Phishing Social Engineering MCQ With Answers (2026)
PerfectNotes TeamUpdated: May 2026~15 min practice 60 Questions ยท 3 Levels 60 Questions ยท 3 Levels
Phishing & Social Engineering MCQ practice questions are essential for preparing for competitive exams, certifications, and technical interviews. This comprehensive MCQ platform provides 60 carefully curated practice questions covering every attack type from email phishing, spear phishing, and whaling through vishing, smishing, BEC fraud, pretexting, baiting, tailgating, and advanced techniques such as AiTM proxy attacks, SIM swapping, and consent phishing.
These questions are organized into three progressive difficulty levels of 20 questions each: Basics (covering phishing types, red flags, vishing vs. smishing, pretexting, tailgating, and email authentication fundamentals), Concepts (covering DMARC/DKIM/SPF, spear phishing with OSINT, BEC, typosquatting, pharming, and watering hole attacks), and Advanced (covering AiTM proxy attacks, SIM swapping, BitB attacks, IPFS phishing, HTML smuggling, consent phishing, and MFA bypass techniques). Each question includes a verified, in-depth explanation to reinforce learning.
Practice in Study Mode to reveal answers and detailed explanations instantly, or use Exam Mode for timed testing and real-time scoring to simulate CompTIA Security+, CEH, and CISSP exam conditions.
Contents
- 1.Basics (20 Questions)Phishing types ยท red flags ยท vishing vs. smishing ยท pretexting ยท tailgating
- 2.Concepts (20 Questions)DMARC/DKIM/SPF ยท spear phishing with OSINT ยท BEC ยท typosquatting ยท pharming
- 3.Advanced (20 Questions)AiTM proxy ยท SIM swapping ยท BitB attacks ยท IPFS phishing ยท HTML smuggling
- 4.Conclusionsummary ยท next steps ยท study tips
- 5.Key Takeawaysquick-fire bullet recap of essential facts
- 6.Quick Review Summaryconcept ยท definition ยท key fact table
- 7.FAQcommon questions answered
Phishing & Social Engineering โ Basics
1What is the core definition of Social Engineering in the context of cybersecurity?
CorrectC: Manipulating individuals into divulging confidential information or performing actions that compromise security
Social Engineering is the art of psychologically manipulating people into performing actions or divulging confidential information โ it targets the human element rather than technical vulnerabilities.
IncorrectC: Manipulating individuals into divulging confidential information or performing actions that compromise security
Social Engineering is the art of psychologically manipulating people into performing actions or divulging confidential information โ it targets the human element rather than technical vulnerabilities.
2What distinguishes "Spear Phishing" from standard phishing?
CorrectB: It is highly targeted, customized research directed at a specific individual or organization
Spear Phishing is a targeted variant of phishing where the attacker researches the specific victim โ using their name, role, colleagues, or recent activities โ to craft a highly convincing and personalized lure.
IncorrectB: It is highly targeted, customized research directed at a specific individual or organization
Spear Phishing is a targeted variant of phishing where the attacker researches the specific victim โ using their name, role, colleagues, or recent activities โ to craft a highly convincing and personalized lure.
3What is the specific social engineering attack vector known as "Vishing"?
CorrectA: Conducting phishing attempts over voice calls or VoIP networks
Vishing (Voice Phishing) involves using phone calls or VoIP to trick victims into revealing sensitive information, often by impersonating bank fraud departments, IRS agents, or IT support personnel.
IncorrectA: Conducting phishing attempts over voice calls or VoIP networks
Vishing (Voice Phishing) involves using phone calls or VoIP to trick victims into revealing sensitive information, often by impersonating bank fraud departments, IRS agents, or IT support personnel.
4What is "Smishing"?
CorrectD: A phishing attack carried out via SMS text messaging
Smishing (SMS Phishing) uses text messages to deceive victims into clicking malicious links or calling fraudulent numbers โ often impersonating delivery services, banks, or government agencies.
IncorrectD: A phishing attack carried out via SMS text messaging
Smishing (SMS Phishing) uses text messages to deceive victims into clicking malicious links or calling fraudulent numbers โ often impersonating delivery services, banks, or government agencies.
5Which term describes a highly targeted phishing attack aimed specifically at C-suite executives or high-ranking officials?
CorrectC: Whaling
Whaling targets high-value executives (CEOs, CFOs, board members) because their authority and access make them prime targets. A successful whaling attack against a CFO can authorize large fraudulent wire transfers.
IncorrectC: Whaling
Whaling targets high-value executives (CEOs, CFOs, board members) because their authority and access make them prime targets. A successful whaling attack against a CFO can authorize large fraudulent wire transfers.
6What physical social engineering attack involves an unauthorized person closely following an authorized employee through a secure door?
CorrectB: Tailgating
Tailgating is a physical security breach where an unauthorized person follows closely behind an authorized employee into a restricted area, exploiting politeness or inattentiveness to bypass access control.
IncorrectB: Tailgating
Tailgating is a physical security breach where an unauthorized person follows closely behind an authorized employee into a restricted area, exploiting politeness or inattentiveness to bypass access control.
7What does the social engineering technique of "Baiting" involve?
CorrectA: Leaving malware-infected physical media (like a USB drive) in a public place hoping a victim will plug it in
Baiting exploits human curiosity by leaving infected USB drives in parking lots, lobbies, or break rooms. Studies have shown that a high percentage of people will plug in found USB drives โ potentially deploying malware automatically.
IncorrectA: Leaving malware-infected physical media (like a USB drive) in a public place hoping a victim will plug it in
Baiting exploits human curiosity by leaving infected USB drives in parking lots, lobbies, or break rooms. Studies have shown that a high percentage of people will plug in found USB drives โ potentially deploying malware automatically.
8What does "Pretexting" involve in a social engineering attack?
CorrectD: Creating a fabricated, elaborate scenario to manipulate a target into providing sensitive information
Pretexting involves constructing a believable fictional scenario (the "pretext") โ such as posing as an auditor, a new vendor, or an IT technician โ to extract sensitive information or gain unauthorized access.
IncorrectD: Creating a fabricated, elaborate scenario to manipulate a target into providing sensitive information
Pretexting involves constructing a believable fictional scenario (the "pretext") โ such as posing as an auditor, a new vendor, or an IT technician โ to extract sensitive information or gain unauthorized access.
9What is the primary objective of "Dumpster Diving" in security reconnaissance?
CorrectA: Searching through physical trash for discarded sensitive documents, organizational charts, or hardware
Dumpster Diving involves physically searching through an organization's discarded trash to find sensitive documents like employee directories, network diagrams, printed passwords, or decommissioned hardware with residual data.
IncorrectA: Searching through physical trash for discarded sensitive documents, organizational charts, or hardware
Dumpster Diving involves physically searching through an organization's discarded trash to find sensitive documents like employee directories, network diagrams, printed passwords, or decommissioned hardware with residual data.
10What is a common psychological trigger exploited in mass-phishing emails?
CorrectB: Creating a false sense of urgency or impending consequence (e.g., "Account suspended in 24 hours")
Urgency is one of the most effective psychological triggers โ messages like "Your account will be locked in 24 hours" or "Immediate action required" bypass rational thinking and push victims to act quickly without scrutinizing the email.
IncorrectB: Creating a false sense of urgency or impending consequence (e.g., "Account suspended in 24 hours")
Urgency is one of the most effective psychological triggers โ messages like "Your account will be locked in 24 hours" or "Immediate action required" bypass rational thinking and push victims to act quickly without scrutinizing the email.
11What does the term "Shoulder Surfing" refer to?
CorrectC: Covertly observing someone typing a password or viewing sensitive data on their screen
Shoulder Surfing is the act of covertly watching someone enter a PIN, password, or view confidential data on their screen โ possible in crowded public spaces like coffee shops, airports, and ATMs.
IncorrectC: Covertly observing someone typing a password or viewing sensitive data on their screen
Shoulder Surfing is the act of covertly watching someone enter a PIN, password, or view confidential data on their screen โ possible in crowded public spaces like coffee shops, airports, and ATMs.
12Which of the following is a classic indicator of a mass-phishing email?
CorrectA: Generic greetings like "Dear Customer" instead of using the recipient's actual name
Generic salutations like "Dear Customer" or "Dear User" are a hallmark of mass phishing because attackers send bulk emails without knowing the recipients' names, unlike legitimate service providers who personalize communications.
IncorrectA: Generic greetings like "Dear Customer" instead of using the recipient's actual name
Generic salutations like "Dear Customer" or "Dear User" are a hallmark of mass phishing because attackers send bulk emails without knowing the recipients' names, unlike legitimate service providers who personalize communications.
13What is the primary goal of a "credential harvesting" phishing campaign?
CorrectD: To trick users into entering their usernames and passwords into a fraudulent portal
Credential harvesting aims to capture login credentials by directing victims to a convincing clone of a legitimate login page โ the stolen credentials are then used for account takeover, lateral movement, or resale on dark web markets.
IncorrectD: To trick users into entering their usernames and passwords into a fraudulent portal
Credential harvesting aims to capture login credentials by directing victims to a convincing clone of a legitimate login page โ the stolen credentials are then used for account takeover, lateral movement, or resale on dark web markets.
14In the psychology of social engineering, what does the principle of "Authority" refer to?
CorrectB: Impersonating a figure of power, like an IT admin or law enforcement officer, to compel compliance
The Authority principle (from Dr. Robert Cialdini's influence model) states that people tend to comply with requests from perceived authority figures โ attackers exploit this by impersonating executives, auditors, law enforcement, or IT administrators.
IncorrectB: Impersonating a figure of power, like an IT admin or law enforcement officer, to compel compliance
The Authority principle (from Dr. Robert Cialdini's influence model) states that people tend to comply with requests from perceived authority figures โ attackers exploit this by impersonating executives, auditors, law enforcement, or IT administrators.
15What does a "Quid Pro Quo" social engineering attack involve?
CorrectD: Offering a benefit or service in exchange for information or access, such as pretending to be IT support fixing a non-existent issue
Quid Pro Quo attacks offer something of value โ typically fake IT assistance โ in exchange for credentials or system access. An attacker might cold-call employees offering free technical support, eventually requesting login credentials to "diagnose" the problem.
IncorrectD: Offering a benefit or service in exchange for information or access, such as pretending to be IT support fixing a non-existent issue
Quid Pro Quo attacks offer something of value โ typically fake IT assistance โ in exchange for credentials or system access. An attacker might cold-call employees offering free technical support, eventually requesting login credentials to "diagnose" the problem.
16Why do attackers frequently utilize URL shorteners (like bit.ly or tinyurl) in phishing campaigns?
CorrectA: They conceal the actual destination URL from the victim and basic email filters
URL shorteners mask the true destination of a malicious link โ a victim sees a short benign-looking URL rather than something suspicious. This also helps bypass naive email filters that block known malicious domains by pattern matching.
IncorrectA: They conceal the actual destination URL from the victim and basic email filters
URL shorteners mask the true destination of a malicious link โ a victim sees a short benign-looking URL rather than something suspicious. This also helps bypass naive email filters that block known malicious domains by pattern matching.
17What is the easiest and safest way for a user to verify a suspicious hyperlink in an email without executing it?
CorrectC: Hovering the mouse cursor over the link to inspect the true destination address in the browser/email client status bar
Hovering over a hyperlink (without clicking) reveals the actual destination URL in the status bar of the browser or email client. This simple action can immediately expose mismatches between the displayed text and the true target.
IncorrectC: Hovering the mouse cursor over the link to inspect the true destination address in the browser/email client status bar
Hovering over a hyperlink (without clicking) reveals the actual destination URL in the status bar of the browser or email client. This simple action can immediately expose mismatches between the displayed text and the true target.
18What is the defining characteristic of a "Pharming" attack?
CorrectB: Redirecting users to a fraudulent website even if they typed the correct URL, often via DNS poisoning or local host file modification
Pharming is more insidious than phishing because users can be redirected to a fraudulent site even when they type the correct address. This is achieved by poisoning DNS caches or modifying the local hosts file, making it invisible to the naked eye.
IncorrectB: Redirecting users to a fraudulent website even if they typed the correct URL, often via DNS poisoning or local host file modification
Pharming is more insidious than phishing because users can be redirected to a fraudulent site even when they type the correct address. This is achieved by poisoning DNS caches or modifying the local hosts file, making it invisible to the naked eye.
19Why are social engineering attacks consistently successful despite heavy investments in technical perimeter defenses?
CorrectC: They exploit human psychology, curiosity, and trust rather than relying solely on software vulnerabilities
Technical defenses like firewalls, IDS, and antivirus protect against automated attacks, but social engineering bypasses all of them by targeting the human layer โ exploiting cognitive biases, emotions, and trust. Humans are consistently the weakest link in the security chain.
IncorrectC: They exploit human psychology, curiosity, and trust rather than relying solely on software vulnerabilities
Technical defenses like firewalls, IDS, and antivirus protect against automated attacks, but social engineering bypasses all of them by targeting the human layer โ exploiting cognitive biases, emotions, and trust. Humans are consistently the weakest link in the security chain.
20What defines an "Attachment-based" phishing attack?
CorrectD: Sending an email with a malicious payload disguised as an invoice, receipt, or resume
Attachment-based phishing delivers malware through email attachments โ typically disguised as business documents such as invoices (.pdf), resumes (.docx), or financial statements (.xls) โ which execute a payload when opened.
IncorrectD: Sending an email with a malicious payload disguised as an invoice, receipt, or resume
Attachment-based phishing delivers malware through email attachments โ typically disguised as business documents such as invoices (.pdf), resumes (.docx), or financial statements (.xls) โ which execute a payload when opened.
Phishing & Social Engineering โ Concepts
1What is "Typosquatting" (also known as URL Hijacking)?
CorrectB: Registering a domain name very similar to a legitimate one (e.g., gogle.com), hoping users make a typing error
Typosquatting registers domains that are one-character typos or misspellings of popular sites (e.g., "amazzon.com", "paypa1.com") โ users who mistype the URL land on a malicious or misleading page, often a clone of the legitimate site.
IncorrectB: Registering a domain name very similar to a legitimate one (e.g., gogle.com), hoping users make a typing error
Typosquatting registers domains that are one-character typos or misspellings of popular sites (e.g., "amazzon.com", "paypa1.com") โ users who mistype the URL land on a malicious or misleading page, often a clone of the legitimate site.
2How does a "Watering Hole" attack operate?
CorrectD: Compromising a specific, legitimate website that the targeted group frequently visits to infect them with malware
A Watering Hole attack compromises a website frequently visited by the intended victims (e.g., an industry forum, trade association site) and injects malware so that visitors from the target organization are automatically infected โ bypassing direct email-based defenses.
IncorrectD: Compromising a specific, legitimate website that the targeted group frequently visits to infect them with malware
A Watering Hole attack compromises a website frequently visited by the intended victims (e.g., an industry forum, trade association site) and injects malware so that visitors from the target organization are automatically infected โ bypassing direct email-based defenses.
3What is Business Email Compromise (BEC)?
CorrectA: Compromising legitimate corporate email accounts to conduct unauthorized wire transfers, invoice fraud, or data theft
BEC is a sophisticated financially motivated attack where criminals compromise or spoof business email accounts to trick employees โ typically in finance or HR โ into transferring funds, redirecting payroll, or sharing sensitive data. The FBI estimates BEC losses in the billions annually.
IncorrectA: Compromising legitimate corporate email accounts to conduct unauthorized wire transfers, invoice fraud, or data theft
BEC is a sophisticated financially motivated attack where criminals compromise or spoof business email accounts to trick employees โ typically in finance or HR โ into transferring funds, redirecting payroll, or sharing sensitive data. The FBI estimates BEC losses in the billions annually.
4In the context of pre-attack reconnaissance, what does OSINT stand for?
CorrectC: Open-Source Intelligence
Open-Source Intelligence (OSINT) refers to the collection and analysis of publicly available information โ from social media, LinkedIn, company websites, WHOIS records, and public databases โ to build a detailed profile of a target before an attack.
IncorrectC: Open-Source Intelligence
Open-Source Intelligence (OSINT) refers to the collection and analysis of publicly available information โ from social media, LinkedIn, company websites, WHOIS records, and public databases โ to build a detailed profile of a target before an attack.
5How do attackers utilize OSINT to facilitate Spear Phishing?
CorrectB: By gathering publicly available information from social media and corporate websites to craft highly convincing, personalized emails
Attackers use OSINT to learn the victim's name, role, colleagues, recent projects, travel plans, and organizational structure โ all gleaned from LinkedIn, Twitter/X, press releases, and conference agendas โ enabling them to craft emails so convincing that even security-aware employees may be deceived.
IncorrectB: By gathering publicly available information from social media and corporate websites to craft highly convincing, personalized emails
Attackers use OSINT to learn the victim's name, role, colleagues, recent projects, travel plans, and organizational structure โ all gleaned from LinkedIn, Twitter/X, press releases, and conference agendas โ enabling them to craft emails so convincing that even security-aware employees may be deceived.
6What is a "Homograph Attack" in web spoofing?
CorrectD: Using visually indistinguishable characters from different alphabets (e.g., Cyrillic 'ะฐ' vs. Latin 'a') to forge a domain name
A Homograph (IDN Homograph) attack exploits the visual similarity of characters from different Unicode scripts. A domain like "ะฐpple.com" using the Cyrillic character "ะฐ" (U+0430) looks identical to "apple.com" in Latin but resolves to a completely different IP address.
IncorrectD: Using visually indistinguishable characters from different alphabets (e.g., Cyrillic 'ะฐ' vs. Latin 'a') to forge a domain name
A Homograph (IDN Homograph) attack exploits the visual similarity of characters from different Unicode scripts. A domain like "ะฐpple.com" using the Cyrillic character "ะฐ" (U+0430) looks identical to "apple.com" in Latin but resolves to a completely different IP address.
7Which protocol helps prevent email spoofing by allowing domain owners to specify which IP addresses or mail servers are authorized to send email on behalf of their domain?
CorrectA: SPF (Sender Policy Framework)
SPF (Sender Policy Framework) is a DNS TXT record that lists all IP addresses and mail servers authorized to send email from a domain. Receiving mail servers check SPF to verify the sender's identity, helping detect and reject spoofed emails.
IncorrectA: SPF (Sender Policy Framework)
SPF (Sender Policy Framework) is a DNS TXT record that lists all IP addresses and mail servers authorized to send email from a domain. Receiving mail servers check SPF to verify the sender's identity, helping detect and reject spoofed emails.
8What is the specific purpose of DKIM (DomainKeys Identified Mail) in email security?
CorrectC: To affix a digital cryptographic signature to emails, ensuring the message headers and body were not altered in transit
DKIM adds a digital signature (using asymmetric cryptography) to outgoing emails โ the public key is published in DNS. Receiving servers verify the signature to confirm that the email was not tampered with after leaving the sending server, providing email integrity.
IncorrectC: To affix a digital cryptographic signature to emails, ensuring the message headers and body were not altered in transit
DKIM adds a digital signature (using asymmetric cryptography) to outgoing emails โ the public key is published in DNS. Receiving servers verify the signature to confirm that the email was not tampered with after leaving the sending server, providing email integrity.
9What is "Reverse Social Engineering"?
CorrectD: Tricking the victim into initiating contact with the attacker, often by creating a fabricated problem first (e.g., breaking a network connection and leaving a fake IT support number)
In Reverse Social Engineering, the attacker sets up a situation where the victim believes they have a problem and voluntarily contacts the attacker's fake helpdesk. Because the victim initiated contact, they have a higher trust level and are more willing to follow instructions.
IncorrectD: Tricking the victim into initiating contact with the attacker, often by creating a fabricated problem first (e.g., breaking a network connection and leaving a fake IT support number)
In Reverse Social Engineering, the attacker sets up a situation where the victim believes they have a problem and voluntarily contacts the attacker's fake helpdesk. Because the victim initiated contact, they have a higher trust level and are more willing to follow instructions.
10Which psychological principle (defined by Dr. Robert Cialdini) is an attacker exploiting when they state, "Only 5 spots left for this exclusive IT training program"?
CorrectA: Scarcity
The Scarcity principle states that people assign more value to things that are rare or diminishing. Artificial scarcity ("limited spots", "offer expires tonight") forces quick decisions, bypassing careful evaluation โ a cornerstone technique in social engineering and fraudulent marketing.
IncorrectA: Scarcity
The Scarcity principle states that people assign more value to things that are rare or diminishing. Artificial scarcity ("limited spots", "offer expires tonight") forces quick decisions, bypassing careful evaluation โ a cornerstone technique in social engineering and fraudulent marketing.
11How does DMARC (Domain-based Message Authentication, Reporting, and Conformance) function?
CorrectB: It uses SPF and DKIM evaluations to provide instructions to the receiving mail server on exactly how to handle emails that fail authentication
DMARC builds on SPF and DKIM by specifying a policy โ none (monitor), quarantine (spam folder), or reject (block) โ for emails that fail alignment checks. It also enables reporting so domain owners can monitor authentication failures and detect spoofing attempts.
IncorrectB: It uses SPF and DKIM evaluations to provide instructions to the receiving mail server on exactly how to handle emails that fail authentication
DMARC builds on SPF and DKIM by specifying a policy โ none (monitor), quarantine (spam folder), or reject (block) โ for emails that fail alignment checks. It also enables reporting so domain owners can monitor authentication failures and detect spoofing attempts.
12What is "Elicitation" in human intelligence gathering?
CorrectC: The subtle extraction of sensitive information during a seemingly normal, innocent, and unthreatening conversation
Elicitation is the professional intelligence technique of drawing out sensitive information through casual, natural conversation without the target realizing information is being extracted. Techniques include flattery, feigned ignorance, false statements to provoke corrections, and appeals to ego.
IncorrectC: The subtle extraction of sensitive information during a seemingly normal, innocent, and unthreatening conversation
Elicitation is the professional intelligence technique of drawing out sensitive information through casual, natural conversation without the target realizing information is being extracted. Techniques include flattery, feigned ignorance, false statements to provoke corrections, and appeals to ego.
13What makes SMS-based phishing (Smishing) particularly effective compared to traditional email phishing?
CorrectB: Mobile devices often truncate URLs, and users generally trust text messages more implicitly than emails
Smishing is effective because users inherently trust SMS more than email, mobile screens truncate long URLs hiding destination details, and SPAM filtering for SMS lags far behind email. This combination significantly lowers user scrutiny of suspicious messages.
IncorrectB: Mobile devices often truncate URLs, and users generally trust text messages more implicitly than emails
Smishing is effective because users inherently trust SMS more than email, mobile screens truncate long URLs hiding destination details, and SPAM filtering for SMS lags far behind email. This combination significantly lowers user scrutiny of suspicious messages.
14Which of the following is a common technique used in "CEO Fraud" (a subset of BEC)?
CorrectD: Spoofing the CEO's email address to order the finance department to urgently wire funds to a foreign supplier
CEO Fraud involves spoofing or compromising the CEO's email to instruct the CFO or finance team to wire funds urgently to a fraudulent account โ often with a social engineering pretext like an acquisition, a confidential deal, or a vendor emergency. The FBI estimates losses in the billions.
IncorrectD: Spoofing the CEO's email address to order the finance department to urgently wire funds to a foreign supplier
CEO Fraud involves spoofing or compromising the CEO's email to instruct the CFO or finance team to wire funds urgently to a fraudulent account โ often with a social engineering pretext like an acquisition, a confidential deal, or a vendor emergency. The FBI estimates losses in the billions.
15What is the primary physical defense mechanism used to prevent Tailgating?
CorrectA: Implementing mantrap doors or full-height turnstiles that physically only allow one person to pass through per authentication
Mantrap doors (double-door security vestibules) and full-height turnstiles are the most effective physical controls against tailgating โ they create an airlock-style entry point that physically cannot allow two people through simultaneously without a separate authentication event.
IncorrectA: Implementing mantrap doors or full-height turnstiles that physically only allow one person to pass through per authentication
Mantrap doors (double-door security vestibules) and full-height turnstiles are the most effective physical controls against tailgating โ they create an airlock-style entry point that physically cannot allow two people through simultaneously without a separate authentication event.
16How do modern attackers bypass standard SMS-based Multi-Factor Authentication (MFA) using social engineering?
CorrectC: By executing a SIM swapping attack, tricking the telecom provider into porting the victim's number to the attacker's SIM card
SIM Swapping (SIM Jacking) is a social engineering attack against the telecom company โ the attacker calls or visits a phone store, impersonates the victim using OSINT-gathered personal details, and convinces the provider to reassign the number to an attacker-controlled SIM, intercepting all MFA codes.
IncorrectC: By executing a SIM swapping attack, tricking the telecom provider into porting the victim's number to the attacker's SIM card
SIM Swapping (SIM Jacking) is a social engineering attack against the telecom company โ the attacker calls or visits a phone store, impersonates the victim using OSINT-gathered personal details, and convinces the provider to reassign the number to an attacker-controlled SIM, intercepting all MFA codes.
17What is "Piggybacking" in physical security, and how does it differ from Tailgating?
CorrectD: In piggybacking, the authorized person is aware of and intentionally allows the unauthorized person to follow them; in tailgating, the authorized person is unaware
The key distinction: in Tailgating the authorized employee is unaware they are being followed. In Piggybacking, the authorized person is aware but deliberately โ and often out of politeness โ holds the door open for the unauthorized individual, making it a willful violation of access control policy.
IncorrectD: In piggybacking, the authorized person is aware of and intentionally allows the unauthorized person to follow them; in tailgating, the authorized person is unaware
The key distinction: in Tailgating the authorized employee is unaware they are being followed. In Piggybacking, the authorized person is aware but deliberately โ and often out of politeness โ holds the door open for the unauthorized individual, making it a willful violation of access control policy.
18Which highly popular OSINT tool is commonly used by attackers (and defenders) to graphically map complex relationships between people, domains, networks, and email addresses?
CorrectC: Maltego
Maltego is a visual link-analysis tool that enables investigators and attackers to map the relationships between entities โ people, organizations, domains, IP addresses, and email addresses โ by querying OSINT data sources and displaying the results as an interactive graph.
IncorrectC: Maltego
Maltego is a visual link-analysis tool that enables investigators and attackers to map the relationships between entities โ people, organizations, domains, IP addresses, and email addresses โ by querying OSINT data sources and displaying the results as an interactive graph.
19What is the defining characteristic of a "Consent Phishing" (OAuth Phishing) attack?
CorrectB: Tricking the user into granting a malicious third-party application persistent, tokenized access to their cloud data (e.g., Microsoft 365 or Google Workspace)
Consent Phishing (OAuth Phishing) tricks users into clicking an "Authorize" button that grants a malicious app persistent OAuth access tokens โ bypassing MFA entirely because no password is captured. The attacker gains ongoing access to email, files, and calendar data.
IncorrectB: Tricking the user into granting a malicious third-party application persistent, tokenized access to their cloud data (e.g., Microsoft 365 or Google Workspace)
Consent Phishing (OAuth Phishing) tricks users into clicking an "Authorize" button that grants a malicious app persistent OAuth access tokens โ bypassing MFA entirely because no password is captured. The attacker gains ongoing access to email, files, and calendar data.
20In social engineering, what is the "Social Proof" (Consensus) principle?
CorrectA: Influencing a victim by making them believe that many of their peers or colleagues are already performing the requested action
Social Proof exploits the human tendency to conform to group behavior โ statements like "All your colleagues have already completed this mandatory update" or "90% of your department has enrolled" create pressure to comply to avoid being an outlier.
IncorrectA: Influencing a victim by making them believe that many of their peers or colleagues are already performing the requested action
Social Proof exploits the human tendency to conform to group behavior โ statements like "All your colleagues have already completed this mandatory update" or "90% of your department has enrolled" create pressure to comply to avoid being an outlier.
Phishing & Social Engineering โ Advanced
1What is the functional mechanism behind an AiTM (Adversary-in-the-Middle) phishing framework like Evilginx2?
CorrectA: It acts as a transparent reverse proxy, capturing both the user's plaintext credentials and the live, authenticated session cookie, successfully bypassing MFA
Evilginx2 and similar AiTM frameworks operate as transparent reverse proxies between the victim and the real website. The user authenticates normally (including MFA), but the framework captures the session cookie post-authentication โ making traditional MFA completley ineffective against this attack.
IncorrectA: It acts as a transparent reverse proxy, capturing both the user's plaintext credentials and the live, authenticated session cookie, successfully bypassing MFA
Evilginx2 and similar AiTM frameworks operate as transparent reverse proxies between the victim and the real website. The user authenticates normally (including MFA), but the framework captures the session cookie post-authentication โ making traditional MFA completley ineffective against this attack.
2In advanced phishing, how do attackers bypass Secure Email Gateways (SEGs) using the "Right-to-Left Override" (RTLO) Unicode character?
CorrectB: By flipping the display order of characters in an attachment's filename, masking a malicious executable (e.g., invoicefdp.exe) to appear as a harmless document (invoiceexe.pdf)
The Unicode RTLO character (U+202E) instructs text renderers to display subsequent characters in reverse order. By inserting it into a filename like "invoiceโฎfdp.exe", the OS and email client display it as "invoiceexe.pdf" โ a harmless-looking PDF โ while it is actually an executable.
IncorrectB: By flipping the display order of characters in an attachment's filename, masking a malicious executable (e.g., invoicefdp.exe) to appear as a harmless document (invoiceexe.pdf)
The Unicode RTLO character (U+202E) instructs text renderers to display subsequent characters in reverse order. By inserting it into a filename like "invoiceโฎfdp.exe", the OS and email client display it as "invoiceexe.pdf" โ a harmless-looking PDF โ while it is actually an executable.
3What is the primary threat vector of Deepfake audio technology in social engineering?
CorrectC: Synthesizing the voice of a trusted executive in real-time to verbally authorize fraudulent financial transactions over a phone call
AI-powered voice cloning (deepfake audio) can replicate the voice of a CEO or executive with only a few seconds of training audio from public sources like earnings calls or interviews. This enables attackers to vocally authorize wire transfers or demand credentials, providing a deeply convincing layer of authority to a vishing attack.
IncorrectC: Synthesizing the voice of a trusted executive in real-time to verbally authorize fraudulent financial transactions over a phone call
AI-powered voice cloning (deepfake audio) can replicate the voice of a CEO or executive with only a few seconds of training audio from public sources like earnings calls or interviews. This enables attackers to vocally authorize wire transfers or demand credentials, providing a deeply convincing layer of authority to a vishing attack.
4How does an attacker execute an "IdN (Internationalized Domain Name) Homograph Attack" that flawlessly bypasses traditional visual inspection?
CorrectD: By exploiting the Punycode transcription system (xn--), causing modern browsers to display a Cyrillic or Greek domain exactly like a Latin one
Internationalized Domain Names use Punycode (xn-- prefix) to represent non-ASCII characters in DNS. A domain registered with Cyrillic characters (e.g., ะฐpple.com = xn--pple-43d.com) renders legitimately in the browser address bar as "ะฐpple.com" โ visually identical to "apple.com" but pointing to an entirely different server.
IncorrectD: By exploiting the Punycode transcription system (xn--), causing modern browsers to display a Cyrillic or Greek domain exactly like a Latin one
Internationalized Domain Names use Punycode (xn-- prefix) to represent non-ASCII characters in DNS. A domain registered with Cyrillic characters (e.g., ะฐpple.com = xn--pple-43d.com) renders legitimately in the browser address bar as "ะฐpple.com" โ visually identical to "apple.com" but pointing to an entirely different server.
5In the context of DMARC alignment, what does "strict" SPF alignment mandate?
CorrectC: The Return-Path (Mail FROM) domain must exactly match the domain found in the visible From header
Under strict SPF alignment (aspf=s in the DMARC record), the RFC5321.MailFrom (Return-Path) domain must exactly match the RFC5322.From header domain. Relaxed alignment (aspf=r) permits subdomain matches. Strict alignment is a stronger control against sophisticated spoofing that exploits organizational subdomain differences.
IncorrectC: The Return-Path (Mail FROM) domain must exactly match the domain found in the visible From header
Under strict SPF alignment (aspf=s in the DMARC record), the RFC5321.MailFrom (Return-Path) domain must exactly match the RFC5322.From header domain. Relaxed alignment (aspf=r) permits subdomain matches. Strict alignment is a stronger control against sophisticated spoofing that exploits organizational subdomain differences.
6What characterizes a "Browser-in-the-Browser" (BitB) phishing attack?
CorrectA: Simulating an entirely fake, draggable browser window within the host webpage to perfectly spoof a legitimate SSO login popup and its URL bar
BitB attacks simulate a fully functional browser window โ complete with a convincing but fake URL bar showing "accounts.google.com" โ entirely within the DOM of the attacker's webpage using HTML/CSS/JavaScript. Users see what appears to be a legitimate SSO popup and willingly enter their credentials.
IncorrectA: Simulating an entirely fake, draggable browser window within the host webpage to perfectly spoof a legitimate SSO login popup and its URL bar
BitB attacks simulate a fully functional browser window โ complete with a convincing but fake URL bar showing "accounts.google.com" โ entirely within the DOM of the attacker's webpage using HTML/CSS/JavaScript. Users see what appears to be a legitimate SSO popup and willingly enter their credentials.
7How do advanced threat actors utilize the InterPlanetary File System (IPFS) in modern phishing campaigns?
CorrectB: By hosting decentralized, immutable phishing pages that cannot be easily taken down by traditional web hosting providers or domain registrars
IPFS (InterPlanetary File System) is a decentralized, peer-to-peer file system. Attackers host phishing pages on IPFS because the content is distributed across thousands of nodes โ there is no single hosting provider to receive a takedown notice, making the infrastructure extremely resilient.
IncorrectB: By hosting decentralized, immutable phishing pages that cannot be easily taken down by traditional web hosting providers or domain registrars
IPFS (InterPlanetary File System) is a decentralized, peer-to-peer file system. Attackers host phishing pages on IPFS because the content is distributed across thousands of nodes โ there is no single hosting provider to receive a takedown notice, making the infrastructure extremely resilient.
8Which advanced technique involves hiding malicious payloads or secondary staging URLs within the metadata or pixel data of a seemingly benign image attached to a phishing email?
CorrectD: Steganography
Steganography is the practice of concealing data within another file โ in this context, hiding a malicious URL, a C2 beacon configuration, or even a full payload binary inside the pixel data of an innocuous JPEG or PNG image. Since the image appears normal and the file has no obvious malicious signature, it bypasses many static scanners.
IncorrectD: Steganography
Steganography is the practice of concealing data within another file โ in this context, hiding a malicious URL, a C2 beacon configuration, or even a full payload binary inside the pixel data of an innocuous JPEG or PNG image. Since the image appears normal and the file has no obvious malicious signature, it bypasses many static scanners.
9What is "Device Code Phishing" (e.g., abusing Microsoft's OAuth 2.0 Device Authorization Grant)?
CorrectA: Tricking a victim into entering a short, provided alphanumeric code on their authenticated device, which grants the attacker's remote device full access to their cloud environment
Device Code Phishing abuses the OAuth 2.0 Device Authorization Flow โ designed for smart TVs that cannot open browsers. The attacker initiates a device auth request, gets a device_code and user_code, then sends the victim a phishing email asking them to visit the legitimate microsoft.com/devicelogin and enter the user_code โ granting the attacker's device a valid, persistent access token.
IncorrectA: Tricking a victim into entering a short, provided alphanumeric code on their authenticated device, which grants the attacker's remote device full access to their cloud environment
Device Code Phishing abuses the OAuth 2.0 Device Authorization Flow โ designed for smart TVs that cannot open browsers. The attacker initiates a device auth request, gets a device_code and user_code, then sends the victim a phishing email asking them to visit the legitimate microsoft.com/devicelogin and enter the user_code โ granting the attacker's device a valid, persistent access token.
10In advanced OSINT gathering, what is the primary function of the tool "theHarvester"?
CorrectC: To passively gather emails, subdomains, hosts, employee names, and open ports from various public search engines and data sources
theHarvester is a passive OSINT reconnaissance tool that aggregates information from public sources โ Google, Bing, LinkedIn, Shodan, DNSDumpster, and more โ to collect email addresses, subdomains, virtual hosts, and employee names without directly touching the target's infrastructure.
IncorrectC: To passively gather emails, subdomains, hosts, employee names, and open ports from various public search engines and data sources
theHarvester is a passive OSINT reconnaissance tool that aggregates information from public sources โ Google, Bing, LinkedIn, Shodan, DNSDumpster, and more โ to collect email addresses, subdomains, virtual hosts, and employee names without directly touching the target's infrastructure.
11How do attackers abuse "Open Redirect" vulnerabilities to increase the success rate of a phishing campaign?
CorrectB: By appending a malicious destination URL as a parameter to a highly trusted domain's URL, ensuring the initial link bypasses reputation filters
Open Redirect vulnerabilities allow attackers to craft URLs like "https://trusted-bank.com/redirect?url=https://evil.com" โ the initial domain is a legitimate, trusted site that bypasses email gateway reputation checks. Users who hover see only the trusted domain name and are more likely to click.
IncorrectB: By appending a malicious destination URL as a parameter to a highly trusted domain's URL, ensuring the initial link bypasses reputation filters
Open Redirect vulnerabilities allow attackers to craft URLs like "https://trusted-bank.com/redirect?url=https://evil.com" โ the initial domain is a legitimate, trusted site that bypasses email gateway reputation checks. Users who hover see only the trusted domain name and are more likely to click.
12What is the primary psychological exploit utilized in a "Watering Hole" attack that relies on the target navigating to the site naturally rather than clicking an email link?
CorrectD: The victim's pre-existing, implicit trust in a specific, frequently visited industry or community website
The genius of a Watering Hole attack is that it requires no direct contact with the victim โ it exploits the implicit trust the victim has already placed in a website they regularly visit. There is no suspicious email to scrutinize; the attack is delivered through a trusted, familiar channel.
IncorrectD: The victim's pre-existing, implicit trust in a specific, frequently visited industry or community website
The genius of a Watering Hole attack is that it requires no direct contact with the victim โ it exploits the implicit trust the victim has already placed in a website they regularly visit. There is no suspicious email to scrutinize; the attack is delivered through a trusted, familiar channel.
13Why do advanced phishing campaigns often present a legitimate CAPTCHA challenge before displaying the actual credential-harvesting form?
CorrectA: To prevent automated security scanners, web crawlers, and sandboxes from analyzing the underlying malicious payload
CAPTCHAs are used in phishing pages to block automated analysis โ sandbox environments, security crawlers, and URL reputation scanners cannot complete CAPTCHAs. By requiring human interaction for the CAPTCHA before loading the malicious form, the page remains invisible to automated threat intelligence platforms for longer.
IncorrectA: To prevent automated security scanners, web crawlers, and sandboxes from analyzing the underlying malicious payload
CAPTCHAs are used in phishing pages to block automated analysis โ sandbox environments, security crawlers, and URL reputation scanners cannot complete CAPTCHAs. By requiring human interaction for the CAPTCHA before loading the malicious form, the page remains invisible to automated threat intelligence platforms for longer.
14In a highly targeted social engineering attack, how is the "Ebbinghaus Principle of Liking" typically applied?
CorrectB: The attacker establishes rapport, mirrors behavior, and finds common ground with the target over several weeks to build deep trust before making a request
The Liking principle states that people are more easily influenced by those they like and trust. In advanced social engineering, attackers invest weeks or months building a relationship โ joining the same LinkedIn groups, commenting on posts, sharing interests โ before making a request, dramatically increasing compliance.
IncorrectB: The attacker establishes rapport, mirrors behavior, and finds common ground with the target over several weeks to build deep trust before making a request
The Liking principle states that people are more easily influenced by those they like and trust. In advanced social engineering, attackers invest weeks or months building a relationship โ joining the same LinkedIn groups, commenting on posts, sharing interests โ before making a request, dramatically increasing compliance.
15How do threat actors leverage "HTML Smuggling" in phishing attachments?
CorrectD: By dynamically constructing a malicious file entirely on the client-side using JavaScript and HTML5 Blobs, bypassing network perimeter static file inspection
HTML Smuggling encodes a malicious payload (e.g., a dropper executable) as a Base64 string inside an HTML attachment. When opened in a browser, JavaScript decodes the data and uses HTML5 Blob/createObjectURL to assemble the file on the client-side โ the malicious binary never traverses the network as a raw file, bypassing email gateway and proxy inspection.
IncorrectD: By dynamically constructing a malicious file entirely on the client-side using JavaScript and HTML5 Blobs, bypassing network perimeter static file inspection
HTML Smuggling encodes a malicious payload (e.g., a dropper executable) as a Base64 string inside an HTML attachment. When opened in a browser, JavaScript decodes the data and uses HTML5 Blob/createObjectURL to assemble the file on the client-side โ the malicious binary never traverses the network as a raw file, bypassing email gateway and proxy inspection.
16What is the security implication of a domain's SPF record ending with ~all (SoftFail) instead of -all (HardFail)?
CorrectC: The receiving server will likely still accept the spoofed email, merely marking it as suspicious or routing it to the spam folder rather than rejecting it outright
SPF ~all (SoftFail) instructs the receiving server to accept but mark unauthorized emails โ often delivered to the spam folder. SPF -all (HardFail) instructs the server to reject them outright. SoftFail is weaker and can be abused: combined with a DMARC policy of none, spoofed emails may still reach the inbox.
IncorrectC: The receiving server will likely still accept the spoofed email, merely marking it as suspicious or routing it to the spam folder rather than rejecting it outright
SPF ~all (SoftFail) instructs the receiving server to accept but mark unauthorized emails โ often delivered to the spam folder. SPF -all (HardFail) instructs the server to reject them outright. SoftFail is weaker and can be abused: combined with a DMARC policy of none, spoofed emails may still reach the inbox.
17How does an attacker abuse "Calendar Phishing" (also known as Calendar Spam) in cloud enterprise environments?
CorrectD: By sending unauthenticated ICS meeting invites containing malicious links, which automatically populate and generate reminders on the victim's synchronized calendar
Calendar Phishing exploits the default behavior of Google Calendar and Microsoft Outlook to automatically add ICS-format meeting invites to a user's calendar, even from unknown senders. The invite contains a malicious link in the description โ generating reminders that repeatedly prompt the user to click.
IncorrectD: By sending unauthenticated ICS meeting invites containing malicious links, which automatically populate and generate reminders on the victim's synchronized calendar
Calendar Phishing exploits the default behavior of Google Calendar and Microsoft Outlook to automatically add ICS-format meeting invites to a user's calendar, even from unknown senders. The invite contains a malicious link in the description โ generating reminders that repeatedly prompt the user to click.
18What is the purpose of a "BIMI" (Brand Indicators for Message Identification) record in modern email security?
CorrectA: It allows organizations with strict DMARC enforcement to display their verified corporate logo next to their messages in supported email clients, building visual user trust
BIMI is a DNS-based standard that enables organizations with enforced DMARC policies to display their verified SVG logo in supported email clients (Gmail, Apple Mail, etc.). The visual brand mark helps recipients instantly identify legitimate emails โ reducing the success rate of spoofed emails that lack the logo.
IncorrectA: It allows organizations with strict DMARC enforcement to display their verified corporate logo next to their messages in supported email clients, building visual user trust
BIMI is a DNS-based standard that enables organizations with enforced DMARC policies to display their verified SVG logo in supported email clients (Gmail, Apple Mail, etc.). The visual brand mark helps recipients instantly identify legitimate emails โ reducing the success rate of spoofed emails that lack the logo.
19When countering advanced physical or voice-based (Vishing) social engineering, what is the purpose of a "Duress Word"?
CorrectB: A prearranged, covert code word used by an employee to signal to security that they are being coerced or that the caller is hostile
A Duress Word (or Duress Code) is a prearranged signal between an employee and their security team โ when spoken naturally in a conversation, it silently alerts security personnel that the employee is under duress, being coerced, or that the caller is fraudulent, without alerting the attacker.
IncorrectB: A prearranged, covert code word used by an employee to signal to security that they are being coerced or that the caller is hostile
A Duress Word (or Duress Code) is a prearranged signal between an employee and their security team โ when spoken naturally in a conversation, it silently alerts security personnel that the employee is under duress, being coerced, or that the caller is fraudulent, without alerting the attacker.
20How do advanced threat actors utilize "SEO Poisoning" to facilitate social engineering?
CorrectC: By manipulating search engine algorithms (using keywords and backlinking) to rank a malicious, spoofed website higher than the legitimate one for specific software downloads or portals
SEO Poisoning (also called Search Engine Poisoning) involves artificially boosting the search ranking of malicious websites so they appear above the legitimate results for popular software downloads or login portals. Users who believe they are downloading the genuine software instead receive trojanized installers โ combining social trust in Google search results with the appearance of a familiar site.
IncorrectC: By manipulating search engine algorithms (using keywords and backlinking) to rank a malicious, spoofed website higher than the legitimate one for specific software downloads or portals
SEO Poisoning (also called Search Engine Poisoning) involves artificially boosting the search ranking of malicious websites so they appear above the legitimate results for popular software downloads or login portals. Users who believe they are downloading the genuine software instead receive trojanized installers โ combining social trust in Google search results with the appearance of a familiar site.
Conclusion: Human-Centric Security
Phishing and social engineering exploit human psychology, not software vulnerabilities. No firewall or antivirus stops an employee from voluntarily handing over credentials under a well-crafted pretext. These 60 MCQs cover attack techniques (pretexting, vishing, BEC), red flags, organizational defenses (user education, technical controls), and incident response.
Build multi-layer defenses: combine user awareness training (phishing simulations, reporting culture), technical controls (DMARC enforcement, email gateways, MFA), and procedural controls (payment approval processes, callback verification). Users who know how to recognize and report attacks are your strongest last line of defense.
Key Takeaways โ Phishing & Social Engineering
- Phishing vs. Spear Phishing: Phishing = mass, generic; Spear phishing = targeted, personalized (higher success rate).
- Red Flags: Urgent language, mismatched sender/link URLs, poor grammar, requests for credentials or payment, unknown attachment.
- Social Engineering Exploits Psychology: Trust, authority, urgency, fear. Humans often easier target than code.
- BEC Bypasses Technical Controls: Attacker uses compromised executive email + social engineering to request wire transfer. No antivirus catches this. Prevention: MFA, separate payment approval process.
- Defense Requires Multiple Layers: User education (ongoing training), technical controls (email filtering, DMARC/SPF), MFA, incident response culture (safe to report).
- Urgency & Authority Kill Critical Thinking: Phishing exploits these cognitive biases. Pause, verify through secondary channel, never act immediately.
Quick Review & Summary
Use this summary table to consolidate key concepts before or after attempting the questions above.
| Attack Type | Method | Defense |
|---|---|---|
| Phishing | Mass emails with malicious links/attachments | Email filtering, DMARC/SPF, user training, sandboxing |
| Spear Phishing | Targeted email using personal details | Verify sender via secondary channel, scrutinize links, education |
| BEC | Compromised executive email requesting wire transfer | MFA, separate payment approval process, verify requests |
| Pretexting | False scenario to extract info from trusted contact | Verify identities, authentication protocols, awareness training |
| Vishing | Phone call impersonating authority figure | Verify caller ID via known number, hang up and call back |
| Baiting | Leave infected USB/device for discovery | Policy against plugging unknown devices, awareness training |
Frequently Asked Questions
Q. What is the difference between phishing and spear phishing?
Q. What is vishing?
Q. What is pretexting in social engineering?
Q. What makes spear phishing emails so effective?
Q. What is baiting in social engineering?
Q. How does security awareness training reduce social engineering risks?
Q. What is a whaling attack?
Struggling with some questions? Re-read the full Theory Guide: Phishing & Social Engineering