PrepAway - Latest Free Exam Questions & Answers

Which of the following attack types is this?

Purchasing receives a phone call from a vendor asking for a payment over the phone. The phone number
displayed on the caller ID matches the vendor’s number. When the purchasing agent asks to call the
vendor back, they are given a different phone number with a different area code.
Which of the following attack types is this?

A. Hoax

B. Impersonation

C. Spear phishing

D. Whaling

Explanation:
In this question, the caller is impersonating a vendor and asking for payment. They have managed
to ‘spoof’ their calling number so that their caller ID matches the vendor’s number.
Impersonation is where a person, computer, software application or service pretends to be someone or
something it is not. Impersonation is commonly used non-maliciously in client/server applications.
However, it can also be used as a security threat.
Incorrect Answers:
A: A hoax is something that makes a person believe that something is real when it is not. A hoax is usually
not malicious and does not involve theft.
C: Spear phishing is an e-mail spoofing fraud attempt that targets a specific organization, seeking
unauthorized access to confidential data. As with the e-mail messages used in regular phishing
expeditions, spear phishing messages appear to come from a trusted source. Phishing messages usually
appear to come from a large and well-known company or Web site with a broad membership base, such
as eBay or PayPal. In the case of spear phishing, however, the apparent source of the e-mail is likely to be
an individual within the recipient’s own company and generally someone in a position of authority. Spear
phishing involves email spoofing rather than telephone spoofing. Therefore this answer is incorrect.
D: Whaling is a specific kind of malicious hacking within the more general category of phishing, which
involves hunting for data that can be used by the hacker. In general, phishing efforts are focused on
collecting personal data about users. In whaling, the targets are high-ranking bankers, executives or
others in powerful positions or job titles.
Hackers who engage in whaling often describe these efforts as “reeling in a big fish,” applying a familiar
metaphor to the process of scouring technologies for loopholes and opportunities for data theft. Those
who are engaged in whaling may, for example, hack into specific networks where these powerful
individuals work or store sensitive data. They may also set up keylogging or other malware on a
workstation associated with one of these executives. There are many ways that hackers can pursue whaling,
leading C-level or top-level executives in business and government to stay vigilant about the possibility of
cyber threats. This is not what is described in this question.
http://searchsecurity.techtarget.com/definition/spear-phishing
http://www.techopedia.com/definition/28643/whaling

