Certified Ethical Hacker (CEH v13) — Question 284

A penetration tester is hired by a company to assess its vulnerability to social engineering attacks targeting its IT department. The tester decides to use a sophisticated pretext involving technical jargon and insider information to deceive employees into revealing their network credentials.

What is the most effective social engineering technique the tester should employ to maximize the chances of obtaining valid credentials without raising suspicion?

Answer options

• A. Create a convincing fake IT support portal that mimics the company’s internal systems
• B. Send a generic phishing email with a malicious attachment to multiple employees
• C. Visit the office in person as a maintenance worker to gain physical access to terminals
• D. Conduct a phone call posing as a high-level executive requesting urgent password resets

Correct answer: D

Explanation

The correct answer is D, as conducting a phone call while impersonating a high-level executive can leverage authority to elicit trust and prompt employees to comply with the request for password resets. Option A, while effective, may not maximize the chances as well as a direct communication approach. Option B is too generic and less likely to be effective in targeting specific credentials, while C relies on physical presence which may not be practical or feasible.