A spear phishing attack is a highly targeted email-based attack where an attacker impersonates a trusted individual (e.g., the CEO) to trick recipients into providing sensitive information.
In this scenario, an intruder posed as the CEO and deceived payroll staff into sharing employees' private tax information.
Spear phishing is more targeted than general phishing, often using personal details to make the fraudulent request seem legitimate.
A. Boundary attack. (Incorrect)
A boundary attack refers to attempts to breach an organization’s network perimeter defenses, such as firewalls and intrusion detection systems.
This scenario describes a social engineering attack, not a technical boundary attack.
B. Spear phishing attack. (Correct)
Spear phishing attacks are highly personalized email attacks, usually targeting specific employees within an organization.
Attackers research their targets and use realistic messages to trick them into divulging sensitive data.
This fits the scenario, as the attacker impersonated the CEO to steal tax information.
C. Brute force attack. (Incorrect)
A brute force attack involves systematically guessing passwords to gain unauthorized access to systems.
This attack was based on deception, not password cracking.
D. Spoofing attack. (Incorrect, but closely related)
Email spoofing is a technique where an attacker falsifies the sender’s email address.
While spear phishing often includes spoofing, the broader technique used here is spear phishing, as it involved social engineering and deception.
IIA GTAG 16 – Security Risk: IT and Cybersecurity discusses phishing and social engineering threats, emphasizing internal controls to mitigate them.
IIA Standard 2120 – Risk Management highlights the need for risk assessments in cybersecurity, including employee awareness training for phishing attacks.
National Institute of Standards and Technology (NIST) Special Publication 800-61 classifies spear phishing as a high-risk cyber threat to organizations.
Explanation of Answer Choices:IIA References:
