical access to a restricted area by following an authorized person
💡 Explanation: Tailgating occurs when an attacker follows someone with access through a secured entry point, often by pretending to have forgotten their access card.


8. Which of the following is a targeted phishing attack against a specific individual or organization?

A) Whaling
B) Spear Phishing
C) Pharming
D) Baiting

✅ Answer: B) Spear Phishing
💡 Explanation: Spear phishing is a highly targeted phishing attack, often tailored to specific individuals or organizations.


9. What is whaling in cybersecurity?

A) A DDoS attack against large companies
B) A phishing attack targeting executives or high-ranking individuals
C) A brute force attack on corporate networks
D) A malware-based attack on cloud systems

✅ Answer: B) A phishing attack targeting executives or high-ranking individuals
💡 Explanation: Whaling is a form of spear phishing that specifically targets high-profile executives or decision-makers.


10. What is the best defense against phishing emails?

A) Installing the latest firewall updates
B) Verifying email sender authenticity and avoiding clicking unknown links
C) Using a VPN at all times
D) Avoiding social media usage

✅ Answer: B) Verifying email sender authenticity and avoiding clicking unknown links
💡 Explanation: Educating users to identify phishing attempts and verify sender authenticity is one of the most effective ways to prevent phishing attacks.


11. Which method helps prevent tailgating attacks?

A) Two-factor authentication
B) Security awareness training and access controls
C) Using encrypted storage devices
D) Implementing strong password policies

✅ Answer: B) Security awareness training and access controls
💡 Explanation: Employees should be trained to challenge unknown individuals and not allow unauthorized people to follow them into restricted areas.


12. A person digging through trash to find sensitive information is an example of:

A) Baiting
B) Phishing
C) Dumpster Diving
D) Smishing

✅ Answer: C) Dumpster Diving
💡 Explanation: Dumpster diving involves retrieving discarded documents, storage devices, or other materials to gain sensitive information.


13. Which of the following is NOT a social engineering attack?

A) Smishing
B) Pharming
C) Keylogging
D) Tailgating

✅ Answer: C) Keylogging
💡 Explanation: Keylogging is a technical attack that records keystrokes, while social engineering techniques manipulate human behavior.


14. What is smishing?

A) SMS-based phishing attacks
B) A type of brute force attack
C) Social engineering via voice calls
D) A SQL injection attack

✅ Answer: A) SMS-based phishing attacks
💡 Explanation: Smishing (SMS phishing) tricks users into revealing sensitive information via fraudulent text messages.


15. What is a common indicator of a phishing email?

A) Urgent requests for sensitive information
B) Personalized messages from known senders
C) Well-structured corporate emails
D) Security updates from official sources

✅ Answer: A) Urgent requests for sensitive information
💡 Explanation: Phishing emails often create a sense of urgency to trick victims into disclosing sensitive data.


16. What is an effective countermeasure against social engineering attacks?

A) Regular penetration testing
B) Security awareness training for employees
C) Updating operating systems regularly
D) Using strong passwords

✅ Answer: B) Security awareness training for employees
💡 Explanation: User education is critical to recognizing and preventing social engineering attacks.


17. Social engineering often exploits which psychological principle?

A) Fear and urgency
B) Logical reasoning
C) Mathematical patterns
D) Physical strength

✅ Answer: A) Fear and urgency
💡 Explanation: Attackers create fear, urgency, or curiosity to pressure victims into making impulsive decisions.


18. Which type of attack is likely if someone is watching you type your password?

A) Keylogging
B) Shoulder Surfing
C) Tailgating
D) Phishing

✅ Answer: B) Shoulder Surfing
💡 Explanation: Shoulder surfing involves observing someone’s screen or keystrokes to steal sensitive information.


19. How can companies minimize social engineering risks?

A) Implement AI-based detection tools
B) Conduct security awareness training
C) Hire ethical hackers
D) Enforce hardware-level security

✅ Answer: B) Conduct security awareness training
💡 Explanation: Employee training is the most effective way to prevent social engineering attacks.


20. What is a reverse social engineering attack?

A) When an attacker convinces a victim to contact them for help
B) A phishing attack using social media
C) When a hacker infiltrates a system through brute force
D) An attack exploiting outdated firewalls

✅ Answer: A) When an attacker convinces a victim to contact them for help
💡 Explanation: Reverse social engineering manipulates the victim into reaching out to the attacker, believing them to be a trustworthy entity.


21. What is the main difference between phishing and spear phishing?

A) Spear phishing targets a specific individual or organization, while phishing is more generic
B) Phishing is done via phone, while spear phishing is done via email
C) Phishing requires malware, while spear phishing does not
D) Spear phishing only works on executives

✅ Answer: A) Spear phishing targets a specific individual or organization, while phishing is more generic
💡 Explanation: Spear phishing is a highly targeted attack tailored to specific individuals, whereas phishing is more general and sent to many recipients.


22. Which social engineering attack relies on creating a fake website to steal credentials?

A) Pharming
B) Baiting
C) Tailgating
D) Shoulder Surfing

✅ Answer: A) Pharming
💡 Explanation: Pharming redirects users from legitimate websites to fake ones to steal credentials or install malware.


23. A hacker calls an employee pretending to be from the HR department and requests their login details for a payroll update. This is an example of:

A) Phishing
B) Vishing
C) Smishing
D) Baiting

✅ Answer: B) Vishing
💡 Explanation: Vishing (voice phishing) is a form of social engineering where attackers use phone calls to deceive victims.


24. What is a honeytrap attack in social engineering?

A) Using a honeypot server to attract attackers
B) A social engineering attack where an attacker pretends to be romantically interested in the victim
C) Trapping hackers using false credentials
D) Encrypting a victim’s data until they pay a ransom

✅ Answer: B) A social engineering attack where an attacker pretends to be romantically interested in the victim
💡 Explanation: Honeytrap attacks manipulate victims using romantic or personal relationships to extract sensitive information.


25. In social engineering, what is quid pro quo?

A) Offering something in exchange for information
B) Gaining access through a fake identity
C) Using brute force to gain access
D) Physically stealing information

✅ Answer: A) Offering something in exchange for information
💡 Explanation: In quid pro quo attacks, attackers promise a benefit (e.g., tech support, prize) to trick victims into revealing confidential data.


26. What is a key reason why social engineering attacks succeed?

A) People naturally trust others
B) Firewalls are not strong enough
C) Antivirus software is outdated
D) All emails are insecure

✅ Answer: A) People naturally trust others
💡 Explanation: Social engineering exploits human psychology, particularly trust, fear, urgency, and curiosity, rather than technical weaknesses.


27. Which of the following is NOT a preventive measure against social engineering?

A) Employee security awareness training
B) Implementing strict access controls
C) Using only Windows-based devices
D) Verifying sender authenticity before clicking links

✅ Answer: C) Using only Windows-based devices
💡 Explanation: Social engineering attacks target humans, not just systems, so using a specific OS does not prevent these attacks.


28. Which of the following is a real-life example of a social engineering attack?

A) A hacker using an SQL injection
B) A cybercriminal convincing a bank employee to disclose a customer’s account details
C) A firewall failing to block malware
D) A brute-force attack on a website

✅ Answer: B) A cybercriminal convincing a bank employee to disclose a customer’s account details
💡 Explanation: This example involves psychological manipulation to obtain confidential information.


29. What type of attack involves an attacker gaining unauthorized access to a building by pretending to be a delivery person?

A) Spear Phishing
B) Tailgating
C) Baiting
D) Pharming

✅ Answer: B) Tailgating
💡 Explanation: Tailgating happens when attackers follow authorized personnel into restricted areas by pretending to have legitimate business.


30. Why are social engineering attacks difficult to prevent?

A) They target hardware vulnerabilities
B) They exploit human behavior rather than software vulnerabilities
C) They rely on sophisticated hacking tools
D) They require physical access to systems

✅ Answer: B) They exploit human behavior rather than software vulnerabilities
💡 Explanation: Social engineering targets human psychology, making it difficult to detect and prevent with traditional security tools.


31. Which social engineering attack occurs when an attacker redirects victims from a legitimate website to a fraudulent one?

A) Pharming
B) Whaling
C) Smishing
D) Vishing

✅ Answer: A) Pharming
💡 Explanation: Pharming manipulates DNS settings, or uses malware, to direct victims to fraudulent websites.


32. What is the best way to verify an unknown caller claiming to be from IT support?

A) Provide them with your credentials to confirm their identity
B) Hang up and block the number
C) Call IT support directly using an official contact number
D) Assume they are legitimate if they know your name

✅ Answer: C) Call IT support directly using an official contact number
💡 Explanation: Always verify requests by contacting official support channels rather than trusting unknown callers.


33. An attacker posing as an internal employee to trick helpdesk staff into resetting a password is an example of:

A) Pretexting
B) Smishing
C) Baiting
D) Phishing

✅ Answer: A) Pretexting
💡 Explanation: Pretexting involves an attacker creating a false identity or scenario to gain information.


34. What should employees do if they receive an email from an unknown sender requesting sensitive information?

A) Reply to verify the request
B) Click the link and enter dummy data
C) Report it to the IT/security team
D) Ignore it and delete it

✅ Answer: C) Report it to the IT/security team
💡 Explanation: Reporting suspicious emails helps organizations identify and mitigate phishing attacks.


35. Which of these is NOT a social engineering technique?

A) Pharming
B) Ransomware
C) Shoulder Surfing
D) Tailgating

✅ Answer: B) Ransomware
💡 Explanation: Ransomware is malware-based, whereas social engineering techniques involve psychological manipulation.


36. What is a common red flag in phishing emails?

A) Personalized subject lines
B) Generic greetings like “Dear Customer”
C) Official company logos
D) Messages with proper grammar

✅ Answer: B) Generic greetings like “Dear Customer”
💡 Explanation: Phishing emails often use generic greetings instead of personalizing messages.


37. Which psychological principle is often used in social engineering attacks?

A) Reciprocity
B) Quantum Mechanics
C) Encryption Algorithms
D) Reverse Engineering

✅ Answer: A) Reciprocity
💡 Explanation: Attackers offer small favors (e.g., fake help or prizes) to make victims feel obligated to comply.


38. What is an effective strategy to avoid being a victim of phishing?

A) Clicking links only if they look legitimate
B) Regularly changing email passwords
C) Verifying suspicious emails with the sender
D) Using incognito mode in browsers

✅ Answer: C) Verifying suspicious emails with the sender
💡 Explanation: Contacting the sender through official channels prevents falling for phishing scams.


39. Which group is most vulnerable to social engineering attacks?

A) Only non-technical users
B) Only executives
C) Any individual, regardless of experience
D) Only employees in finance

✅ Answer: C) Any individual, regardless of experience
💡 Explanation: Everyone is vulnerable because social engineering exploits psychological traits, not just technical knowledge.


40. What role does urgency play in social engineering attacks?

A) It prevents victims from recognizing red flags
B) It makes attacks less effective
C) It slows down response times
D) It helps victims verify information

✅ Answer: A) It prevents victims from recognizing red flags
💡 Explanation: Attackers create a false sense of urgency to rush victims into making mistakes.


41. What is the primary reason why employees fall for social engineering attacks?

A) Lack of technical skills
B) Misconfigured firewalls
C) Human emotions like fear, trust, and urgency
D) Weak passwords

✅ Answer: C) Human emotions like fear, trust, and urgency
💡 Explanation: Social engineering exploits human psychology by creating a sense of urgency, fear, curiosity, or trust.


42. What is the main goal of a social engineer using impersonation?

A) To steal hardware devices
B) To exploit software vulnerabilities
C) To convince victims to disclose sensitive information
D) To bypass network firewalls

✅ Answer: C) To convince victims to disclose sensitive information
💡 Explanation: Impersonation is when an attacker pretends to be someone trusted to manipulate victims into revealing confidential data.


43. How does multi-factor authentication (MFA) help prevent social engineering attacks?

A) It eliminates phishing attempts
B) It provides an additional security layer even if credentials are compromised
C) It blocks all malicious websites
D) It prevents users from sharing sensitive data

✅ Answer: B) It provides an additional security layer even if credentials are compromised
💡 Explanation: MFA ensures that even if an attacker steals a password, they still need a second authentication factor (e.g., a mobile OTP or biometric verification) to gain access.


44. What is the main purpose of a pretexting attack?

A) To spread malware via phishing emails
B) To use fake scenarios to trick people into revealing sensitive data
C) To exploit software vulnerabilities
D) To inject malicious scripts into web applications

✅ Answer: B) To use fake scenarios to trick people into revealing sensitive data
💡 Explanation: Pretexting involves creating a false pretense or identity to deceive victims into giving out confidential information.


45. What is the best way to avoid falling victim to baiting attacks?

A) Avoid opening unexpected attachments
B) Never pick up or insert unknown USB drives
C) Use a strong password manager
D) Disable pop-ups in your web browser

✅ Answer: B) Never pick up or insert unknown USB drives
💡 Explanation: Baiting attacks often use infected USB drives left in public places to lure victims into plugging them into their computers.


46. Which social engineering attack involves tricking users into installing malicious software?

A) Pharming
B) Baiting
C) Vishing
D) Tailgating

✅ Answer: B) Baiting
💡 Explanation: Baiting entices victims to download malicious software by offering free items, fake updates, or tempting downloads.


47. How can companies test their employees’ vulnerability to social engineering attacks?

A) By blocking all emails from unknown senders
B) By running simulated phishing attacks
C) By installing antivirus software on every device
D) By requiring password changes every month

✅ Answer: B) By running simulated phishing attacks
💡 Explanation: Simulated phishing attacks help organizations train employees by testing their ability to recognize phishing attempts.


48. Which of the following is NOT a characteristic of social engineering?

A) Exploits trust and psychology
B) Requires no technical hacking skills
C) Relies on manipulating human behavior
D) Only works on large organizations

✅ Answer: D) Only works on large organizations
💡 Explanation: Social engineering attacks can target anyone: individuals, small businesses, and large corporations.


49. How does social media contribute to social engineering attacks?

A) It provides attackers with personal details that can be used in attacks
B) It prevents cybercriminals from finding personal information
C) It makes phishing emails more effective
D) It encrypts sensitive data

✅ Answer: A) It provides attackers with personal details that can be used in attacks
💡 Explanation: Attackers gather personal details from social media profiles to craft targeted phishing emails or impersonation attacks.


50. What is the best way to recognize a social engineering attack?

A) Trusting unknown contacts only if they seem professional
B) Checking for unusual requests that create urgency or fear
C) Clicking links from known senders
D) Ignoring security training

✅ Answer: B) Checking for unusual requests that create urgency or fear
💡 Explanation: Social engineers often use urgency, fear, or authority to pressure victims into quick action.


51. Why is tailgating a security risk?

A) It allows unauthorized people to gain access to restricted areas
B) It injects malware into computer systems
C) It spreads phishing emails within organizations
D) It installs spyware on mobile devices

✅ Answer: A) It allows unauthorized people to gain access to restricted areas
💡 Explanation: Tailgating is a physical security threat where attackers enter secure areas by following authorized personnel.


52. How can organizations protect against tailgating attacks?

A) By using two-factor authentication
B) By training employees to verify unknown individuals before granting access
C) By using anti-virus software
D) By encrypting emails

✅ Answer: B) By training employees to verify unknown individuals before granting access
💡 Explanation: Employees must be trained to challenge unauthorized individuals instead of letting them in without verification.


53. A victim receives an email that appears to be from their bank, asking them to verify their account details by clicking a link. What kind of attack is this?

A) Spear phishing
B) Whaling
C) Phishing
D) Shoulder Surfing

✅ Answer: C) Phishing
💡 Explanation: Phishing emails deceive users into providing personal information by pretending to be from trusted sources.


54. How can employees verify an email’s legitimacy before responding?

A) Clicking the link and checking the webpage
B) Replying to the email to test its authenticity
C) Checking for spelling errors, sender details, and verifying with IT/security teams
D) Downloading attachments before making a decision

✅ Answer: C) Checking for spelling errors, sender details, and verifying with IT/security teams
💡 Explanation: Verifying details through official channels helps avoid phishing scams.


55. What does the principle of least privilege (PoLP) help prevent?

A) Unauthorized access due to social engineering attacks
B) Brute force attacks
C) Keylogging attacks
D) Man-in-the-middle attacks

✅ Answer: A) Unauthorized access due to social engineering attacks
💡 Explanation: PoLP ensures users have minimal access necessary for their tasks, reducing the risk of attackers misusing credentials.


56. A cybercriminal sets up a fake Wi-Fi hotspot labeled “Free Airport Wi-Fi” to intercept users’ login credentials. What is this attack called?

A) Evil Twin Attack
B) DNS Spoofing
C) Social Engineering Pretexting
D) Vishing

✅ Answer: A) Evil Twin Attack
💡 Explanation: Evil Twin Attacks trick victims into connecting to rogue Wi-Fi networks, allowing attackers to steal credentials.


57. How do attackers use deepfakes in social engineering attacks?

A) By creating fake videos or audio to impersonate real people
B) By infecting computers with malware
C) By launching brute force attacks
D) By using AI to crack passwords

✅ Answer: A) By creating fake videos or audio to impersonate real people
💡 Explanation: Deepfakes can be used in scams, fraud, or impersonation to trick victims into revealing sensitive information.


58. How can companies protect against social engineering attacks?

A) Conducting frequent security awareness training
B) Installing firewalls on all computers
C) Using VPNs for all web browsing
D) Disabling two-factor authentication

✅ Answer: A) Conducting frequent security awareness training
💡 Explanation: Security awareness training helps employees recognize and avoid social engineering tactics.


59. What should you do if you suspect a social engineering attack?

A) Report it to the security team immediately
B) Ignore it and delete the message
C) Click the link to investigate
D) Provide false information to the attacker

✅ Answer: A) Report it to the security team immediately
💡 Explanation: Reporting social engineering attempts helps prevent further attacks.


60. Which department is most targeted by social engineering attacks?

A) IT Department
B) Human Resources (HR)
C) Finance & Accounting
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Attackers target multiple departments to exploit different types of data.


61. What is the primary objective of a social engineering attack?

A) To exploit software vulnerabilities
B) To trick individuals into revealing confidential information
C) To hack into encrypted databases
D) To launch a denial-of-service (DoS) attack

✅ Answer: B) To trick individuals into revealing confidential information
💡 Explanation: Social engineering attacks manipulate human psychology to extract sensitive data rather than exploiting technical flaws.


62. Which of the following behaviors makes someone more vulnerable to social engineering?

A) Sharing personal details publicly on social media
B) Using a VPN while browsing
C) Encrypting all communications
D) Updating passwords regularly

✅ Answer: A) Sharing personal details publicly on social media
💡 Explanation: Attackers often use publicly available social media information to craft convincing attacks.


63. What is a common tactic used in pretexting attacks?

A) Impersonation
B) Brute force password attacks
C) Packet sniffing
D) Using ransomware

✅ Answer: A) Impersonation
💡 Explanation: In pretexting, attackers fabricate fake identities or scenarios to manipulate victims into revealing confidential data.


64. What should employees do if they receive a suspicious call requesting confidential data?

A) Provide the requested information if the caller sounds professional
B) Ask the caller to send an email before sharing any details
C) Verify the request with the relevant department before responding
D) Ignore all phone calls from unknown numbers

✅ Answer: C) Verify the request with the relevant department before responding
💡 Explanation: Always verify a request through official channels before disclosing any sensitive information.


65. An attacker follows an authorized employee into a secure building by holding a stack of papers and pretending to struggle. What type of attack is this?

A) Spear Phishing
B) Tailgating
C) Pharming
D) Whaling

✅ Answer: B) Tailgating
💡 Explanation: Tailgating is a physical security breach where an attacker gains access by exploiting human politeness.


66. Which psychological principle is most commonly exploited in phishing emails?

A) Curiosity and urgency
B) Logical reasoning
C) Mathematical complexity
D) Spatial awareness

✅ Answer: A) Curiosity and urgency
💡 Explanation: Phishing emails create urgency (e.g., “Your account will be locked!”) to trick victims into acting quickly.


67. How do attackers use LinkedIn for social engineering?

A) By sending phishing emails disguised as job offers
B) By searching for employees’ details to craft spear phishing attacks
C) By impersonating recruiters to gain trust
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Attackers leverage LinkedIn for targeted phishing, gathering information, and impersonation.


68. What is the main difference between smishing and vishing?

A) Smishing uses text messages, while vishing uses phone calls
B) Vishing is an email-based attack, while smishing is web-based
C) Smishing only targets executives, while vishing targets regular users
D) Vishing is a type of ransomware

✅ Answer: A) Smishing uses text messages, while vishing uses phone calls
💡 Explanation: Smishing (SMS phishing) tricks victims via text messages, while vishing (voice phishing) is conducted over phone calls.


69. What should organizations implement to reduce the risk of social engineering?

A) A strict password change policy
B) Mandatory security awareness training
C) Disabling USB ports on all devices
D) Installing stronger firewalls

✅ Answer: B) Mandatory security awareness training
💡 Explanation: Employee education is key to recognizing and preventing social engineering attacks.


70. What should employees do if they click a suspicious link in an email?

A) Change their password immediately
B) Report the incident to IT security
C) Scan their device for malware
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Clicking a phishing link could lead to credential theft or malware infection, so reporting, scanning, and changing passwords are necessary.


71. What is piggybacking in cybersecurity?

A) A brute force attack
B) Gaining unauthorized access by following someone with their permission
C) Sending multiple phishing emails to an organization
D) A type of cryptographic attack

✅ Answer: B) Gaining unauthorized access by following someone with their permission
💡 Explanation: Unlike tailgating, where an attacker sneaks in unnoticed, piggybacking involves permission from an unaware employee.


72. Which role in an organization is most at risk of whaling attacks?

A) Software developers
B) Entry-level employees
C) Executives and high-ranking officials
D) IT support staff

✅ Answer: C) Executives and high-ranking officials
💡 Explanation: Whaling attacks specifically target high-level executives for financial fraud or corporate espionage.


73. What is a key indicator of a social engineering attack?

A) Requests for confidential information
B) Use of urgent language
C) Unexpected communication from unknown sources
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Social engineering attacks often involve urgent requests from unknown or disguised sources.


74. What is the purpose of a social engineering penetration test?

A) To test an organization’s network security
B) To evaluate employees’ susceptibility to social engineering attacks
C) To detect malware on company devices
D) To analyze firewall effectiveness

✅ Answer: B) To evaluate employees’ susceptibility to social engineering attacks
💡 Explanation: Social engineering penetration testing assesses how well employees recognize and resist manipulative tactics.


75. What makes whaling attacks particularly dangerous?

A) They target high-value individuals with significant authority
B) They require advanced hacking tools
C) They rely on malware infections
D) They use brute force attacks

✅ Answer: A) They target high-value individuals with significant authority
💡 Explanation: Whaling attacks focus on executives who have access to critical business operations.


76. What is a key reason attackers use fake job offers in social engineering?

A) To collect resumes for identity theft
B) To trick victims into clicking malicious links
C) To impersonate recruiters for trust-building
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Attackers pose as recruiters to steal sensitive data or install malware through fake job applications.


77. What type of malware is commonly used in social engineering attacks?

A) Ransomware
B) Keyloggers
C) Spyware
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Attackers often use spyware, ransomware, and keyloggers to gather information after a successful attack.


78. How do deepfake videos contribute to social engineering?

A) By impersonating real individuals for fraud
B) By creating realistic phishing attacks
C) By manipulating victims into revealing data
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Deepfake technology enables attackers to mimic real people for fraudulent activities.


79. What is an effective defense against social engineering scams?

A) Multi-factor authentication (MFA)
B) Security awareness training
C) Verifying unknown requests before acting
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Combining MFA, security training, and verification procedures enhances protection against social engineering.


80. How do cybercriminals use fear in social engineering?

A) By warning victims of fake legal consequences
B) By claiming urgent security issues
C) By impersonating law enforcement
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Fear tactics create panic, making victims act quickly without verifying legitimacy.


81. Which of the following is NOT a common social engineering attack?

A) Business Email Compromise (BEC)
B) Phishing
C) Credential Stuffing
D) Baiting

✅ Answer: C) Credential Stuffing
💡 Explanation: Credential stuffing is a brute-force attack using leaked passwords, whereas social engineering relies on manipulating human behavior.


82. What is the primary target of Business Email Compromise (BEC) scams?

A) IT support teams
B) High-level executives and finance departments
C) Social media users
D) Software developers

✅ Answer: B) High-level executives and finance departments
💡 Explanation: BEC scams target executives and finance teams to trick them into authorizing fraudulent wire transfers.


83. An attacker sends an email disguised as an urgent invoice from a known vendor, requesting immediate payment. What type of attack is this?

A) Spear Phishing
B) Vishing
C) Pharming
D) Tailgating

✅ Answer: A) Spear Phishing
💡 Explanation: Spear phishing attacks are highly targeted and often involve forged invoices or fake payment requests.


84. Why do attackers use social engineering instead of hacking into systems directly?

A) It requires less effort and fewer technical skills
B) It bypasses traditional security measures
C) Humans are easier to manipulate than well-secured systems
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Social engineering attacks take advantage of human error, making them easier and more effective than technical exploits.


85. What is the main goal of a CEO fraud attack?

A) To steal an executive’s personal information
B) To trick employees into wiring money to an attacker-controlled account
C) To hack into a company’s internal database
D) To spread misinformation about a company

✅ Answer: B) To trick employees into wiring money to an attacker-controlled account
💡 Explanation: CEO fraud involves impersonating a company executive to request fraudulent financial transactions.


86. Which factor makes employees most susceptible to social engineering attacks?

A) Overconfidence in their cybersecurity knowledge
B) Poor password management
C) Lack of security awareness training
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Overconfidence, poor security habits, and lack of training all increase vulnerability to social engineering attacks.


87. How do attackers use social proof in social engineering?

A) By claiming that many others have already complied with their request
B) By referencing well-known security policies
C) By using complex jargon to confuse victims
D) By pretending to be a law enforcement officer

✅ Answer: A) By claiming that many others have already complied with their request
💡 Explanation: Social proof exploits people’s tendency to follow the actions of others, making them more likely to comply with a fraudulent request.


88. What should organizations implement to detect social engineering attempts?

A) Firewalls and anti-malware tools
B) AI-powered email filtering and anomaly detection
C) Only allowing secure USB devices
D) Blocking social media sites at work

✅ Answer: B) AI-powered email filtering and anomaly detection
💡 Explanation: AI-based security tools can detect phishing emails and suspicious communications before they reach employees.


89. A hacker convinces an employee to reset an executive’s password by pretending to be from IT support. This is an example of:

A) Whaling
B) Pretexting
C) Pharming
D) Smishing

✅ Answer: B) Pretexting
💡 Explanation: Pretexting involves using a fake scenario to gain trust and extract sensitive information.


90. Why do phishing emails often create a sense of urgency?

A) To make recipients act without thinking
B) To comply with cybersecurity regulations
C) To encourage critical thinking before responding
D) To improve email readability

✅ Answer: A) To make recipients act without thinking
💡 Explanation: Creating urgency tricks victims into responding quickly before they can analyze the situation properly.


91. Which of the following can help prevent unauthorized access via tailgating?

A) Enforcing strict physical access controls
B) Using multi-factor authentication
C) Encouraging employees to challenge unknown individuals
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Physical security, MFA, and employee awareness all help prevent tailgating attacks.


92. What is the primary risk of posting work-related details on social media?

A) It makes employees more likely to be targeted in social engineering attacks
B) It allows attackers to guess work passwords
C) It can lead to accidental malware infections
D) It helps companies improve public relations

✅ Answer: A) It makes employees more likely to be targeted in social engineering attacks
💡 Explanation: Attackers gather information from social media to craft highly targeted phishing or impersonation attacks.


93. How does MFA reduce the impact of social engineering?

A) It blocks phishing emails
B) It prevents attackers from logging in with stolen credentials
C) It encrypts sensitive information
D) It alerts users to phishing attempts

✅ Answer: B) It prevents attackers from logging in with stolen credentials
💡 Explanation: MFA adds an extra layer of security that prevents unauthorized access, even if an attacker has stolen a password.


94. A fraudulent website that looks exactly like a bank’s login page is used to steal credentials. This is an example of:

A) Pharming
B) Smishing
C) Baiting
D) Tailgating

✅ Answer: A) Pharming
💡 Explanation: Pharming redirects victims to fake websites to steal login credentials.


95. How do attackers use urgency in Business Email Compromise (BEC) scams?

A) By demanding immediate wire transfers
B) By impersonating executives under tight deadlines
C) By warning of severe consequences if action isn’t taken
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Urgency increases the success rate of BEC scams, as victims act without verifying legitimacy.


96. What is a telltale sign of a fake IT support call?

A) Asking for login credentials or passwords
B) Speaking with technical jargon
C) Using a professional tone
D) Being overly polite

✅ Answer: A) Asking for login credentials or passwords
💡 Explanation: Legitimate IT support teams never ask for passwords over the phone.


97. What is an effective countermeasure against smishing attacks?

A) Blocking all text messages
B) Avoiding clicking on links in text messages from unknown numbers
C) Encrypting mobile communications
D) Changing passwords frequently

✅ Answer: B) Avoiding clicking on links in text messages from unknown numbers
💡 Explanation: Smishing relies on fraudulent links that trick users into entering credentials or downloading malware.


98. What is the key difference between tailgating and piggybacking?

A) Tailgating involves deception, while piggybacking involves permission
B) Piggybacking is illegal, while tailgating is not
C) Tailgating happens in emails, while piggybacking happens in person
D) There is no difference

✅ Answer: A) Tailgating involves deception, while piggybacking involves permission
💡 Explanation: Tailgating occurs when an attacker sneaks in unnoticed, while piggybacking happens with unintentional permission.


99. Why are social engineers successful at tricking victims?

A) They exploit trust, authority, and urgency
B) They use high-tech hacking tools
C) They send malware to every employee
D) They avoid direct human contact

✅ Answer: A) They exploit trust, authority, and urgency
💡 Explanation: Social engineers rely on psychological manipulation rather than complex hacking.


100. What is the most effective way to prevent social engineering attacks?

A) Employee security awareness training
B) Stronger passwords
C) Firewalls
D) Data encryption

✅ Answer: A) Employee security awareness training
💡 Explanation: Training employees is the best defense against social engineering, as it reduces human error.


101. Why do social engineers often impersonate IT support staff?

A) IT personnel have access to sensitive systems and credentials
B) Employees naturally trust IT support requests
C) IT departments frequently ask for login details
D) Both A and B

✅ Answer: D) Both A and B
💡 Explanation: Attackers impersonate IT support because employees trust them, and IT teams often have access to critical systems.


102. What is an example of a “pretexting” attack?

A) Sending a phishing email
B) Creating a fake scenario to extract sensitive data
C) Deploying malware through an attachment
D) Exploiting a software vulnerability

✅ Answer: B) Creating a fake scenario to extract sensitive data
💡 Explanation: Pretexting is lying or creating a fabricated scenario to deceive a target into giving out information.


103. What is the best way to protect against vishing attacks?

A) Never answer phone calls from unknown numbers
B) Verify the caller’s identity through official channels
C) Block all international calls
D) Use a VPN

✅ Answer: B) Verify the caller’s identity through official channels
💡 Explanation: Always call back using an official phone number before providing any sensitive information.


104. Which cybersecurity principle helps prevent social engineering attacks?

A) Least Privilege Access
B) Open Access Policy
C) Default Password Sharing
D) Weak Authentication

✅ Answer: A) Least Privilege Access
💡 Explanation: Least Privilege Access ensures employees only have the permissions they need, reducing risks from compromised accounts.


105. Why are social engineers often successful in their attacks?

A) They use technical vulnerabilities
B) They exploit human emotions and psychology
C) They only target high-level executives
D) They use brute-force techniques

✅ Answer: B) They exploit human emotions and psychology
💡 Explanation: Social engineering attacks succeed because they manipulate human nature, such as trust, fear, or curiosity.


106. What is the main purpose of a watering hole attack?

A) To infect websites frequently visited by a target group
B) To intercept email communications
C) To manipulate users into transferring funds
D) To steal passwords through keyloggers

✅ Answer: A) To infect websites frequently visited by a target group
💡 Explanation: A watering hole attack involves compromising trusted websites to infect visitors with malware.


107. How can businesses protect against Business Email Compromise (BEC) scams?

A) Verifying financial transactions through multiple channels
B) Allowing employees to freely share company credentials
C) Disabling all email attachments
D) Encouraging the use of public Wi-Fi

✅ Answer: A) Verifying financial transactions through multiple channels
💡 Explanation: Multi-step verification for financial transactions can prevent fraudulent requests from attackers.


108. An attacker calls an employee pretending to be from their bank, asking for account verification. What is this attack called?

A) Smishing
B) Vishing
C) Pretexting
D) Phishing

✅ Answer: B) Vishing
💡 Explanation: Vishing (voice phishing) uses phone calls to trick victims into revealing sensitive data.


109. What is the biggest risk of using public Wi-Fi?

A) Slow internet speed
B) Being targeted by social engineering attacks like Evil Twin attacks
C) Getting too many advertisements
D) Having to enter a password to connect

✅ Answer: B) Being targeted by social engineering attacks like Evil Twin attacks
💡 Explanation: Attackers can set up fake Wi-Fi hotspots (Evil Twin attacks) to intercept user credentials.


110. Which technique do attackers use in CEO fraud scams?

A) Sending fraudulent emails impersonating an executive
B) Gaining physical access to a server room
C) Using brute force to crack passwords
D) Infecting systems with ransomware

✅ Answer: A) Sending fraudulent emails impersonating an executive
💡 Explanation: In CEO fraud, attackers spoof executive emails to request fraudulent financial transfers.


111. How can organizations minimize the impact of tailgating attacks?

A) Installing strong antivirus software
B) Training employees to challenge unknown individuals before granting access
C) Requiring employees to change passwords frequently
D) Blocking access to social media

✅ Answer: B) Training employees to challenge unknown individuals before granting access
💡 Explanation: Tailgating attacks exploit politeness; training employees to verify unknown visitors reduces this risk.


112. How does an attacker gain a victim’s trust in social engineering attacks?

A) By pretending to be a trusted individual
B) By offering fake incentives
C) By creating urgency or fear
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Attackers build trust using deception, incentives, or urgency to manipulate victims.


113. What should employees do if they suspect they are being targeted by a phishing email?

A) Click the link to see if it’s real
B) Reply to the sender and ask for confirmation
C) Report it to IT/security immediately
D) Ignore it and delete it

✅ Answer: C) Report it to IT/security immediately
💡 Explanation: Reporting helps prevent phishing attacks from spreading across the organization.


114. Which red flag can indicate a phishing attempt?

A) Spelling and grammatical errors
B) Urgent requests for personal information
C) Unusual email addresses or domain names
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Phishing emails often contain spelling errors, urgency, and fake domain names.


115. Why do attackers use deepfake videos in social engineering?

A) To impersonate trusted figures and convince victims to transfer money
B) To spread ransomware
C) To bypass firewalls
D) To conduct network penetration tests

✅ Answer: A) To impersonate trusted figures and convince victims to transfer money
💡 Explanation: Deepfake videos make fake requests look real, tricking victims into transferring funds or sharing sensitive data.


116. What is the biggest risk of oversharing work-related details on LinkedIn?

A) Hackers might steal personal pictures
B) Attackers can use the information for targeted phishing attacks
C) Competitors can see job descriptions
D) Getting too many connection requests

✅ Answer: B) Attackers can use the information for targeted phishing attacks
💡 Explanation: Oversharing job details helps attackers craft realistic social engineering attacks.


117. What should employees do if they accidentally fall for a phishing attack?

A) Report the incident to IT/security immediately
B) Try to delete the email and forget about it
C) Change their password after a few days
D) Do nothing unless something bad happens

✅ Answer: A) Report the incident to IT/security immediately
💡 Explanation: Immediate reporting allows security teams to mitigate potential damage.


118. What is a social engineering reconnaissance technique?

A) Gathering information from public sources before launching an attack
B) Deploying ransomware to steal credentials
C) Cracking passwords using brute force
D) Encrypting a victim’s data

✅ Answer: A) Gathering information from public sources before launching an attack
💡 Explanation: Attackers research targets before launching phishing, vishing, or impersonation attacks.


119. Which factor increases the likelihood of a successful social engineering attack?

A) Employees lacking security training
B) Strong password policies
C) Using encrypted emails
D) Implementing multi-factor authentication

✅ Answer: A) Employees lacking security training
💡 Explanation: Lack of security awareness makes employees more susceptible to deception.


120. What is the key to preventing social engineering attacks?

A) Firewalls
B) Employee awareness and training
C) Frequent password changes
D) Strong encryption

✅ Answer: B) Employee awareness and training
💡 Explanation: Educating employees is the most effective way to prevent social engineering attacks.


121. What is a primary reason employees fall victim to social engineering attacks?

A) Lack of technical knowledge
B) Over-reliance on technology for security
C) Emotional manipulation techniques used by attackers
D) Weak Wi-Fi encryption

✅ Answer: C) Emotional manipulation techniques used by attackers
💡 Explanation: Social engineers exploit human emotions such as trust, urgency, and fear to manipulate victims.


122. What is the best way to verify an email request for sensitive information?

A) Reply to the email asking for confirmation
B) Call the sender using an official phone number
C) Click on the provided link and check the page
D) Forward the email to colleagues for opinions

✅ Answer: B) Call the sender using an official phone number
💡 Explanation: Always verify requests using official contact details, rather than trusting email responses.


123. What is the primary difference between phishing and pharming?

A) Phishing requires user interaction, while pharming redirects users automatically
B) Pharming is an advanced form of phishing
C) Phishing uses fake websites, while pharming uses phone calls
D) Pharming is only effective on mobile devices

✅ Answer: A) Phishing requires user interaction, while pharming redirects users automatically
💡 Explanation: Phishing relies on user action, while pharming manipulates DNS settings to redirect victims automatically.


124. What is a common trait of a successful social engineering attack?

A) The victim realizes they are being tricked immediately
B) The attacker uses psychological pressure and deception
C) The attacker needs access to internal systems first
D) The attack only works on new employees

✅ Answer: B) The attacker uses psychological pressure and deception
💡 Explanation: Social engineering relies on psychological manipulation rather than technical exploits.


125. How does social engineering differ from traditional hacking?

A) It targets hardware instead of people
B) It manipulates human behavior instead of exploiting software vulnerabilities
C) It requires advanced programming knowledge
D) It is only used in government-sponsored cyberattacks

✅ Answer: B) It manipulates human behavior instead of exploiting software vulnerabilities
💡 Explanation: Social engineering focuses on exploiting human psychology rather than system flaws.


126. How can companies prevent social engineering attacks on employees?

A) By implementing strict internet usage policies
B) By providing regular security awareness training
C) By hiring ethical hackers
D) By limiting employees’ use of email

✅ Answer: B) By providing regular security awareness training
💡 Explanation: Employee education is the most effective way to prevent social engineering attacks.


127. Which of the following is a common social engineering attack against help desks?

A) An attacker impersonating an employee to reset their password
B) Sending a malicious email attachment
C) Installing malware via an infected USB drive
D) Exploiting software vulnerabilities

✅ Answer: A) An attacker impersonating an employee to reset their password
💡 Explanation: Attackers often impersonate users to trick help desks into resetting passwords.


128. What is a honeytrap attack?

A) A social engineering attack using romantic manipulation
B) A fake login page designed to steal credentials
C) An email with a malicious attachment
D) A brute-force attack on a system

✅ Answer: A) A social engineering attack using romantic manipulation
💡 Explanation: Honeytrap attacks use fake romantic relationships to gain trust and extract sensitive information.


129. Which of the following is NOT a common pretexting scenario?

A) A fake IT support call requesting a password reset
B) A phishing email with a fake login page
C) A scammer posing as a law enforcement officer to demand payment
D) A fraudster pretending to be a bank representative

✅ Answer: B) A phishing email with a fake login page
💡 Explanation: Pretexting involves direct interaction with the victim, while phishing relies on deceptive emails or websites.


130. What is a “fake job offer” scam in social engineering?

A) A phishing attack disguised as a recruiter email
B) A brute-force attack targeting HR databases
C) A malware attack using an infected resume
D) A network scanning technique used for reconnaissance

✅ Answer: A) A phishing attack disguised as a recruiter email
💡 Explanation: Attackers pretend to be recruiters to trick victims into sharing personal information.


131. What is a key characteristic of a spear phishing attack?

A) It is random and sent to thousands of people
B) It is highly personalized and targets specific individuals
C) It only works on mobile devices
D) It requires sophisticated hacking tools

✅ Answer: B) It is highly personalized and targets specific individuals
💡 Explanation: Spear phishing is customized to its target, making it more convincing than generic phishing.


132. Why are finance and HR departments often targeted in social engineering attacks?

A) They control financial transactions and employee records
B) They lack cybersecurity awareness
C) Their workstations are less secure
D) They have access to encrypted storage

✅ Answer: A) They control financial transactions and employee records
💡 Explanation: Finance and HR handle sensitive financial and personal data, making them attractive targets.


133. What is a deepfake video attack in social engineering?

A) A phishing scam using video messages
B) A method of spoofing video calls with AI-generated content
C) A brute-force attack using AI
D) A type of ransomware attack

✅ Answer: B) A method of spoofing video calls with AI-generated content
💡 Explanation: Deepfake technology can create fake video or audio messages impersonating trusted individuals.


134. What should an employee do if they receive a suspicious SMS with a payment link?

A) Click the link to see if it’s legitimate
B) Reply to verify the sender
C) Report it to IT/security and avoid clicking any links
D) Forward it to a friend for advice

✅ Answer: C) Report it to IT/security and avoid clicking any links
💡 Explanation: Smishing attacks use text messages with malicious links; never click on them.


135. How do attackers use urgency in smishing attacks?

A) By claiming a bank account is locked
B) By pretending an invoice needs immediate payment
C) By warning of legal action
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Smishing attacks create urgency to pressure victims into acting without verifying legitimacy.


136. What is an example of reverse social engineering?

A) An attacker convinces a victim to seek help from them
B) An attacker sends an email with a fake invoice
C) A hacker uses malware to spy on a company
D) A scammer pretends to be a lost employee

✅ Answer: A) An attacker convinces a victim to seek help from them
💡 Explanation: Reverse social engineering tricks the victim into initiating contact with the attacker.


137. What is a sign of a fraudulent customer support scam?

A) Asking for remote access to your computer
B) Requesting payment in cryptocurrency
C) Demanding login credentials over the phone
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Scammers impersonate support agents and demand remote access, payments, or credentials.


138. What is a major risk of QR code phishing (Quishing)?

A) Scanning redirects users to malicious websites
B) QR codes can contain embedded malware
C) They often mimic trusted organizations
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Quishing uses fake QR codes to lead victims to malicious sites or malware downloads.


139. How can organizations detect social engineering attacks early?

A) AI-driven email monitoring and anomaly detection
B) Installing firewalls on all computers
C) Limiting internet access
D) Encrypting all communications

✅ Answer: A) AI-driven email monitoring and anomaly detection
💡 Explanation: AI-based anomaly detection helps identify fraudulent or suspicious behavior early.


140. What should be the first response to a suspected social engineering attack?

A) Report it immediately to IT/security
B) Ignore it and hope it stops
C) Investigate on your own
D) Respond to test the attacker’s knowledge

✅ Answer: A) Report it immediately to IT/security
💡 Explanation: Quick reporting helps security teams prevent further damage.


141. Which social engineering attack involves an attacker setting up a fake Wi-Fi hotspot to capture sensitive information?

A) Evil Twin Attack
B) Pretexting
C) Pharming
D) Baiting

✅ Answer: A) Evil Twin Attack
💡 Explanation: An Evil Twin Attack occurs when an attacker sets up a fraudulent Wi-Fi network that mimics a legitimate one to intercept user data.


142. What is the main objective of a “pretexting” attack?

A) To infect a system with malware
B) To create a fabricated story to trick the victim into revealing sensitive data
C) To launch a brute-force attack on a password database
D) To perform a denial-of-service attack

✅ Answer: B) To create a fabricated story to trick the victim into revealing sensitive data
💡 Explanation: Pretexting involves an attacker creating a false identity or scenario to manipulate victims into sharing confidential information.


143. What is the key difference between spear phishing and whaling?

A) Spear phishing targets specific individuals, while whaling targets high-ranking executives
B) Whaling attacks use malware, while spear phishing does not
C) Spear phishing only works on mobile devices
D) Whaling requires physical access to the victim’s computer

✅ Answer: A) Spear phishing targets specific individuals, while whaling targets high-ranking executives
💡 Explanation: Whaling is a form of spear phishing that targets CEOs, executives, and high-value individuals.


144. What is an example of a quid pro quo attack?

A) A scammer offering free IT support in exchange for login credentials
B) A fake antivirus alert urging users to click a link
C) A phishing email with a fake invoice
D) An attacker sending a malicious file disguised as a document

✅ Answer: A) A scammer offering free IT support in exchange for login credentials
💡 Explanation: Quid pro quo (Latin for “something for something”) attacks offer a service or benefit in exchange for sensitive information.


145. What is the best method to detect a fraudulent website designed for phishing?

A) Checking for HTTPS and verifying the domain
B) Clicking on the link and reviewing the page
C) Downloading a file from the site to test security
D) Calling the sender of the phishing email for confirmation

✅ Answer: A) Checking for HTTPS and verifying the domain
💡 Explanation: Legitimate sites use HTTPS and have authentic domains, while phishing sites often use misspelled URLs or unfamiliar domains.


146. What is a common social engineering attack against customer service representatives?

A) Tailgating
B) Pretexting
C) Phishing
D) Keylogging

✅ Answer: B) Pretexting
💡 Explanation: Pretexting is commonly used against customer service staff, where attackers pretend to be customers or employees to gain access to sensitive data.


147. What should you do if you receive an unexpected email attachment from an unknown sender?

A) Open it to verify its content
B) Delete it immediately
C) Report it to IT/security and avoid opening it
D) Reply to the sender to ask for confirmation

✅ Answer: C) Report it to IT/security and avoid opening it
💡 Explanation: Unknown attachments may contain malware; always report them and avoid opening them.


148. Which of the following is a characteristic of a tailgating attack?

A) The attacker follows an authorized individual into a restricted area
B) The attacker uses software vulnerabilities to gain access
C) The attacker intercepts network traffic
D) The attacker sends phishing emails

✅ Answer: A) The attacker follows an authorized individual into a restricted area
💡 Explanation: Tailgating involves physically entering a restricted area by following someone with legitimate access.


149. How can businesses protect against impersonation attacks?

A) Implementing strict identity verification procedures
B) Blocking all external emails
C) Allowing employees to use personal devices for work
D) Relying on antivirus software alone

✅ Answer: A) Implementing strict identity verification procedures
💡 Explanation: Verifying identities through multi-step authentication and security protocols can help prevent impersonation attacks.


150. Which tactic is commonly used in CEO fraud scams?

A) Using email spoofing to impersonate an executive
B) Brute-force password attacks
C) Exploiting software vulnerabilities
D) Keylogging

✅ Answer: A) Using email spoofing to impersonate an executive
💡 Explanation: CEO fraud scams rely on email spoofing to impersonate high-level executives and request fraudulent payments.


151. Why do attackers use urgency in phishing emails?

A) To pressure victims into acting quickly without verifying the request
B) To give victims time to think about their actions
C) To comply with legal requirements
D) To make emails appear more professional

✅ Answer: A) To pressure victims into acting quickly without verifying the request
💡 Explanation: Creating urgency forces victims to act impulsively, increasing the success rate of the attack.


152. What is a key indicator of a social engineering attack?

A) Requests for sensitive information via email or phone
B) High-quality email formatting and branding
C) An email coming from a company’s official domain
D) A request from someone the recipient knows personally

✅ Answer: A) Requests for sensitive information via email or phone
💡 Explanation: Legitimate organizations do not ask for sensitive information over email or phone.


153. What is the best way to prevent employees from falling for social engineering scams?

A) Conducting regular security awareness training
B) Blocking all external emails
C) Using only encrypted messaging platforms
D) Encouraging employees to change passwords weekly

✅ Answer: A) Conducting regular security awareness training
💡 Explanation: Educating employees about social engineering tactics helps them recognize and avoid scams.


154. What is the primary risk of clicking on a malicious email link?

A) Immediate deletion of system files
B) Redirection to a fraudulent website designed to steal credentials
C) Instant overheating of the computer
D) Slowing down the internet connection

✅ Answer: B) Redirection to a fraudulent website designed to steal credentials
💡 Explanation: Malicious links in phishing emails typically lead to fake login pages designed to steal usernames and passwords.


155. How do attackers use fake surveys in social engineering?

A) To collect personal and financial information
B) To gather user credentials
C) To install malware on the victim’s device
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Fake surveys trick users into providing personal data, login credentials, or installing malware.


156. What should employees do if they receive an unexpected password reset request?

A) Click the reset link and change their password
B) Ignore the request completely
C) Contact IT/security to verify the request
D) Reply to the email asking if it’s real

✅ Answer: C) Contact IT/security to verify the request
💡 Explanation: Always verify unexpected password reset requests with IT/security before taking action.


157. What is a social engineering tactic used in gift card scams?

A) Asking victims to purchase gift cards and send the codes
B) Sending phishing emails with fake discounts
C) Calling victims pretending to be customer support
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Gift card scams often involve phishing, fake discounts, and impersonation tactics.


158. How do attackers use fake charity scams in social engineering?

A) They exploit people’s willingness to donate to a good cause
B) They provide real charity names but fake payment links
C) They create urgency for donations after disasters
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Fake charity scams manipulate emotions and urgency to trick people into donating money.


159. What is the purpose of a social engineering penetration test?

A) To evaluate employees’ vulnerability to manipulation
B) To hack into secure databases
C) To install malware on systems
D) To conduct denial-of-service attacks

✅ Answer: A) To evaluate employees’ vulnerability to manipulation
💡 Explanation: Social engineering penetration tests assess how well employees recognize and resist manipulation tactics, typically through authorized phishing, vishing or on-site pretexting exercises agreed with management in advance.


160. What is the best defense against social engineering?

A) Employee education and awareness
B) Firewalls and anti-virus software
C) Using long passwords
D) Encrypting all data

✅ Answer: A) Employee education and awareness
💡 Explanation: Educating employees is the most effective defense against social engineering attacks, complemented by technical controls such as MFA and email filtering that limit the damage when someone is still fooled.


161. How do attackers use fake tech support scams in social engineering?

A) They call victims pretending to be from a trusted company and request remote access
B) They send phishing emails offering free security scans
C) They create fake pop-ups warning about a virus infection
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Fake tech support scams involve calls, phishing emails, and pop-ups to trick victims into giving remote access or paying for unnecessary services.


162. What makes Business Email Compromise (BEC) attacks so effective?

A) They target employees who handle financial transactions
B) They use social engineering to impersonate executives
C) They involve urgent requests that pressure victims into quick action
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: BEC attacks are effective because they target financial personnel, impersonate executives, and create urgency.


163. How does an attacker use a “scareware” attack?

A) By tricking victims into thinking their system is infected and pushing them to download fake antivirus software
B) By sending mass phishing emails
C) By using ransomware to lock victims out of their devices
D) By manipulating victims into calling a fake help desk

✅ Answer: A) By tricking victims into thinking their system is infected and pushing them to download fake antivirus software
💡 Explanation: Scareware uses fake security warnings to trick victims into installing malware or buying fake software.


164. What should an employee do if they receive an email from their CEO requesting an urgent wire transfer?

A) Approve the transaction immediately
B) Verify the request through an official communication channel
C) Reply to the email asking for confirmation
D) Ignore the email

✅ Answer: B) Verify the request through an official communication channel
💡 Explanation: CEO fraud scams rely on urgent, high-pressure emails; always verify directly through a trusted channel such as a known phone number, never by replying to the email itself.


165. What is a key sign of an impersonation attack?

A) Unexpected requests for sensitive information
B) A sender email that closely resembles a legitimate one but contains slight differences
C) High-pressure language creating urgency
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Impersonation attacks combine lookalike or spoofed sender addresses, urgency, and unexpected requests to trick victims.


166. What is a “trust-based” social engineering attack?

A) An attack where the victim is tricked into trusting the attacker before revealing sensitive information
B) An attack that exploits a software vulnerability
C) A malware attack that infects a system
D) An attack that relies only on technical hacking skills

✅ Answer: A) An attack where the victim is tricked into trusting the attacker before revealing sensitive information
💡 Explanation: Trust-based attacks rely on building a relationship with the victim before manipulating them into sharing data.


167. How do attackers use social engineering on social media platforms?

A) By impersonating friends or colleagues to gain trust
B) By sending phishing links through direct messages
C) By gathering personal information for spear phishing attacks
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Attackers exploit social media for impersonation, phishing, and intelligence gathering.


168. Which department in a company is most vulnerable to social engineering?

A) HR and Finance
B) IT Security
C) Marketing and Sales
D) Only executive-level employees

✅ Answer: A) HR and Finance
💡 Explanation: HR and Finance handle sensitive employee and financial data, making them prime targets for social engineering.


169. Why are employees targeted for insider threats through social engineering?

A) They have access to internal systems and data
B) Attackers can manipulate them into unintentionally assisting in cybercrime
C) They can be bribed or blackmailed into sharing information
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Insider threats occur when attackers manipulate employees into leaking sensitive information or aiding cybercriminals.


170. What is a “shoulder surfing” attack?

A) Watching someone enter their credentials or sensitive information
B) Remotely hacking into a system
C) Sending a phishing email
D) Exploiting a web application vulnerability

✅ Answer: A) Watching someone enter their credentials or sensitive information
💡 Explanation: Shoulder surfing involves spying on a victim’s screen or keyboard to steal information.


171. How can organizations prevent social engineering attacks over email?

A) Implementing email filtering and phishing detection systems
B) Training employees to recognize and report suspicious emails
C) Using multi-factor authentication for email logins
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: A combination of email security tools, employee awareness, and MFA can help prevent email-based social engineering attacks.


172. What should an employee do if they suspect they are speaking to a fraudster on the phone?

A) Provide minimal information and verify the caller through official means
B) Hang up immediately and block the number
C) Report the call to IT/security
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Minimizing information sharing, verifying identity, and reporting the incident are key steps in handling phone-based social engineering.


173. What is the main reason phishing attacks still succeed despite security advancements?

A) They exploit human behavior rather than technical vulnerabilities
B) Cybersecurity tools are ineffective
C) They use highly sophisticated hacking techniques
D) Firewalls cannot block phishing emails

✅ Answer: A) They exploit human behavior rather than technical vulnerabilities
💡 Explanation: Phishing preys on human psychology (fear, urgency, and trust), making it difficult to stop entirely.


174. What is the best way to verify the legitimacy of a suspicious link?

A) Hover over the link to preview the URL
B) Click on it and check the website content
C) Forward it to a friend for advice
D) Open it in incognito mode

✅ Answer: A) Hover over the link to preview the URL
💡 Explanation: Hovering over a link (or long-pressing it on a mobile device) shows the real destination without opening it; check that the domain matches what the link text claims. Shorteners and redirectors can hide the final destination, so when in doubt type the organization’s known address into the browser instead of clicking.
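One way to automate the hover check, as an added example that is not part of the original quiz: parse every anchor in an HTML message and flag those whose visible text names one host while the href actually resolves to another. The message body, the hostnames and the IP address in it are constructed for the demo.

```python
"""Flag links whose visible text disagrees with their real destination.

Added example for the 'hover to preview the URL' advice; not code from the
original quiz.  SAMPLE_HTML and every host in it are constructed for the demo.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message body: an honest link, a link whose text shows a trusted
# URL while the href goes elsewhere, one using the user@host authority trick,
# and a plain "click here" link that makes no checkable claim.
SAMPLE_HTML = """
<p>Invoice: <a href="https://billing.example.com/inv/42">billing.example.com</a></p>
<p>Reset now: <a href="https://example-com-login.attacker.test/reset">https://example.com/reset</a></p>
<p>Support: <a href="https://example.com@198.51.100.7/login">example.com</a></p>
<p><a href="https://attacker.test/x">click here</a></p>
"""

# Visible text that itself looks like a URL or hostname.  Words such as
# "click here" assert nothing about the destination, so they are skipped.
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def target_host(url):
    """Hostname a browser would actually connect to.

    urlsplit() discards any user@ part of the authority, which is exactly how
    'https://example.com@198.51.100.7/' ends up at 198.51.100.7."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").lower()


def suspicious_links(html):
    """Return (visible text, real host) for links whose text names a different host."""
    parser = LinkExtractor()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        if not LOOKS_LIKE_URL.fullmatch(text):
            continue
        if target_host(text) != target_host(href):
            flagged.append((text, target_host(href)))
    return flagged


if __name__ == "__main__":
    for text, host in suspicious_links(SAMPLE_HTML):
        print(f"text says {text!r} but the link goes to {host}")
```

The third sample is why the comparison uses the parsed hostname rather than a string prefix: everything before the `@` in a URL authority is user information, not the host. The script does not follow redirects or expand shorteners, which is the same limit a manual hover has.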


175. Why are social engineering attacks often combined with malware?

A) To trick victims into downloading malicious files
B) To steal login credentials and compromise systems
C) To install spyware or ransomware
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Social engineering helps spread malware by tricking users into downloading infected files or clicking malicious links.


176. Which action helps protect against tailgating attacks?

A) Training employees to challenge unauthorized individuals entering secure areas
B) Using anti-virus software
C) Changing passwords frequently
D) Using a VPN

✅ Answer: A) Training employees to challenge unauthorized individuals entering secure areas
💡 Explanation: Tailgating relies on unauthorized entry; employees must be trained to deny access to strangers rather than hold the door open.


177. What is a “social engineer’s toolkit” typically composed of?

A) Psychological manipulation techniques
B) Phishing emails and phone calls
C) Impersonation and pretexting strategies
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Social engineers use a variety of tactics including psychological manipulation, phishing, impersonation, and pretexting.


178. Why do attackers target public Wi-Fi networks?

A) To intercept user data via man-in-the-middle attacks
B) To deploy ransomware
C) To conduct denial-of-service attacks
D) To monitor social media activity

✅ Answer: A) To intercept user data via man-in-the-middle attacks
💡 Explanation: On an open or shared-password Wi-Fi network, an attacker on the same network (or running a rogue access point with the same name) can intercept or tamper with any traffic that is not protected by TLS; HTTPS and a VPN limit what such an attacker can see.


179. What is a “rogue employee” in social engineering?

A) An insider who intentionally aids cybercriminals
B) A person who unknowingly spreads malware
C) A security researcher testing social engineering tactics
D) A victim of phishing

✅ Answer: A) An insider who intentionally aids cybercriminals
💡 Explanation: Rogue employees assist attackers by leaking information or sabotaging security from within.


180. How do deepfake scams enhance social engineering attacks?

A) By creating realistic impersonations of trusted individuals
B) By modifying website content
C) By encrypting user data
D) By spreading phishing emails

✅ Answer: A) By creating realistic impersonations of trusted individuals
💡 Explanation: Deepfake scams use AI-generated voices or videos to impersonate trusted figures for fraud.


181. What makes a social engineering attack successful?

A) Exploiting human emotions like fear, urgency, and curiosity
B) Using sophisticated malware
C) Cracking encrypted files
D) Brute-forcing login credentials

✅ Answer: A) Exploiting human emotions like fear, urgency, and curiosity
💡 Explanation: Social engineers manipulate emotions to bypass critical thinking and trick victims into revealing sensitive information.


182. Why do attackers prefer social engineering over traditional hacking techniques?

A) It is easier to manipulate people than to break through security systems
B) It requires expensive hacking tools
C) It works only on high-profile targets
D) It is only useful in corporate environments

✅ Answer: A) It is easier to manipulate people than to break through security systems
💡 Explanation: Humans are often the weakest link in security, making social engineering attacks easier than technical exploits.


183. How can organizations prevent gift card scams targeting employees?

A) Train employees to recognize fake urgent requests for gift card purchases
B) Ban all use of gift cards
C) Block external emails
D) Restrict access to e-commerce websites

✅ Answer: A) Train employees to recognize fake urgent requests for gift card purchases
💡 Explanation: Fraudsters often impersonate executives and request gift card purchases. Training helps employees spot these scams.


184. Which of the following is an example of a social engineering attack targeting mobile users?

A) Smishing (SMS phishing)
B) Man-in-the-middle attacks
C) Ransomware infections
D) SQL injection

✅ Answer: A) Smishing (SMS phishing)
💡 Explanation: Smishing is a form of phishing via text messages, tricking users into clicking malicious links or providing credentials.


185. What makes an email phishing attack more convincing?

A) Personalization with the victim’s name and job title
B) Generic greetings like “Dear Customer”
C) Poor grammar and misspellings
D) Lack of branding or company logos

✅ Answer: A) Personalization with the victim’s name and job title
💡 Explanation: Spear phishing attacks are more effective when they include personalized details to appear authentic.


186. What is a “fake invoice” scam?

A) A phishing attack where attackers send fraudulent invoices requesting payment
B) A ransomware attack that encrypts invoices
C) A fake payment request from a real vendor
D) A technical exploit targeting accounting software

✅ Answer: A) A phishing attack where attackers send fraudulent invoices requesting payment
💡 Explanation: Fake invoice scams trick victims into paying fraudulent invoices, often impersonating real vendors.


187. How do attackers use QR codes for phishing (Quishing)?

A) By embedding malicious links in QR codes to steal user credentials
B) By using QR codes to access company networks
C) By replacing barcodes on products
D) By installing malware on mobile devices through QR scans

✅ Answer: A) By embedding malicious links in QR codes to steal user credentials
💡 Explanation: Quishing tricks users into scanning malicious QR codes, redirecting them to phishing sites.


188. How does multi-factor authentication (MFA) help defend against social engineering attacks?

A) It prevents phishing emails
B) It requires an extra verification step, making stolen credentials useless
C) It blocks all fake phone calls
D) It encrypts all sensitive emails

✅ Answer: B) It requires an extra verification step, making stolen credentials useless
💡 Explanation: MFA adds a second factor, so a password that was phished or guessed is not enough on its own to log in. One-time codes can still be relayed by a real-time phishing proxy or obtained through repeated push prompts (MFA fatigue); phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the genuine site’s origin and close that gap.
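The “extra verification step” in concrete form, as an added example that is not code from the original quiz: a login routine that checks a password hash and a time-based one-time code (TOTP, RFC 6238, built on HOTP, RFC 4226) using only the standard library. The account record, salt and password are constructed for the demo; the TOTP seed is the RFC 6238 test key so the generated codes can be checked against the RFC’s own test vectors. The point it shows is that a password captured by phishing is rejected when no valid code accompanies it.

```python
"""Why a phished password alone fails when a TOTP second factor is enforced.

Added example, not code from the original quiz.  HOTP (RFC 4226) and TOTP
(RFC 6238) are implemented with the standard library only; the user record,
salt and password below are constructed for the demo, and the TOTP seed is
the RFC 6238 test key so the codes match the RFC's test vectors.
"""
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=30, digits=6):
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, at // step, digits)


def verify_totp(secret, code, at, step=30, skew=1):
    """Accept the current interval plus `skew` intervals either side (clock drift).

    The comparison is constant-time so the verifier leaks nothing about the digits."""
    for k in range(-skew, skew + 1):
        expected = totp(secret, at + k * step, step).encode()
        if hmac.compare_digest(expected, str(code).encode()):
            return True
    return False


# Constructed demo account: a PBKDF2 password hash plus a per-user TOTP seed.
SALT = b"demo-salt-not-for-production"
USER = {
    "password_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse", SALT, 100_000),
    "totp_secret": b"12345678901234567890",  # RFC 6238 test key
}


def login(password, code=None, now=None):
    """Both factors must pass: a stolen password without a valid code is rejected.

    The password check is evaluated first but never returns early, so a wrong
    password and a missing code take the same path."""
    now = int(time.time()) if now is None else now
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)
    password_ok = hmac.compare_digest(candidate, USER["password_hash"])
    code_ok = code is not None and verify_totp(USER["totp_secret"], code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    t = 59  # RFC 6238 test time: interval 1, six-digit code 287082
    print("password only:  ", login("correct horse", now=t))
    print("password + TOTP:", login("correct horse", totp(USER["totp_secret"], t), now=t))
```

The `skew` window is the reason a relayed code still works for an attacker who forwards it within about a minute: the code is valid for whichever party presents it first, which is what a real-time phishing proxy exploits and what origin-bound authenticators such as FIDO2 keys prevent.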


189. How do attackers use LinkedIn for social engineering?

A) By impersonating recruiters and sending fake job offers
B) By gathering information about employees for spear phishing
C) By sending malicious links through direct messages
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: LinkedIn is often exploited for phishing, reconnaissance, and impersonation scams.


190. What should you do if you receive an unsolicited email asking for confidential information?

A) Reply asking for more details
B) Click the link to verify if it is real
C) Report it to IT/security and do not respond
D) Forward it to a friend for advice

✅ Answer: C) Report it to IT/security and do not respond
💡 Explanation: Reporting phishing emails helps organizations take action and prevent attacks.


191. What is a “rogue insider” in a social engineering attack?

A) An employee who intentionally assists cybercriminals
B) A hacker who gains access through brute force
C) A fake job applicant
D) A victim of phishing

✅ Answer: A) An employee who intentionally assists cybercriminals
💡 Explanation: Rogue insiders work within an organization to steal data, manipulate employees, or assist attackers.


192. How do attackers use voicemail for social engineering?

A) By leaving urgent voicemails pretending to be from IT support
B) By sending ransomware through voicemail systems
C) By exploiting voicemail servers
D) By hacking into corporate conference calls

✅ Answer: A) By leaving urgent voicemails pretending to be from IT support
💡 Explanation: Attackers use voicemail phishing (vishing) to convince victims to call back and reveal information.


193. How do social engineers use deepfake audio?

A) To impersonate executives and request wire transfers
B) To encrypt data and demand ransom
C) To disable security software
D) To gain access to corporate Wi-Fi

✅ Answer: A) To impersonate executives and request wire transfers
💡 Explanation: Deepfake audio allows attackers to mimic voices, tricking victims into transferring funds.


194. Why is open-source intelligence (OSINT) useful for social engineering attacks?

A) It helps attackers gather personal and professional details about a target
B) It allows attackers to brute-force passwords
C) It enables direct access to corporate networks
D) It encrypts phishing emails

✅ Answer: A) It helps attackers gather personal and professional details about a target
💡 Explanation: OSINT allows attackers to research targets, making phishing and impersonation attacks more convincing.


195. What is the purpose of “fake news” in social engineering attacks?

A) To spread misinformation and manipulate public perception
B) To launch denial-of-service attacks
C) To inject malicious code into websites
D) To disable antivirus software

✅ Answer: A) To spread misinformation and manipulate public perception
💡 Explanation: Fake news is used to manipulate opinions, create panic, or spread propaganda.


196. How do attackers use fake online surveys?

A) To collect personal information
B) To steal login credentials
C) To distribute malware
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Fake surveys can be used to harvest data, steal credentials, or distribute malware.


197. What is a major red flag in a phishing email?

A) Requests for personal or financial information
B) Links to a website with a slightly misspelled domain
C) Emails with urgent or threatening language
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Phishing emails use urgency, misleading URLs, and requests for sensitive data to deceive victims.
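The lookalike sender address from question 165, the email filtering from question 171 and the misspelled domain above are one check seen from three angles. As an added example that is not code from the original quiz, the following script reads the real address out of a From: header, folds a domain so that common character substitutions collapse onto the genuine name, and catches the trick of placing a trusted name in front of an attacker-controlled suffix. It goes a little beyond the misspelled-domain case in the quiz by also folding accented Unicode and flagging subdomain abuse. TRUSTED and the sample headers are constructed for the demo.

```python
"""Spot lookalike sender and link domains before a human has to.

Added example, not code from the original quiz.  TRUSTED and the sample
headers are constructed for the demo; a real deployment would load the
organisation's own domains and those of its key suppliers.
"""
import unicodedata
from email.utils import parseaddr

TRUSTED = {"example.com", "payroll-example.com"}

# Single characters commonly swapped for look-alikes, and letter pairs that
# render almost identically in many fonts (rn -> m, vv -> w, cl -> d).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MULTI = [("rn", "m"), ("vv", "w"), ("cl", "d")]


def skeleton(domain):
    """Fold a domain so visually similar names collide.

    NFKD plus an ASCII fold strips accents; characters that do not decompose
    (e.g. Cyrillic look-alikes) are dropped, which still pulls the result to
    within edit distance of the genuine name."""
    folded = unicodedata.normalize("NFKD", domain.lower())
    folded = folded.encode("ascii", "ignore").decode()
    folded = folded.translate(HOMOGLYPHS)
    for src, dst in MULTI:
        folded = folded.replace(src, dst)
    return folded


def edit_distance(a, b):
    """Levenshtein distance via the classic two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, trusted=TRUSTED):
    """Return 'trusted', 'subdomain-abuse', 'lookalike' or 'unrelated'."""
    domain = domain.lower().rstrip(".")
    if domain in trusted or any(domain.endswith("." + t) for t in trusted):
        return "trusted"
    # example.com.attacker.test: the trusted name is a prefix, not the suffix
    if any(domain.startswith(t + ".") or ("." + t + ".") in domain for t in trusted):
        return "subdomain-abuse"
    sk = skeleton(domain)
    if any(edit_distance(sk, skeleton(t)) <= 1 for t in trusted):
        return "lookalike"
    return "unrelated"


def sender_domain(header_value):
    """Domain of the address a reply would actually go to, ignoring the display name."""
    _, addr = parseaddr(header_value)
    return addr.rpartition("@")[2].lower()


if __name__ == "__main__":
    for hdr in ('"CEO" <ceo@examp1e.com>',
                "Payroll <hr@example.com.attacker.test>",
                "IT Helpdesk <it@exarnple.com>",
                "Vendor <ap@payroll-example.com>"):
        print(f"{hdr:45} -> {classify(sender_domain(hdr))}")
```

A verdict of `lookalike` or `subdomain-abuse` is a reason to quarantine or banner the message, not proof of fraud on its own; the edit-distance threshold of 1 keeps unrelated short names such as `sample.com` from matching `example.com`.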


198. What should you do if you accidentally click a phishing link?

A) Change your password immediately
B) Report the incident to IT/security
C) Scan your device for malware
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Responding quickly limits the damage: change the password for that account (and anywhere it was reused), report the incident so IT/security can revoke active sessions and check for other recipients, and scan the device for malware.


199. How do attackers use fake “security alerts” in social engineering?

A) To trick users into clicking malicious links
B) To install keyloggers on devices
C) To steal login credentials
D) All of the above

✅ Answer: D) All of the above
💡 Explanation: Fake security alerts trick victims into giving up credentials or downloading malware.


200. What is the best way to prevent social engineering attacks?

A) Continuous security awareness training
B) Blocking all external emails
C) Only using encrypted messaging
D) Frequently changing Wi-Fi passwords

✅ Answer: A) Continuous security awareness training
💡 Explanation: Regular training helps employees recognize and respond to social engineering tactics.