CCNA Social Engineering Attacks Questions

30 questions · Social Engineering Attacks · All types, answers revealed

1
MCQhard

An employee finds a USB drive labeled 'Employee Bonuses Q4' in the parking lot and plugs it into their work computer to see the contents. The computer immediately begins exhibiting erratic behavior. Which social engineering attack was executed?

A.Phishing
B.Pretexting
C.Baiting
D.Tailgating
AnswerC

Baiting uses an enticing item (like a labeled USB drive) to trick a victim into introducing malware into a system.

Why this answer

The correct answer is C, baiting. Baiting is a social engineering attack that uses a physical device (like a USB drive) or digital offer to lure a victim into taking an action that compromises security. In this scenario, the attacker left a USB drive labeled with an enticing file name ('Employee Bonuses Q4') in a public location, and the victim plugged it into their work computer, which then executed malicious code (e.g., autorun.inf or a malicious script) that caused erratic behavior.

This is a classic example of a physical baiting attack, distinct from phishing or pretexting which rely on digital communication or fabricated scenarios.

Exam trap

The trap here is that candidates often confuse baiting with phishing because both involve deception, but CompTIA A+ 220-1202 specifically tests the distinction that baiting uses a physical or digital lure (like a USB drive or free download) while phishing relies on electronic communication.

How to eliminate wrong answers

Option A is wrong because phishing is a social engineering attack delivered via electronic communication (e.g., email, SMS, or fake websites) that tricks the user into revealing credentials or clicking a malicious link, not by physically plugging in a USB drive. Option B is wrong because pretexting involves creating a fabricated scenario or false identity (e.g., impersonating IT support) to obtain information, not using a physical lure like a USB drive. Option D is wrong because tailgating (or piggybacking) is a physical security attack where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not involving a USB drive or computer interaction.

2
MCQmedium

A user reports receiving a phone call from someone claiming to be from 'Microsoft Support' saying their computer has a virus and asking for remote access to fix it. The user did not grant access. What type of attack was attempted?

A.Phishing
B.Vishing
C.Smishing
D.Pretexting
AnswerB

Vishing is voice phishing, using phone calls to deceive victims into granting remote access or revealing information.

Why this answer

This is a vishing (voice phishing) attack, a social engineering technique where the attacker uses phone calls to trick victims into providing sensitive information or remote access. Legitimate companies like Microsoft do not make unsolicited support calls.

3
MCQeasy

A new employee is setting up their workstation and receives a phone call from someone claiming to be from the IT department. The caller says there is a critical security update and needs the employee's login credentials to install it remotely. What social engineering principle is the attacker primarily exploiting?

A.Urgency
B.Scarcity
C.Authority
D.Social proof
AnswerC

Authority is the correct answer, as the attacker uses the perceived power of IT to gain compliance.

Why this answer

The attacker is impersonating IT staff, which leverages the principle of authority. By claiming to be from the IT department, the attacker exploits the employee's tendency to comply with perceived organizational authority, especially regarding security updates. This is a classic social engineering tactic where the attacker uses a trusted role to bypass security protocols.

Exam trap

CompTIA often tests the distinction between urgency and authority: candidates confuse the caller's demand for immediate action (urgency) with the underlying exploitation of the caller's claimed position (authority), but the question explicitly asks for the primary principle being exploited.

How to eliminate wrong answers

Option A is wrong because urgency involves creating a sense of immediate need (e.g., 'act now or your account will be locked'), but here the primary driver is the caller's claimed role, not a time pressure. Option B is wrong because scarcity involves limited availability (e.g., 'only a few licenses left'), which is not present in this scenario. Option D is wrong because social proof relies on others' behavior (e.g., 'everyone else is doing it'), whereas this attack uses a single authoritative figure.

4
MCQhard

A technician receives an email that appears to be from the company's HR department asking them to click a link to update their direct deposit information. The email contains several grammatical errors and the sender's domain is 'company-hr.com' instead of the official 'company.com'. What is the most effective way to confirm this is a phishing attempt?

A.Reply to the email asking for verification.
B.Click the link to see if it looks legitimate.
C.Forward the email to the company's security team for analysis.
D.Call the phone number listed in the email signature.
AnswerC

Forwarding to the security team allows experts to analyze headers, links, and other indicators to confirm phishing.

Why this answer

Option C is correct because forwarding the suspicious email to the company's security team allows trained analysts to inspect headers, attachments, and URLs in a sandboxed environment without exposing the technician to risk. This aligns with organizational incident response procedures for phishing, as the security team can verify the sender domain (e.g., SPF/DKIM/DMARC failures) and determine if the email is malicious.

Exam trap

CompTIA A+ exams often test the principle that verifying suspicious emails through official channels (e.g., security team) is safer than any direct interaction with the email's contents or contacts, and the trap here is that candidates may think calling a listed number is safe, but attackers can spoof phone numbers or use VoIP to appear legitimate.

How to eliminate wrong answers

Option A is wrong because replying to the email confirms the technician's address as active to the attacker and may trigger further targeted attacks; legitimate HR would not request sensitive updates via an unverified link. Option B is wrong because clicking the link could execute a drive-by download, redirect to a credential harvesting page, or install malware, even if the page appears legitimate. Option D is wrong because the phone number in the email signature is likely controlled by the attacker or spoofed, and calling it could lead to social engineering or verification of the technician's contact details.

5
MCQeasy

An employee finds a USB drive labeled 'Employee Salary Info Q4' in the parking lot. Out of curiosity, they plug it into their work computer to see the contents. What type of social engineering attack is this an example of?

A.Phishing
B.Tailgating
C.Baiting
D.Pretexting
AnswerC

Baiting exploits human curiosity or greed by offering something desirable. The USB drive with a tempting label is a classic baiting technique.

Why this answer

Option C is correct because baiting is a social engineering attack that exploits human curiosity or greed by offering something enticing, such as a USB drive labeled 'Employee Salary Info Q4.' When the employee plugs the USB into their work computer, they may inadvertently install malware (e.g., a keylogger or backdoor) that compromises the system. This attack relies on physical media as the delivery vector, distinguishing it from other social engineering methods.

Exam trap

CompTIA A+ often tests the distinction between baiting and phishing by emphasizing that baiting involves a physical lure (like a USB drive) while phishing is purely digital, causing candidates to confuse the two when the attack involves a digital payload.

How to eliminate wrong answers

Option A is wrong because phishing is a digital attack that uses deceptive emails, messages, or websites to trick users into revealing sensitive information, not physical USB drives. Option B is wrong because tailgating involves an unauthorized person physically following an authorized individual into a restricted area without proper authentication, not the use of a dropped USB drive. Option D is wrong because pretexting involves fabricating a scenario or identity (e.g., impersonating IT support) to obtain information, not leaving a physical device to exploit curiosity.

6
MCQmedium

A new employee receives an email that appears to be from the company's HR department, asking them to click a link to verify their direct deposit information for payroll. The email contains the company logo and looks professional. What is the most likely social engineering attack?

A.Whaling
B.Phishing
C.Vishing
D.Shoulder surfing
AnswerB

Phishing is a broad category of attacks that use deceptive emails to trick recipients into revealing sensitive information or clicking malicious links. This scenario is a classic phishing attempt.

Why this answer

Phishing is the correct answer because the attack uses a deceptive email that impersonates a legitimate entity (HR department) to trick the recipient into clicking a malicious link. This is a classic example of a broad, untargeted social engineering attack delivered via email, which is the defining characteristic of phishing.

Exam trap

The trap is that candidates may confuse phishing with whaling because both use email, but the key differentiator is the target: phishing is broad and untargeted, while whaling specifically targets high-level executives or individuals with privileged access. For example, an email targeting a CEO about a wire transfer is whaling, while an email targeting many employees about updating HR info is phishing.

How to eliminate wrong answers

Option A is wrong because whaling is a highly targeted form of phishing aimed at senior executives or high-value individuals, not a general employee receiving a mass-distributed email. Option C is wrong because vishing (voice phishing) is conducted over the phone using voice calls or VoIP, not through email. Option D is wrong because shoulder surfing involves directly observing someone's screen or keyboard to steal information, such as passwords, without any electronic communication.

7
MCQhard

A technician is investigating a data breach and discovers that an attacker obtained sensitive files by searching through the company's recycling bins. The bins contained printed reports with customer names and account numbers. What social engineering attack was used?

A.Tailgating
B.Shoulder surfing
C.Dumpster diving
D.Phishing
AnswerC

Dumpster diving is the correct term for retrieving information from discarded materials.

Why this answer

Dumpster diving is the physical act of searching through trash to find sensitive information. This attack relies on the failure to properly dispose of documents. Shredding or secure disposal policies are essential countermeasures.

8
MCQeasy

A receptionist holds the door for a person carrying a large box, assuming they work in the building. Later, that person is seen plugging a USB drive into a workstation in the finance department. Which social engineering technique was most likely used to gain initial access?

A.Phishing
B.Pretexting
C.Tailgating
D.Baiting
AnswerC

Tailgating occurs when an unauthorized person follows an authorized person into a restricted area without proper authentication.

Why this answer

The correct answer is C because tailgating involves an unauthorized person gaining physical access to a secure area by following an authorized individual. In this scenario, the receptionist held the door for the person carrying a large box, assuming they worked in the building, which allowed the attacker to bypass physical security controls without authentication.

Exam trap

The trap here is that candidates confuse tailgating with pretexting, as both involve deception, but tailgating specifically relies on physical proximity and social norms rather than a fabricated story or identity.

How to eliminate wrong answers

Option A is wrong because phishing is a digital social engineering technique that uses deceptive emails or messages to trick victims into revealing credentials or installing malware, not physical access. Option B is wrong because pretexting involves creating a fabricated scenario or identity to obtain information, such as impersonating IT support, but here the attacker simply followed someone in without a detailed story. Option D is wrong because baiting involves offering something enticing (e.g., a free USB drive) to lure a victim into compromising security, but the attacker in this case used physical proximity, not a lure.

9
MCQmedium

A technician is troubleshooting a printer issue and finds a sticky note under the keyboard with the domain admin password written on it. The user says they kept it there 'for convenience.' Which social engineering attack does this practice most enable?

A.Phishing
B.Shoulder surfing
C.Tailgating
D.Baiting
AnswerB

Shoulder surfing involves visually obtaining information like passwords; a sticky note in plain view makes this trivial.

Why this answer

The sticky note with the domain admin password under the keyboard directly enables shoulder surfing, where an attacker visually captures sensitive information (the password) by looking over the user's shoulder or at the exposed note. This is a physical social engineering attack that exploits the convenience of storing credentials in plain sight, bypassing any technical authentication controls.

Exam trap

The trap here is that candidates may confuse shoulder surfing with baiting because both involve physical access, but baiting requires an active lure (like a malicious USB drive) whereas shoulder surfing is purely passive observation of exposed information.

How to eliminate wrong answers

Option A is wrong because phishing is a digital social engineering attack that uses deceptive emails, messages, or websites to trick users into revealing credentials, not a physical note left under a keyboard. Option C is wrong because tailgating involves an unauthorized person following an authorized individual into a restricted area without proper authentication, not the exposure of written credentials. Option D is wrong because baiting involves offering something enticing (e.g., a USB drive labeled 'Confidential' or a free download) to lure a victim into executing malware or revealing information, not the passive discovery of a password on a sticky note.

10
MCQmedium

A technician is helping a customer configure a new laptop. The customer mentions they received a pop-up on their old computer warning of a virus and a phone number to call for support. The customer called the number and gave remote access to a 'technician' who then installed several programs. What social engineering attack occurred?

A.Shoulder surfing
B.Phishing
C.Tech support scam
D.Dumpster diving
AnswerC

Tech support scams specifically use fake alerts and phone calls to trick users into granting remote access.

Why this answer

This is a classic tech support scam, a form of social engineering where attackers use fake virus warnings to gain remote access. The pop-up is designed to scare the user into calling a fraudulent support number. Once access is granted, the attacker can install malware or steal data.

11
MCQhard

During a security audit, a technician discovers that an unauthorized person accessed a restricted server room by pretending to be a fire inspector. The person had a fake ID and clipboard. Which social engineering technique was used, and what is the best mitigation?

A.Tailgating; install mantraps at entrances.
B.Phishing; implement email filtering.
C.Pretexting; enforce visitor check-in and verification procedures.
D.Baiting; disable USB ports on workstations.
AnswerC

Pretexting uses a fabricated identity; verifying visitors against official records and requiring escorts prevents this.

Why this answer

The attacker used a fabricated identity (fake ID and clipboard) to create a false scenario—pretending to be a fire inspector—which is the hallmark of pretexting. The best mitigation is to enforce visitor check-in and verification procedures, such as requiring government-issued ID validation and escort policies, to prevent unauthorized access based on fabricated roles.

Exam trap

CompTIA often tests the distinction between pretexting and tailgating, where candidates confuse impersonation with simply following someone through a door; the trap here is that the fake ID and clipboard clearly indicate a fabricated identity (pretexting), not physical piggybacking.

How to eliminate wrong answers

Option A is wrong because tailgating involves an unauthorized person following an authorized person through a secured door without consent, not using a fake identity or pretext. Option B is wrong because phishing is a digital attack using fraudulent emails or messages to steal credentials, not an in-person impersonation with a fake ID. Option D is wrong because baiting involves offering something enticing (e.g., a free USB drive) to trick a victim into installing malware, not impersonating an authority figure to gain physical access.

12
MCQmedium

During a routine security audit, a technician discovers that an unknown person has been using a badge to enter the building after hours. The badge belongs to a former employee who left the company six months ago. Which type of social engineering attack likely enabled this unauthorized access?

A.Phishing
B.Tailgating
C.Dumpster diving
D.Shoulder surfing
AnswerB

Tailgating is the correct term for unauthorized physical access by following someone in, possibly with a stolen badge.

Why this answer

The correct answer is B, tailgating. This attack involves an unauthorized person physically following an authorized individual into a secured area without using their own credentials. In this scenario, the unknown person used a badge that belonged to a former employee, which indicates they likely gained entry by closely following someone else through a door or turnstile, exploiting the fact that the badge was not deactivated or that the access control system did not require re-authentication for each individual.

Exam trap

The trap here is that candidates often confuse tailgating with phishing or shoulder surfing because all involve deception, but tailgating is specifically a physical access attack that relies on bypassing authentication mechanisms through proximity, not digital or visual eavesdropping.

How to eliminate wrong answers

Option A is wrong because phishing is a digital social engineering attack that uses deceptive emails or messages to trick victims into revealing sensitive information or installing malware; it does not involve physical badge use or building entry. Option C is wrong because dumpster diving involves searching through trash for discarded documents or equipment containing sensitive information, not using a badge to enter a building. Option D is wrong because shoulder surfing is the act of looking over someone's shoulder to obtain passwords, PINs, or other confidential data; it does not involve using a physical badge to gain unauthorized physical access.

13
MCQhard

During a security audit, a technician finds that a user's workstation was infected with malware after the user inserted a USB drive found in the parking lot. The drive was labeled 'Employee Salary Info Q4'. What social engineering principle did the attacker exploit?

A.Scarcity
B.Baiting
C.Pretexting
D.Tailgating
AnswerB

Baiting is the correct term, as the attacker left a malicious device (the bait) to exploit the user's curiosity.

Why this answer

Baiting is the correct answer because the attacker exploited the victim's curiosity by leaving a malware-infected USB drive in a visible location, labeled with an enticing message ('Employee Salary Info Q4'). When the user inserted the drive, the malware executed automatically (e.g., via Autorun.inf in Windows), compromising the workstation. This is a classic baiting attack, which relies on offering something desirable to trick the victim into performing a risky action.

Exam trap

The trap here is that candidates confuse baiting with pretexting because both involve deception, but baiting specifically uses a physical lure (like a USB drive) to trigger an action, whereas pretexting relies on a fabricated story or identity to gain information.

How to eliminate wrong answers

Option A (Scarcity) is wrong because scarcity involves creating a false sense of urgency or limited availability (e.g., 'Only 5 licenses left!'), not leaving a physical device to be found. Option C (Pretexting) is wrong because pretexting requires the attacker to fabricate a false identity or scenario (e.g., pretending to be IT support) to extract information, not relying on the victim's curiosity about a found object. Option D (Tailgating) is wrong because tailgating involves an unauthorized person physically following an authorized person into a restricted area, not leaving a malicious device for the victim to pick up and use.

14
MCQeasy

A user calls the help desk, frantic because their banking app shows an unauthorized transfer of $500. They say they received a call earlier from 'bank security' asking them to install a remote access tool to 'verify their account'. What type of social engineering attack did the user fall victim to?

A.Phishing
B.Vishing
C.Smishing
D.Shoulder surfing
AnswerB

Vishing (voice phishing) uses phone calls to impersonate legitimate organizations and trick victims into revealing sensitive information or installing malware. This scenario perfectly matches that description.

Why this answer

The user received a phone call (voice channel) and was tricked into installing remote access software, which is the hallmark of vishing (voice phishing). Unlike phishing, which uses email or malicious links, vishing exploits telephone systems and social engineering to gain unauthorized access or sensitive information.

Exam trap

CompTIA A+ 220-1202 often tests the distinction between vishing and phishing by emphasizing the communication medium (voice call vs. email), so candidates mistakenly choose phishing when the attack vector is a phone call rather than a digital message.

How to eliminate wrong answers

Option A is wrong because phishing typically involves deceptive emails or websites that trick users into clicking a link or entering credentials, not a phone call requesting software installation. Option C is wrong because smishing uses SMS text messages to deliver malicious links or requests, not a live voice call. Option D is wrong because shoulder surfing relies on physically observing a user's screen or keystrokes, not a remote phone-based interaction.

15
MCQhard

A technician is troubleshooting a user's slow computer. The user mentions they received a call from 'Windows Support' saying their computer had a virus. The user gave the caller remote access to 'fix' it. Now, the computer is running slower and has strange pop-ups. What is the most likely consequence of this social engineering attack?

A.The computer is now part of a botnet used for DDoS attacks.
B.The attacker installed a keylogger to steal credentials and sensitive data.
C.The computer's BIOS has been corrupted.
D.The hard drive has been physically damaged.
AnswerB

A keylogger is a common payload in tech support scams. The attacker can capture passwords, banking info, and other sensitive data, leading to identity theft or financial loss.

Why this answer

The attacker gained remote access to the user's computer under the guise of tech support. Once in, they installed a keylogger to capture keystrokes, which is a common payload in such social engineering attacks. This allows the attacker to steal credentials, banking information, and other sensitive data, explaining the continued slow performance and pop-ups.

Exam trap

CompTIA A+ often tests the distinction between generic malware effects (like botnet membership) and the specific, high-value goal of credential theft in social engineering scenarios, leading candidates to choose a broader but less precise answer.

How to eliminate wrong answers

Option A is wrong because while a botnet infection is possible, the immediate and most likely consequence of a tech support scam is credential theft via a keylogger, not necessarily DDoS participation. Option C is wrong because BIOS corruption requires specific, targeted firmware-level access and is not a typical outcome of a remote desktop session; the attacker would need to reboot into a special mode or use a BIOS flashing tool. Option D is wrong because physical hard drive damage cannot occur through remote access; the symptoms are caused by malicious software, not hardware failure.

16
MCQmedium

A user reports that they received a voicemail from the company's HR director asking them to call back a number to verify their account details for payroll. The user is suspicious because the HR director is on vacation. What type of social engineering attack is this?

A.Smishing
B.Vishing
C.Pretexting
D.Pharming
AnswerB

Vishing is the correct term for voice-based phishing attacks via phone calls or voicemail.

Why this answer

Vishing (voice phishing) is the correct classification because the attack uses a phone call—specifically a voicemail—to trick the user into calling back and divulging sensitive payroll information. Unlike phishing via email or SMS, vishing exploits voice communication channels to bypass text-based security filters and create a false sense of urgency or authority.

Exam trap

The key differentiator between vishing and pretexting is the communication channel—vishing specifically involves voice (phone/voicemail), while pretexting can occur via any medium (email, in-person, etc.).

How to eliminate wrong answers

Option A is wrong because smishing uses SMS text messages, not voicemail or phone calls. Option C is wrong because pretexting is a broader social engineering technique that involves fabricating a scenario (pretext) to steal information, but the specific delivery method here—a voicemail requesting a callback—makes vishing the more precise term. Option D is wrong because pharming redirects users from legitimate websites to fraudulent ones by poisoning DNS caches or modifying host files, which does not involve direct voice communication.

17
MCQmedium

A customer complains that their computer is running slowly and they keep seeing pop-ups offering free antivirus software. They admit they clicked 'OK' on one pop-up. Which type of social engineering attack has likely occurred?

A.Phishing
B.Baiting
C.Pretexting
D.Shoulder surfing
AnswerB

Baiting uses an enticing offer (free antivirus) to trick the user into executing malware, often via pop-ups or physical media.

Why this answer

The correct answer is Baiting. In this scenario, the user clicked 'OK' on a pop-up offering free antivirus software, which is a classic baiting attack. Baiting lures victims with a false promise (e.g., free software) to trick them into executing malware or revealing credentials.

Unlike phishing, which typically uses deceptive emails or websites to steal sensitive information, baiting relies on the allure of a free item or service to trigger a malicious download.

Exam trap

CompTIA often tests the distinction between phishing and baiting by presenting a scenario where a user is tricked by a free offer or physical media (like a USB drive), leading candidates to mistakenly choose phishing because both involve deception, but baiting specifically relies on the promise of a reward or free item.

How to eliminate wrong answers

Option A (Phishing) is wrong because phishing usually involves fraudulent emails or websites that impersonate legitimate entities to steal credentials or financial data, not pop-ups offering free software. Option C (Pretexting) is wrong because pretexting involves fabricating a scenario or identity to gain trust and extract information, not offering a free download. Option D (Shoulder surfing) is wrong because shoulder surfing is the direct observation of a user's screen or keyboard to capture sensitive data, such as passwords, and does not involve pop-ups or downloads.

18
MCQeasy

A user reports receiving an email that appears to be from their CEO, urgently requesting that they purchase $500 in gift cards and reply with the codes. The email address looks slightly off (e.g., ceo@cornpany.com instead of ceo@company.com). What type of social engineering attack is this?

A.Spear phishing
B.Vishing
C.Whaling
D.Tailgating
AnswerC

Whaling is a phishing attack that targets senior executives (or impersonates them) to steal sensitive data or money. The email impersonating the CEO is a textbook example.

Why this answer

Whaling is a targeted social engineering attack aimed at senior executives (the 'big fish') like the CEO. The email impersonates the CEO to trick the recipient into performing a financial action, and the slightly spoofed domain (cornpany.com vs company.com) is a classic indicator of a whaling attempt, as it exploits the authority of a high-level executive to bypass normal security checks.

Exam trap

CompTIA A+ often tests the distinction between spear phishing (targeted at any individual) and whaling (specifically targeting executives or high-value targets), so the trap here is confusing the broad category of spear phishing with the more specific whaling attack due to the personalized nature of the email.

How to eliminate wrong answers

Option A is wrong because spear phishing targets specific individuals or groups but does not specifically focus on high-ranking executives; the attack here is directed at a subordinate impersonating the CEO, making it whaling. Option B is wrong because vishing (voice phishing) uses phone calls or voice messages, not email, to deceive victims. Option D is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized person into a restricted area, which has no relation to email-based social engineering.

19
MCQhard

A technician receives an email from what appears to be the company's CEO, asking for a list of all employee passwords for a 'security audit'. The email address is correct, but the tone and request are unusual. The technician suspects a social engineering attack. What is the best course of action?

A.Reply to the email asking for more details to confirm the request.
B.Forward the email to the security team and do not respond.
C.Provide the list as requested, since the CEO has authority.
D.Call the CEO immediately to verify the request.
AnswerB

The correct action is to report the suspicious email to the security team for investigation and not engage with the potential attacker. This follows proper incident response protocols.

Why this answer

Option B is correct because forwarding the email to the security team ensures that the incident is handled by the appropriate personnel who can investigate the potential phishing or social engineering attack without engaging the attacker. Responding to the email, even for confirmation, could validate the technician's email address as active and potentially expose the organization to further attacks. The security team can analyze headers, links, and attachments using tools like email security gateways or SIEM systems to determine the legitimacy of the request.

Exam trap

CompTIA often tests the misconception that verifying with the CEO by phone is the best immediate action, but the correct priority is to report to the security team first to ensure proper incident response and evidence preservation.

How to eliminate wrong answers

Option A is wrong because replying to the email, even for clarification, confirms to the attacker that the email address is monitored and may trigger follow-up social engineering attempts; it also risks accidental disclosure of sensitive information. Option C is wrong because providing passwords violates security policy and best practices; no legitimate security audit would request plaintext passwords, as they should be hashed and never transmitted. Option D is wrong because while calling the CEO is a good verification step, it delays immediate reporting to the security team, who should be notified first to preserve evidence and coordinate a response; the technician should not act on the request until the security team confirms it is legitimate.

20
MCQeasy

A receptionist at a company receives a call from someone claiming to be from the IT department. The caller says they need her password to perform an urgent server update. The receptionist provides the password. What type of social engineering attack is this?

A.Tailgating
B.Pretexting
C.Phishing
D.Baiting
AnswerB

Pretexting is when an attacker invents a plausible scenario to trick a victim into providing information or access. The caller's false identity as IT staff is a classic pretext.

Why this answer

Pretexting is a social engineering attack where the attacker fabricates a scenario (the pretext) to manipulate the target into divulging sensitive information. In this case, the caller falsely claims to be from the IT department and invokes an urgent server update to trick the receptionist into revealing her password. This is not a technical exploit but a psychological manipulation that relies on the target's trust in authority and urgency.

Exam trap

CompTIA often tests the distinction between pretexting and phishing by emphasizing that pretexting relies on a fabricated scenario (often via phone or in-person) rather than a technical lure or electronic message, so candidates mistakenly choose phishing when the attack vector is a voice call.

How to eliminate wrong answers

Option A is wrong because tailgating involves an unauthorized person physically following an authorized individual into a restricted area, not a phone-based request for credentials. Option C is wrong because phishing typically uses deceptive electronic communications (e.g., email, fake websites) to harvest credentials, not a direct voice call with a fabricated story. Option D is wrong because baiting lures victims with a promise of a reward (e.g., free USB drive) or a digital trap (e.g., infected download), not a false claim of authority and urgency.

21
MCQmedium

During a security incident investigation, a technician finds that an attacker called the help desk, pretended to be a new employee who forgot their password, and successfully reset it. The attacker knew the employee's name and department. Which social engineering technique was used?

A.Phishing
B.Pretexting
C.Tailgating
D.Shoulder surfing
AnswerB

Pretexting is the correct term, as the attacker created a false identity and scenario to gain the help desk's trust.

Why this answer

Pretexting is a social engineering technique where the attacker fabricates a scenario (pretext) to manipulate a target into performing an action. In this case, the attacker called the help desk, assumed the identity of a new employee, and used the known details (name and department) to create a believable story, convincing the help desk to reset the password. This relies on psychological manipulation rather than technical exploitation.

Exam trap

CompTIA often tests the distinction between pretexting and phishing by emphasizing that pretexting involves direct impersonation and a fabricated scenario (often via phone or in person), while phishing relies on electronic communication like email or text messages.

How to eliminate wrong answers

Option A (Phishing) is wrong because phishing involves sending deceptive emails or messages that trick users into revealing sensitive information or clicking malicious links, not directly calling and impersonating someone to reset a password. Option C (Tailgating) is wrong because tailgating is a physical security breach where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not a phone-based impersonation. Option D (Shoulder surfing) is wrong because shoulder surfing involves directly observing someone's screen or keyboard to steal information like passwords, not fabricating a story over the phone.

22
MCQmedium

During a security audit, a technician notices that an unauthorized person is standing just behind an employee at the secure door, waiting for the employee to badge in so they can enter without badging themselves. What type of social engineering attack is being attempted?

A.Pretexting
B.Baiting
C.Tailgating
D.Phishing
AnswerC

Tailgating is when an unauthorized person gains access by closely following an authorized person through a secure entry point. This is exactly what is described.

Why this answer

Tailgating (also known as piggybacking) is a physical social engineering attack where an unauthorized person follows an authorized individual into a secured area without using their own credentials. In this scenario, the attacker waits for the employee to badge in and then slips through the door before it closes, bypassing the access control system. This exploits the trust or politeness of the employee and the physical security gap between the door closing and the authentication check.

Exam trap

CompTIA often tests the distinction between tailgating and pretexting, where candidates mistakenly choose pretexting because they think the attacker is 'pretending' to be authorized, but the key difference is that tailgating requires no verbal deception—just physical proximity and timing.

How to eliminate wrong answers

Option A is wrong because pretexting involves fabricating a false identity or scenario to trick a victim into divulging information or performing an action, not physically following someone through a door. Option B is wrong because baiting relies on offering something enticing (e.g., a free USB drive or download) to lure the victim into a trap, not exploiting physical proximity at a secure door. Option D is wrong because phishing is a digital attack using deceptive emails, messages, or websites to steal credentials or install malware, not a physical entry technique.

23
MCQeasy

A technician receives a call from someone claiming to be from the company's IT security team, asking for the administrator password to 'run a critical update.' The caller's voice sounds stressed and they mention a data breach. What should the technician do?

A.Provide the password immediately to prevent a data breach.
B.Ask for a callback number and verify it against the company directory.
C.Ignore the call because IT never calls about updates.
D.Change the password and give them the new one.
AnswerB

Verifying the caller's identity through official channels is the standard security procedure to prevent credential theft.

Why this answer

Option B is correct because it follows the principle of verifying identity through a trusted channel before disclosing sensitive information. The technician should ask for a callback number and cross-reference it against the company directory to ensure the caller is legitimate, as social engineering attacks often use urgency and impersonation to bypass security protocols.

Exam trap

This question tests the candidate's ability to resist urgency and authority-based social engineering by presenting a scenario where the caller seems legitimate and the threat appears imminent, leading candidates to prioritize speed over verification.

How to eliminate wrong answers

Option A is wrong because providing the password immediately without verification would violate security policies and could lead to a data breach by enabling an attacker. Option C is wrong because IT security teams may legitimately call about updates, especially during a breach, so ignoring the call could delay a critical response. Option D is wrong because changing the password and giving the new one still discloses credentials to an unverified caller, which does not mitigate the social engineering risk.

24
MCQmedium

A user calls the help desk because they received a pop-up on their screen claiming their computer is infected with a virus and to call a toll-free number for immediate support. The user did not call the number. What should the technician advise the user to do?

A.Call the number to see if it's legitimate.
B.Ignore the pop-up and continue working.
C.Close the pop-up and run a full antivirus scan.
D.Reboot the computer immediately.
AnswerC

The safest action is to close the pop-up (using Task Manager if necessary) and run a security scan to check for any malware that may have been downloaded.

Why this answer

Option C is correct because the pop-up is a classic tech support scam, a form of social engineering. The user should close the pop-up (e.g., using Task Manager or Alt+F4) and immediately run a full antivirus scan to detect and remove any potential malware that may have triggered the pop-up or been downloaded in the background. This ensures the system is cleaned and prevents further compromise.

Exam trap

The trap here is that candidates may confuse a tech support scam pop-up with a legitimate security warning and think calling the number or rebooting is the correct response, but CompTIA emphasizes that the proper procedure is to never engage with the scam and to run a security scan to ensure the system is clean.

How to eliminate wrong answers

Option A is wrong because calling the toll-free number would connect the user to a malicious actor who would attempt to gain remote access or extract payment, directly falling for the social engineering attack. Option B is wrong because ignoring the pop-up and continuing working leaves the system vulnerable; the pop-up may be a symptom of an active infection or a drive-by download, and ignoring it does not address the underlying threat. Option D is wrong because rebooting the computer immediately may allow persistent malware (e.g., a rootkit or scheduled task) to reinitiate the scam pop-up upon startup, and it does not remove the malicious software.

25
MCQmedium

A user reports that they clicked a link in a text message that appeared to be from their bank, warning of suspicious activity. The link led to a realistic-looking login page, but the user realized it was fake after entering their credentials. What type of social engineering attack is this?

A.Vishing
B.Smishing
C.Pharming
D.Pretexting
AnswerB

Smishing is the correct term for SMS-based phishing attacks.

Why this answer

Smishing (SMS phishing) is the correct classification because the attack vector is a text message (SMS) containing a link to a fraudulent website. The user received the message on their mobile device, clicked the link, and entered credentials on a fake login page, which is the hallmark of smishing. Unlike vishing (voice phishing), this attack uses text-based messaging to deliver the malicious link.

Exam trap

The CompTIA A+ exam often tests the distinction between smishing and vishing by focusing on the delivery method (SMS vs. voice), so candidates mistakenly choose vishing when they see 'text message' but focus on the 'warning of suspicious activity' pretext rather than the medium.

How to eliminate wrong answers

Option A (Vishing) is wrong because vishing involves voice calls or voicemail messages that trick victims into revealing information, not text messages with links. Option C (Pharming) is wrong because pharming redirects users from legitimate websites to fraudulent ones via DNS poisoning or local host file manipulation, without requiring the user to click a link in a message. Option D (Pretexting) is wrong because pretexting relies on fabricating a scenario (pretext) to obtain information, typically through direct conversation or impersonation, not via a link in a text message.

26
MCQmedium

A technician is configuring a new employee's workstation. The employee mentions that a 'friendly IT guy' from the help desk called earlier and asked for their username and temporary password to 'pre-setup the account'. The employee provided the information. What should the technician do first?

A.Proceed with the setup as planned, since the employee already provided the info.
B.Reset the employee's password and report the incident to the security team.
C.Call the help desk to verify if they made the call.
D.Tell the employee it was likely a test and to ignore it.
AnswerB

The correct response is to immediately reset the compromised password and report the social engineering attempt to the security team so they can investigate and prevent further attacks.

Why this answer

Option B is correct because the employee has already fallen victim to a social engineering attack (phishing or vishing). The technician must immediately reset the compromised password to prevent unauthorized access and report the incident to the security team so they can investigate and mitigate further risk. This follows the principle of least privilege and incident response best practices for credential compromise.

Exam trap

CompTIA A+ often tests the candidate's ability to prioritize containment over verification or investigation, as many students mistakenly choose to verify the call (Option C) instead of immediately resetting the compromised credentials.

How to eliminate wrong answers

Option A is wrong because proceeding with the setup ignores the clear security breach, allowing the attacker to potentially use the stolen credentials to access the network or sensitive resources. Option C is wrong because calling the help desk wastes critical time and may tip off the attacker if the call was indeed from a malicious actor; the priority is to contain the breach by resetting the password and reporting. Option D is wrong because telling the employee to ignore the incident dismisses a real threat and fails to follow proper security protocols, leaving the account vulnerable.

27
MCQhard

A security analyst notices that an attacker has been sending emails that appear to come from the company's internal email system, asking employees to click a link to update their shared drive password. The link leads to a fake login page. The attacker is using a spoofed internal domain. What specific type of phishing is this?

A.Whaling
B.Spear phishing
C.Vishing
D.Pharming
AnswerB

Spear phishing is the correct term for targeted phishing attacks against specific people or groups.

Why this answer

This is spear phishing because the attacker targets specific employees within the organization using a spoofed internal domain to make the email appear legitimate. Unlike generic phishing, spear phishing is highly targeted and personalized, often leveraging internal context (e.g., 'update your shared drive password') to increase credibility. The use of a spoofed internal domain exploits trust in the company's email infrastructure, often bypassing SPF/DKIM checks if misconfigured.

Exam trap

For CompTIA A+, remember that spear phishing targets specific individuals within an organization, while whaling specifically targets senior executives or high-profile individuals. In this scenario, the attacker is targeting general employees to update their shared drive password, so it is spear phishing, not whaling. Candidates often mistakenly choose whaling when they see a targeted attack, but the key differentiator is the target's role within the organization.

How to eliminate wrong answers

Option A is wrong because whaling targets high-profile executives (e.g., CEO, CFO) with tailored attacks, not general employees updating a shared drive password. Option C is wrong because vishing (voice phishing) uses phone calls or VoIP, not email with a fake login page. Option D is wrong because pharming redirects users from a legitimate website to a fake one by poisoning DNS or local hosts files, not by sending spoofed emails with a link.

28
MCQmedium

During a software deployment, a user reports that a stranger in a delivery uniform asked to use their computer to 'check a shipment status' and then quickly left. Later, the user notices unusual network activity. What should the technician investigate first?

A.Check the user's email for phishing messages.
B.Verify the delivery person's identity with the shipping company.
C.Scan the workstation for malware and review recent system changes.
D.Disable the user's network access permanently.
AnswerC

Given physical access, the attacker may have installed malware or created backdoors; scanning and auditing changes is the correct first step.

Why this answer

The scenario describes a classic social engineering attack where an unauthorized individual gains physical access to a workstation under a pretext. The immediate technical priority is to scan the workstation for malware and review recent system changes because the attacker may have installed a backdoor, keylogger, or remote access trojan (RAT) that explains the unusual network activity. This aligns with incident response best practices: isolate and analyze the affected system first to contain potential data exfiltration or lateral movement.

Exam trap

The CompTIA A+ exam often tests the candidate's ability to prioritize immediate technical containment over administrative or non-technical follow-ups; the trap here is that many candidates choose Option B (verifying identity) because it seems logical for a physical security breach, but the exam expects you to recognize that the workstation is already compromised and must be investigated first.

How to eliminate wrong answers

Option A is wrong because checking the user's email for phishing messages addresses a different attack vector (email-based social engineering), but the incident here involved direct physical access, not a phishing link. Option B is wrong because verifying the delivery person's identity with the shipping company is a non-technical, administrative step that does not address the immediate technical threat of malware or unauthorized system changes already present on the workstation. Option D is wrong because permanently disabling the user's network access is an overreaction and violates the principle of least disruption; a temporary network isolation (e.g., disabling the NIC or blocking the port) is appropriate, but permanent access removal is not a diagnostic or containment step.

29
MCQeasy

A user calls the help desk claiming they received an urgent email from the CEO asking them to purchase gift cards for a client and reply with the codes. The user is suspicious because the email address looks slightly off. What type of social engineering attack is this?

A.Shoulder surfing
B.Phishing
C.Tailgating
D.Dumpster diving
AnswerB

Phishing uses fraudulent communications, often email, to trick recipients into revealing sensitive information or performing actions like purchasing gift cards.

Why this answer

This is a phishing attack because the attacker impersonates a trusted entity (the CEO) via email to trick the user into performing a fraudulent action (purchasing gift cards and sharing codes). The suspicious email address indicates a spoofed sender, a common phishing technique that exploits trust and urgency to bypass user skepticism.

Exam trap

CompTIA A+ often tests the distinction between social engineering attack types by using a scenario that involves electronic communication (email) to trick the user, leading candidates to confuse phishing with physical or observation-based attacks like shoulder surfing or tailgating.

How to eliminate wrong answers

Option A is wrong because shoulder surfing involves directly observing a user's screen or keystrokes to steal information, not sending deceptive emails. Option C is wrong because tailgating is a physical security breach where an unauthorized person follows an authorized individual into a restricted area, unrelated to email-based deception. Option D is wrong because dumpster diving involves searching through trash for discarded sensitive documents or data, not crafting fraudulent electronic communications.

30
MCQeasy

A user calls the help desk, frantic because they received an email from what appears to be the CEO asking them to urgently purchase $500 in gift cards for a client and reply with the codes. The email address looks slightly off, and the signature is missing the usual legal disclaimer. What type of social engineering attack is this most likely an example of?

A.Shoulder surfing
B.Phishing
C.Tailgating
D.Pretexting
AnswerB

Phishing is the correct term for fraudulent emails designed to trick recipients into taking harmful actions, such as buying gift cards.

Why this answer

This is a classic example of phishing, specifically a subtype known as spear phishing or whaling, because the attacker impersonates a high-level executive (the CEO) to trick the user into performing a financial action. The telltale signs are the slightly off email address (spoofed domain or lookalike character) and the missing legal disclaimer, which are common indicators of a fraudulent email designed to harvest credentials or money. Phishing relies on social engineering to bypass technical controls by exploiting human trust and urgency.

Exam trap

The CompTIA A+ exam often tests the distinction between phishing and pretexting by presenting a scenario where the attacker uses a fabricated story (pretext) but delivers it via email, leading candidates to choose pretexting instead of recognizing that the email delivery method makes it phishing.

How to eliminate wrong answers

Option A is wrong because shoulder surfing involves directly observing a user's screen or keystrokes over their shoulder to capture sensitive information, which does not apply to an email-based request. Option C is wrong because tailgating is a physical security attack where an unauthorized person follows an authorized individual into a restricted area without proper authentication, not a digital email scam. Option D is wrong because pretexting is a social engineering technique where the attacker fabricates a scenario (pretext) to obtain information, often via phone or in person, but the core mechanism here is the fraudulent email itself, which is the defining characteristic of phishing.

Ready to test yourself?

Try a timed practice session using only Social Engineering Attacks questions.