Weekly CISSP Practice
Exam Questions
Week 37 - Question 1
Which of the following is NOT an example of a Social Engineering attack?
A. Phishing
B. Baiting
C. SQL Injection
D. Pretexting
Answer: C
Explanation:
A. Phishing
Phishing is the most common form of social engineering, relying on bulk fraudulent communications (usually email).
- The Mechanism: The attacker masquerades as a trusted entity (a bank, a colleague, or a service provider) to trick the victim into clicking a malicious link or providing credentials.
- Variations for the Exam:
  - Spear Phishing: Targeted at a specific individual or department.
  - Whaling: Targeted at high-level executives (C-suite).
  - Vishing: Phishing conducted over voice/phone.
B. Baiting
Baiting is similar to phishing but involves a "promise" or a physical item to pique the victim's curiosity or greed.
- The Classic Example: An attacker leaves a malware-infected USB drive in a company parking lot labeled "Executive Salary Review." An employee finds it and, out of curiosity, plugs it into a corporate workstation.
- The Digital Example: Offering a "free" movie or software download that secretly contains a Trojan.
C. SQL Injection (SQLi)
This is the correct answer because it is a Technical/Software Attack, not a social one.
- Why it's the Answer: SQL Injection involves inserting malicious SQL code into an input field (like a login box or search bar) to manipulate the backend database. It exploits a failure in input validation in the application code. No human interaction or trickery is required for the attack to succeed; it is purely machine-to-machine.
[Image showing a SQL Injection attack where malicious code is entered into a web form to bypass authentication]
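The following is an added example, not part of the original question or its explanation, showing why SQLi is a defect in code rather than in people: the vulnerable login builds its query from raw input, while the hardened version beside it validates the username against an allow-list and uses a parameterised query (the standard fix). The in-memory table, the user record and the allow-list pattern are constructed for this demo.

```python
import re
import sqlite3

# Constructed demo database: one user, kept in memory so the example runs offline.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
conn.commit()


def login_vulnerable(username: str, password: str) -> bool:
    """The defect: untrusted input is pasted into the SQL text, so whatever the
    client sends becomes part of the query's structure (the WHERE clause)."""
    sql = ("SELECT COUNT(*) FROM users "
           f"WHERE username = '{username}' AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


# Allow-list for the username field (an assumption for this demo).
USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def login_safe(username: str, password: str) -> bool:
    """Hardened form. Input validation rejects usernames outside the allow-list,
    and the parameterised query sends both values as data rather than SQL text,
    so they cannot alter the WHERE clause regardless of their content."""
    if not USERNAME_PATTERN.match(username):
        return False
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username: str, password: str) -> dict:
    """Return what each implementation decides for the same input."""
    return {"vulnerable": login_vulnerable(username, password),
            "safe": login_safe(username, password)}


if __name__ == "__main__":
    print(compare("alice", "correct-horse"))   # legitimate user: both accept
    print(compare("alice", "wrong"))           # wrong password: both reject
    # Textbook tautology in the password field: only the concatenated query
    # lets it through, and no person had to be tricked along the way.
    print(compare("alice", "' OR '1'='1"))
```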
D. Pretexting
Pretexting is the act of creating an elaborate, fabricated scenario (the "pretext") to steal a victim's personal information.
- The Method: Unlike phishing, which is often a generic "click here" request, pretexting usually involves a character. For example, an attacker calls a help desk claiming to be an external auditor who needs a specific report "for the board meeting in ten minutes."
- The Focus: It relies on building a false sense of trust or urgency with the victim.
Podcasts
Check out my weekly podcasts that delve deep into the relevant topics related to each of the CISSP domains. In addition, I will go over specific questions and how they can be interpreted and answered.
CISSP Cyber Training Academy
Tired of not knowing how to study for the CISSP Exam?
Check out the CISSP Cyber Training Academy to help you on your journey!
CISSP Cyber Training - YouTube
Check out my video collection on YouTube discussing all the details needed to help you pass the CISSP exam.