Certified Internal Auditor (CIA) Part 3: Business Knowledge for Internal Auditing — Question 110

A newly appointed board member received an email that appeared to be from the company’s CEO. The email stated:

“Good morning. As you remember, the closure of projects is our top priority. Kindly organize prompt payment of the attached invoice for our new solar energy partners.”

The board member quickly replied to the email and asked under which project the expense should be accounted. Only then did he realize that the sender’s mail domain was different from the company’s. Which of the following cybersecurity risks nearly occurred in the situation described?

Answer options

• A. A risk of spyware and malware
• B. A risk of corporate espionage
• C. A ransomware attack risk
• D. A social engineering risk

Correct answer: D

Explanation

The correct answer is D, as the scenario describes a classic case of social engineering where the board member was manipulated into responding to a fraudulent email. The other options do not apply since spyware and malware are not involved, corporate espionage typically involves stealing sensitive information rather than direct manipulation, and ransomware attacks generally involve encrypting data for a ransom rather than attempting to deceive someone through email.