An intruder posing as the organization's CEO sent an email and tricked payroll staff into providing employees' private tax information. What type of attack was perpetrated?
A spear phishing attack is a highly targeted email-based attack where an attacker impersonates a trusted individual (e.g., the CEO) to trick recipients into providing sensitive information.
In this scenario, an intruder posed as the CEO and deceived payroll staff into sharing employees' private tax information.
Spear phishing is more targeted than general phishing, often using personal details to make the fraudulent request seem legitimate.
Explanation of Answer Choices:
A. Boundary attack. (Incorrect)
A boundary attack refers to attempts to breach an organization’s network perimeter defenses, such as firewalls and intrusion detection systems.
This scenario describes a social engineering attack, not a technical boundary attack.
B. Spear phishing attack. (Correct)
Spear phishing attacks are highly personalized email attacks, usually targeting specific employees within an organization.
Attackers research their targets and use realistic messages to trick them into divulging sensitive data.
This fits the scenario, as the attacker impersonated the CEO to steal tax information.
C. Brute force attack. (Incorrect)
A brute force attack involves systematically guessing passwords to gain unauthorized access to systems.
This attack was based on deception, not password cracking.
D. Spoofing attack. (Incorrect, but closely related)
Email spoofing is a technique where an attacker falsifies the sender’s email address.
While spear phishing often includes spoofing, the broader technique used here is spear phishing, as it involved social engineering and deception.
IIA References:
IIA GTAG 16 – Security Risk: IT and Cybersecurity discusses phishing and social engineering threats, emphasizing internal controls to mitigate them.
IIA Standard 2120 – Risk Management highlights the need for risk assessments in cybersecurity, including employee awareness training for phishing attacks.
National Institute of Standards and Technology (NIST) Special Publication 800-61 classifies spear phishing as a high-risk cyber threat to organizations.