The described situation is a classic social engineering attack, specifically a phishing or CEO fraud (business email compromise) attempt. Social engineering exploits human psychology rather than technical vulnerabilities. In this case, the attacker attempted to impersonate the CEO and trick the board member into making an unauthorized payment.
Analysis of Answer Choices:
(A) Incorrect – A risk of spyware and malware.
Spyware and malware typically involve malicious software installed on a device, which is not the case here.
This attack relied on deception rather than malware to obtain unauthorized funds.
(B) Incorrect – A risk of corporate espionage.
Corporate espionage involves unauthorized data theft, sabotage, or insider threats.
The attacker here attempted financial fraud, not intellectual property theft.
(C) Incorrect – A ransomware attack risk.
Ransomware encrypts files and demands payment for decryption.
There is no mention of system encryption or ransom demands in this case.
(D) Correct – A social engineering risk.
The attacker impersonated the CEO and used urgency to manipulate the board member into processing a fraudulent payment.
This technique is a business email compromise (BEC) scam, a well-known social engineering tactic.
IIA References and Internal Auditing Standards:
IIA’s GTAG (Global Technology Audit Guide) – Cybersecurity Risks and Controls
Discusses social engineering and its impact on financial fraud.
NIST Cybersecurity Framework – Social Engineering Threats
Defines social engineering tactics, including email impersonation and phishing.
COBIT Framework – Information Security Governance
Recommends controls to mitigate social engineering risks, such as employee training and email authentication mechanisms.
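As an added illustration (not part of the original answer explanation), the script below shows the defensive side of the controls the references point at: it reads a message's Authentication-Results header for the SPF/DKIM/DMARC outcomes, flags an executive's display name arriving from a non-corporate domain or a corporate From domain that did not pass DMARC, and combines that with the urgency and payment language that characterises a CEO-fraud request. The corporate domain example.com, the executive roster and the three sample messages are all constructed for this example.

```python
"""Added example: triage check for executive-impersonation (BEC) emails.

Everything below is constructed for illustration: the corporate domain,
the executive roster and the sample messages are not real data.
"""
import re
from email import message_from_string
from email.utils import parseaddr

CORPORATE_DOMAIN = "example.com"                 # constructed
EXECUTIVES = {"jane doe": "CEO", "john roe": "CFO"}  # constructed roster
URGENCY_TERMS = ("urgent", "immediately", "right away", "today", "confidential")
PAYMENT_TERMS = ("payment", "wire", "transfer", "invoice")


def parse_auth_results(header: str) -> dict:
    """Extract spf/dkim/dmarc outcomes from an Authentication-Results value.
    Methods not present in the header are reported as 'none'."""
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for method, outcome in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header or "", re.I):
        results[method.lower()] = outcome.lower()
    return results


def _domain_of(address: str) -> str:
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def assess_message(raw: str) -> dict:
    """Return findings and a verdict ('ok', 'review' or 'hold') for one message."""
    msg = message_from_string(raw)
    display, address = parseaddr(msg.get("From", ""))
    from_domain = _domain_of(address)
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    text = (msg.get("Subject", "") + " " + str(msg.get_payload())).lower()

    findings = []
    # Identity checks: who the message claims to be from, and whether
    # email authentication backs that claim.
    if display.strip().lower() in EXECUTIVES and from_domain != CORPORATE_DOMAIN:
        findings.append("executive display name sent from an external domain")
    if from_domain == CORPORATE_DOMAIN and auth["dmarc"] != "pass":
        findings.append("corporate From domain but DMARC result is %r" % auth["dmarc"])
    if reply_addr and _domain_of(reply_addr) != from_domain:
        findings.append("Reply-To domain differs from From domain")

    # Content checks: pressure to act quickly, and a request to move money.
    urgency = [t for t in URGENCY_TERMS if t in text]
    payment = [t for t in PAYMENT_TERMS if t in text]
    if urgency:
        findings.append("pressure language: " + ", ".join(urgency))
    if payment:
        findings.append("payment request language: " + ", ".join(payment))

    identity_doubt = any(f.startswith(("executive", "corporate", "Reply-To")) for f in findings)
    if identity_doubt and (urgency or payment):
        verdict = "hold"      # verify with the named executive out of band
    elif identity_doubt or payment:
        verdict = "review"
    else:
        verdict = "ok"
    return {"from": address, "display": display, "auth": auth,
            "findings": findings, "verdict": verdict}


# Constructed sample messages.
BEC_LOOKALIKE = """\
From: Jane Doe <jane.doe@examp1e-mail.com>
To: board.member@example.com
Subject: Urgent - confidential payment
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e-mail.com; dkim=none; dmarc=none

Please process the attached vendor payment immediately. I am in meetings all day.
"""

LEGIT = """\
From: Jane Doe <jane.doe@example.com>
To: board.member@example.com
Subject: Q3 board pack
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

The Q3 board pack is attached for review before Thursday.
"""

SPOOFED_DOMAIN = """\
From: Jane Doe <jane.doe@example.com>
To: board.member@example.com
Subject: Payment approval needed today
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Approve the invoice payment right away.
"""

if __name__ == "__main__":
    for name, raw in (("lookalike", BEC_LOOKALIKE), ("legit", LEGIT), ("spoofed", SPOOFED_DOMAIN)):
        result = assess_message(raw)
        print(name, result["verdict"], result["findings"])
```

A "hold" verdict is meant to route the message to a verification step (a call back to the executive on a known number, or a second approver), which is the procedural control that defeats this class of fraud regardless of how convincing the email looks.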