Attacks and Awareness Training Materials

Scenario 1 (Phishing)

A phishing attack refers to the use of emails, social media, SMS and instant messaging to trick the unsuspecting target into revealing sensitive information (Salahdine).

The chief financial officer (CFO) of an organization receives an email, sent by someone impersonating one of its suppliers, announcing a change to the bank account details to which payments are to be made. The email provides contact details (in the form of a button labelled "contact us") in case the CFO needs clarification. It arrives an hour before such transactions usually take place. Based on trust in the specific supplier, the CFO unwittingly allows the transaction to go to the new account.

Step 1: Attack Formulation

Goal identification: This attack aims to get money wired into the attacker's account.

Target identification: The Chief Financial Officer of an organization is the target. This is due to his or her direct link to the financials.

Step 2: Information Gathering

Identify potential sources: All the available financial records of the supplier, the CFO's business card for contact details, and email samples from the organization and the supplier.

Gather information from sources: Obtain the CFO's contact details, collect email samples (especially those between the CFO or organization and supplier), and financial records from receipts or invoices.

Assess gathered information: Understand the email format the supplier uses with the specific organization (including the formal language used, the structure, and any other detail), assess the financials to determine the amount paid to the supplier, and know the means of communication the organization's CFO uses with the supplier.

Step 3: Preparation

Combination and analysis of gathered information: Identify the supplier's recent invoice to the organization (the dates and time of delivery), identify the organization's mode of payment, whether on credit or debit, and get a view of the email structure, including the language used in communication between the two.

Development of an attack vector: Write an email to the CFO that is identical in form to the supplier's, drawing on the "combination and analysis of gathered information". The email includes a "contact us" button that redirects to the attacker's own staged contacts. The attack works once the CFO clicks the button; hence the button must not be conspicuous and must fit the email structure.

Step 4: Developing Relationships

Establishment of communications: A communication is first established when the CFO sends and receives the email. The CFO needs to read the email and not sense any peculiarity in its format.

Rapport building: This is done through the email, which is structured so that the CFO trusts its authenticity. It builds on the established communication. At this point the CFO is not to delete the email but to take an interest in it by going through it and acting accordingly.

Step 5: Exploit Relationship

Priming the target: When the authenticity matches that of the supplier, to the point that the CFO needs to call for clarification, this part would have been deemed complete. For the target to be primed, he or she needs to be confident in what is written in the email.

Elicitations: The CFO believes in the authenticity of the email. He acts on the trust previously built between the organization and the supplier by allowing the money to be sent to the attacker's account.

Step 6: Debrief

Maintenance: The CFO should be completely unaware that he is being manipulated into wiring finances into the attacker's account. As long as the CFO is not suspicious, the attack is close to completion.

Transition: The CFO thus decides to transition to the fake account with complete conviction that the attacker is the actual supplier.

Goal satisfaction: The attacker thus receives the amount, and the initial goal set out is achieved.

Awareness Training Material

Question & answers

  1. In a phishing social engineering attack, attackers mainly target __________
    • CCTV cameras
    • Wi-Fi network
    • Emails
    • HVAC
  2. Which of the following is not an example of a physical type of hacking?
    • Putting a pen drive in the mainframe computer
    • Phishing
    • Drugging the victim then asking for information
    • Sneaking in
  3. Which of the four accurately describes phishing?
    • Formulating false but convincing stories with an aim to gain access to sensitive information from the victim.
    • Inviting family and friends to your wedding celebration via emails
    • Following an employee without their knowledge into a restricted area
    • Sending a malicious email to people to get sensitive information from them in a manner that they are not aware of any manipulation.


  1. Use two-way authentication on all payments.
  2. Personal information of any kind ought not to be entered on a pop-up screen, especially one reached from suspicious email links or websites.
  3. Always exercise caution with all communication received from within and outside the organization, especially messages containing suspicious links.
  4. Run short phishing attack drills once in a while to keep employees alert to attempts of this nature.
  5. Attachments in a suspicious email are not to be opened since they may contain malware.
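
An added example, not part of the original training material: a Python triage check for the kind of email described in Scenario 1. It flags a known supplier's display name sent from a domain that is not on file, a request to change bank details, and a "contact us" link that leaves the supplier's domain. The vendor list, domains, sample messages and verdict names are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a vendor master list maps each supplier's display name to the
# domain it is known to send from. Every name and domain here is constructed.
KNOWN_SUPPLIERS = {"acme supplies": "acme-supplies.example"}
BANK_TERMS = re.compile(r"\b(bank account|bank details|account details|iban)\b", re.I)
CHANGE_TERMS = re.compile(r"\b(chang\w*|new|updat\w*)\b", re.I)
# Constructed samples: a look-alike sender with an off-domain button, then a routine invoice.
SUSPICIOUS = """\
From: Acme Supplies <accounts@acme-supplles.example>
Subject: Updated payment information

<p>Our bank account details have changed. Please use the new account today.</p>
<a href="https://acme-support.example/contact">Contact us</a>
"""
ROUTINE = """\
From: Acme Supplies <accounts@acme-supplies.example>
Subject: Invoice 1042

<p>Invoice 1042 is attached. Payment terms are as agreed.</p>
<a href="https://www.acme-supplies.example/contact">Contact us</a>
"""


class LinkCollector(HTMLParser):  # collects the href of every <a>, buttons included
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs.extend(v for k, v in attrs if k == "href" and v)


def in_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def triage(raw_message):
    """Return the findings for one raw message with a single-part body."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    expected = KNOWN_SUPPLIERS.get(name.strip().lower())
    body, findings = msg.get_payload(), []
    if expected and not in_domain(from_domain, expected):
        findings.append("sender_domain_mismatch")
    if BANK_TERMS.search(body) and CHANGE_TERMS.search(body):
        findings.append("bank_detail_change")
    links = LinkCollector()
    links.feed(body)
    hosts = [(urlparse(h).hostname or "").lower() for h in links.hrefs]
    if any(h and not in_domain(h, expected or from_domain) for h in hosts):
        findings.append("offsite_contact_link")
    return findings


def verdict(findings):  # a bank-detail change is never a plain "pass"
    if "bank_detail_change" in findings:
        return "hold" if len(findings) > 1 else "verify"
    return "verify" if findings else "pass"


if __name__ == "__main__":
    print([(triage(m), verdict(triage(m))) for m in (SUSPICIOUS, ROUTINE)])
```

A "verify" or "hold" verdict means the request should be confirmed through contact details already on file, not through the button in the message.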

Scenario 2 (Pretexting)

Pretexting refers to a social engineering attack in which the attacker creates a fabricated story to fool the victim (Mouton).

A clothing store seeks to enter a particular country's market but lacks the means to do so: to gain smooth entry, it needs a citizen of that country who better understands local business operations and laws. During the search, the HR department gets an email from a citizen of the country claiming to be a salesperson. His portfolio looks completely legitimate and reliable. As a result, they get in touch with the salesperson, alleged to be from their target country, via the contacts given in the email. They allow the salesperson to represent the clothing store in his country, his role being sales agent and brand promoter. He promises a good deal.

Step 1: Attack Formulation

Goal identification: The goal, in this case, is to get the bank account details of the clothing store.

Target identification: Clothing store with a need for expanding its market base.

Step 2: Information Gathering

Identify potential sources: The clothing store's advertisements found online or on papers and the store's website.

Gather information from sources: Find data on the recent sales, the nature of the sales, and the business model. Examine its online presence, range of customers, and type of market targeted. Understand its primary purpose for expansion by doing a bit of benchmarking.

Assess gathered information: Understand the company's policy on data and the structure of its growth plan based on previous successful expansions. This gives a clear picture of what the company is all about. Know the financial prospects within its target market and get to know the type of salespeople it employs.

Step 3: Preparation

Combination and analysis of gathered information: Combine the information gathered, sorting out the importance of each and how it would help better understand the company, keeping in mind the development of a suitable background story that would best allow proper execution of the plan.

Development of an attack vector: Based on the information assessed, develop a suitable and convincing background story that fits the store's salesperson type criteria. Prepare a convincing portfolio of successful business deals made.

Step 4: Developing Relationships

Establishment of communications: Contact the store with a view to winning their trust based on the portfolio. Remove as much doubt about the salesperson's professionalism as possible.

Rapport building: The main aim is to make sure that the clothing store believes entirely in the storyline, to the extent that the attacker becomes its salesperson.

Step 5: Exploit Relationship

Priming the target: Making two or three good deals to further solidify the store's belief and trust. This takes time; however, it results in a much stronger conviction in the attacker's ability.

Elicitation: Asking for the bank details based on the proper trust base already formed. It becomes easier to convince the clothing store that such information makes doing business more comfortable, efficient, and faster.

Step 6: Debrief

Maintenance: Not breaking character and maintaining trust to gain the details of the bank account, while making more business deals that satisfy the store's confidence.

Transition: The length of time has gotten rid of all doubts, and hence the store has the freedom to share its bank account details with the attacker.

Goal satisfaction: The objective of the attack is attained, and now the attacker has access to the store's details and can thus proceed to do with it as he wishes.

Awareness Training Material

Question & answers

  1. ___________ involves an attack where an individual creates a storyline to lie to a person to acquire privileged data.
    • Reverse social engineering
    • Phishing
    • Pretexting
    • Baiting
  2. Pretexting is the only category of social engineering attack that cannot be done physically.
    • True
    • False
  3. Which of the following is an example of a social engineering attack by pretexting?
    • An email that contains an attachment and has a malicious link.
    • A person formulates a false but believable story to gain access to an organization's sensitive information.
    • An investment opportunity that promises a good return, too good of a deal, requires sensitive information to gain its benefits.
    • All of the above


  1. Create a policy against suspected pretexts and ensure all employees are aware of it.
  2. Form a social engineering awareness department that filters employee email, searching for any malicious attempts on the organization's systems.
  3. Limit access to an organization's sensitive information to a few.
  4. Alert employees to, and create awareness of, the possibility of pretexts.
  5. Instill a culture of proactiveness (confirming sources of information) rather than reactiveness.

Scenario 3 (Baiting)

A baiting attack is based on human curiosity or greed. It involves using a false promise or offering something enticing to the victim to gain access to his or her information (Salahdine).

An employee of a technology company finds a USB stick bearing its logo in the parking lot in the morning. She picks it up, turns it around and sees it labelled confidential. The employee's curiosity gets the better of her, and she decides to plug it into her work desktop once she gets into the building. Plugging the USB stick into her computer causes her desktop to be infected with malware.

Step 1: Attack Formulation

Goal identification: Gain access to the company's computer network.

Target identification: Target company's employee.

Step 2: Information Gathering

Identify potential sources: Company's flyers, public records, and sample USB stick.

Gather information from sources: From the company's flyers, information about the logo, security clearance, and building structure can be obtained. Get as much information about the company as possible from the flyers.

Assess gathered information: Understanding the building structure and security clearance to aid in placement of the USB stick.

Step 3: Preparation

Combination and analysis of gathered information: Replicate the company's USB stick, plan on placing the USB stick in the parking lot and know the target's route.

Development of an attack vector: Placing the USB stick infected with malware in the parking lot and waiting for the victim to pick it up.

Step 4: Developing Relationships

Establishment of communications: The first mode of communication would be seeing the USB stick with the company's logo.

Rapport building: The employee sees the word "confidential" written on the other side of the USB stick, which arouses her curiosity.

Step 5: Exploit Relationship

Priming the target: The USB stick is exactly like those used within the company, convincing enough for the employee to take it with her.

Elicitations: The USB stick makes its way into the company building with the unsuspecting employee's aid.

Step 6: Debrief

Maintenance: The USB stick completely resembles and fits the company's standard; hence the employee notices nothing suspicious.

Transition: The USB stick is plugged into one of the company's desktops, triggering the malware and allowing access to its computer network.

Goal satisfaction: Access to the company's system is granted.

Awareness Training Material

Question & answers

  1. An email revealing that you have won the lottery; all you need to do is fill out a form, is an example of what type of social engineering attack?
    • Phishing
    • Baiting
    • Vishing
    • Quid Pro Quo
  2. Which of the following would not protect against the social engineering attack baiting?
    • Adding the numbers of security personnel at the front gate
    • Updating software security patches
    • Training employees against social engineering attacks
    • Creating a culture of mental sharpness against any malicious attacks
  3. Baiting is the act of capitalizing on the curiosity and greed of human nature to trick them into revealing sensitive information.
    • True
    • False


  1. Making an organization's information security every employee's responsibility.
  2. Implementing an awareness training program.
  3. Securing the computer network system and upgrading firmware.
  4. Creating a culture of integrity and openness among employees.

Scenario 4 (Quid Pro Quo)

Quid Pro Quo refers to promising the victim something positive in exchange for information or aid (CITE COL).

The Human Resource Manager of an online retail business gets contacted by an IT company claiming to have the tools required to secure and upgrade its payments system to the latest technology. The company offers the first service for free; the rest would require a manageable subscription plan. The IT company's website has the look and feel of legitimacy, with renowned partners listed in the footer of the web page. That convinces the human resource manager to hire them.

Step 1: Attack Formulation

Goal identification: Gain access to the retail business payments platform.

Target identification: HR Manager of the online retail business.

Step 2: Information Gathering

Identify potential sources: The retail business's recruitment advertisements and publicly available information on the company.

Gather information from sources: Putting together the most useful information obtained from the sources.

Assess gathered information: Picking the right information to work on to formulate a plan.

Step 3: Preparation

Combination and analysis of gathered information: Matching each piece of information to where it fits in the attack vector.

Development of an attack vector: Creating a legitimate-looking website that lists partners and reviews from a hypothetical customer on the quality of service, and preparing an email that fits the retail business's communication structure.

Step 4: Developing Relationships

Establishment of communications: Sending an email to the human resource manager. The email includes a link to the website and contacts.

Rapport building: Allowing the HR Manager to call for validation or clarification on any information not understood. This would be done by providing contact details.

Step 5: Exploit Relationship

Priming the target: The HR Manager browses through the website and sees the renowned partnerships and reviews.

Elicitations: The IT company's services convince the target due to the excellent rapport created and the partnerships shown.

Step 6: Debrief

Maintenance: The HR Manager gives information about their online retail business on the website sign-in page and finally hires the IT company.

Transition: The HR Manager allows access to its payments system.

Goal satisfaction: The IT company gets all data needed to perform an attack on the payment system.

Awareness Training Material

Question & answers

  1. What is Quid Pro Quo?
    • A favour done in return for something.
    • Exchange of malicious information.
    • Willingly revealing company secrets to an outsider.
    • None of the above.
  2. What is the goal of Quid Pro Quo?
    • To impersonate a person.
    • To increase one's influence over someone.
    • To obtain sensitive information.
    • To damage a person's reputation.
  3. Which of the following is false about Quid Pro Quo?
    • Quid Pro Quo can be done either physically or online.
    • IT companies cannot be victims of this type of attack.
    • It is a type of social engineering attack.
    • Anyone can be a target.


  1. Questioning email sources, especially those requesting some information.
  2. Holding back on offers that seem too good.
  3. Avoiding downloading files and sharing personal information from unknown senders.
  4. Viewing offers via the actual company website rather than links.

Scenario 5 (Reverse Social Engineering)

Reverse social engineering attacks are attacks in which the attacker tricks the victim into initiating contact (Irani).

An employee unknowingly clicks a phishing link that affects an organization's entire intranet computer system. The link looked like an email from the finance department concerning his pay. However, it came from a social engineering attacker disguised as an IT specialist. The organization contacts an IT specialist who had continuously advertised his services at a subsidized fee in areas around the organization by using posters and brochures. The advertisement was done a week prior to the phishing link incident. The organization hires the specialist, not knowing that he is the attacker.

Step 1: Attack Formulation

Goal identification: Gain backdoor access to the computer system.

Target identification: An employee of the organization.

Step 2: Information Gathering

Identify potential sources: Organization brochures, flyers, public records, and website.

Gather information from sources: Acquiring information on the company system, employee hierarchies and organization culture.

Assess gathered information: Determine the various means to carry out phishing attacks on the organization, understand the role each targeted employee within the organization has, and know security procedures and policies within the organization.

Step 3: Preparation

Combination and analysis of gathered information: Narrow down to the best phishing attack to carry out, and create an advertisement for services, offered as malware removal, that is most likely to capture the organization's attention.

Development of an attack vector: A week before the attack, roll out the advertisement. Carry out the phishing attack with the aid of malware.

Step 4: Developing Relationships

Establishment of communications: The organization contacts the attacker for malware removal.

Rapport building: Agreement on the terms of service offered (malware removal) and building trust.

Step 5: Exploit Relationship

Priming the target: The organization feels like it got a good deal with the quick response time. This feeling ought to be maintained.

Elicitation: The attacker requests access to one of the main computer networks.

Step 6: Debrief

Maintenance: Keeping the organization's confidence in the professionalism of the attacker.

Transition: Creating backdoor access within the organization's computer system while getting rid of the malware.

Goal satisfaction: The objectives have been achieved, and the attacker can now monitor the organization's activities via backdoor access.

Awareness Training Material

Question & answers

  1. Reverse social engineering attack is the only type that cannot be mitigated?
    • True
    • False
  2. ________ is the type of attack in which the victim initiates contact with the attacker.
    • Phishing
    • Reverse social engineering
    • Baiting
    • Quid Pro Quo
  3. Reverse social engineering must be done using technology?
    • True
    • False


  1. Avoid clicking links, downloading, or opening attachments from unsolicited emails.
  2. Avoid giving offers to unknown sources, especially if an organization's security is at stake.
  3. Always use at least two-factor authentication for critical accounts.


Irani, D., Balduzzi, M., Balzarotti, D., Kirda, E., & Pu, C. (2011). Reverse Social Engineering Attacks in Online Social Networks. DIMVA 2011, 8th Conference on Detection of Intrusions and Malware & Vulnerability Assessment. Amsterdam: Springer.

Mouton, F., Malan, M., Leenen, L., & Venter, H. (2014). Social Engineering Attack Framework. Information Security for South Africa, 1-9.

Salahdine, F., & Kaabouch, N. (2019). Social Engineering Attacks: A Survey. Future Internet, 2-8.

Syiemlieh, P., Khongsit, G., Usha, M., & Sharma, B. (2015). Phishing - An Analysis on the Types, Causes, Preventive Measures and Case Studies in the Current Situation. IOSR Journal of Computer Engineering, 1-8.

According to the police, the answer lies in being aware and working collectively to tackle such crimes.

"The most important and effective preventing measure for everyday use is knowledge (being informed).

"It is important to educate people on the threats and what they can do to stay safe in cyberspace, and this is not only a police matter but a matter for society as a whole.

"When different entities work together for the common good, we will get people who are more able to spot the different dangers of cybercrime and hence avoid them," an officer told Norway Today.

"International cooperation between different countries is very important in combating cybercrime, as the perpetrators can be situated across borders, and their attacks are seldom restricted to one country.

"This shows that cooperation and information exchange is important for all countries.

"At the same time, we have to develop methods and stay updated on trends in the cybercrime field. We need to keep up as the criminals develop new methods to commit cybercrime," Norway Today's police source said. 

The officer also explained that one of the easiest measures one can take to secure their online presence is two-factor authentication on the different services they use.

"Other measures are strong, unique passwords on each service, and security measures such as anti-virus and firewall.

"Back-ups of important materials are another way of securing yourself from the effects of cybercrime."
