During a penetration testing exercise, you decide to perform social engineering attacks based on the principle of influence. Which of the following actions would be BEST to establish a sense of authority to convince an employee to provide confidential information?
Send a phishing email requesting a prompt reply with the information needed, without any specific context or established authority.
Pose as a high-level executive of the company and request the information through a direct phone call, referencing a critical and confidential business decision.
Impersonate an IT support staff member via email, stating that there is an issue with their account that needs immediate resolution involving sensitive information.
Pose as a third-party contractor and request sensitive information through a phone call, claiming it's required for an urgent system update.
Posing as a high-level executive within the company establishes the illusion of authority, as employees are generally conditioned to comply with requests from their superiors due to organizational hierarchy. This approach exploits the human tendency to follow the orders of those they perceive to be in power, making it highly effective for extracting information during a social engineering attack.
Other options are not as effective: sending a generic phishing email does not explicitly exploit the principle of authority, and while IT support is a position of trust, it does not typically invoke the immediate compliance associated with high-ranking officials. Likewise, an unknown third-party contractor would generally have less inherent authority within the target organization.