Understanding Common Cyber Attacks

FBI IC3 reports phishing as the most common form of cyber attack 298,878 complaints received with losses over $834 million. Phishing is so common now that it's almost become part of our everyday language. Recently, I even received an email saying, "I'm phishing for your thoughts," which was a clever, albeit spammy, twist on the term that left an impression on me. However, phishing remains one of the biggest threats in cybersecurity today.

According to NIST, phishing is defined as:

"A technique for attempting to acquire sensitive data, such as bank account numbers, through a fraudulent solicitation in email or on a website, in which the perpetrator masquerades as a legitimate business or reputable person."

"Tricking individuals into disclosing sensitive personal information through deceptive computer-based means."

That last part—deceptive computer-based means—is important. Phishing methods are increasingly more sophisticated in mimicking trusted sources, making it harder for the average user to detect schemes.

Example: Sometimes our curiosity gets the best of us. As a cybersecurity pro, I've had direct experience defending and reacting to phishing, and have even at least partly fallen for phishing attempts.

• A user clicked on a seemingly harmless PDF attachment from what appeared to be a legitimate source, only to find out it was loaded with malware that began sending phishing emails to everyone in his Outlook address book.
• A colleague received an email from an apparent legitimate source and clicked on a link in the email that led to a fake login page. He entered his credentials. IT didn't realize the breach until months later when hackers hijacked his email account and targeted his contacts.
• In one instance, a carefully crafted phishing email test fooled me into clicking on a link. Fortunately, it was just a test, but it highlighted how even the trained eye can sometimes be deceived.

Whenever we create accounts on third-party websites, our security is only as strong as their defenses. If these sites experience a data breach, your passwords may wind up on the dark web, where they are sold to malicious actors. This is a major problem because many people reuse passwords across multiple sites, amplifying the risk.

Example: Years ago, I was guilty of reusing passwords across sites. One day, after landing from a flight, I received an email informing me that my Netflix account had been compromised. The culprit? A password I had been using for years, which had been leaked in a data breach. Thanks to my password manager, I was able to quickly change my passwords across affected sites, but the incident served as a wake-up call. Just a few days ago, I received a notice from PlayStation that my account was accessed from a foreign location. The password hadn't been updated because I hadn't used the account in years, yet it was still vulnerable.

While phishing relies on email and websites, vishing (voice phishing) uses phone calls to manipulate victims into providing sensitive information. These calls often induce fear or urgency, pushing people to act before thinking critically.

Example: I recently received a voicemail from a "Bryan from the legal department," though no specific legal department was mentioned. The call mentioned someone I knew by name, claiming they were in trouble. The caller's New England accent and area code caught my attention, as we tend to think of cybercriminals as being in far-off places, but they can be local too. The goal was clearly to scare me into sending money or personal information under the guise of helping someone I know.

Ransomware is a major cybersecurity threat and is a type of malware that encrypts the victim's data and demands payment, usually in cryptocurrency, for the decryption key. Consider ransomware the payload of an effective hack. From an external surface, the attacks are typically carried out through phishing emails, malicious downloads, or vulnerabilities in outdated software. Once the attacker has infiltrated the internal environment, the victim's files are rendered inaccessible by way of encryption, and the attackers threaten to leak or destroy the data if the ransom isn't paid.

Example: Ransomware is becoming an increasingly dangerous threat, not only to businesses but also to public safety. In 2023, the City of Dallas experienced a significant ransomware attack that took down critical emergency services, including 911 dispatching systems, delaying response times and putting lives at risk. According to a report by Emsisoft, "At least 95 government entities were impacted in 2023," demonstrating how widespread this threat has become. The FBI's 2023 Internet Crime Report revealed that government agencies were the third-largest ransomware targets, with 153 complaints from critical infrastructure sectors that were affected by ransomware attacks.

As these attacks grow more sophisticated, they threaten not just financial loss but critical services society relies on.

DDoS attacks overwhelm a target's server, network, or website by flooding it with an excessive amount of traffic, causing the system to crash or become unavailable to legitimate users. These attacks often use botnets—a network of infected computers that operate under the control of the attacker—to carry out the attack.

Example: In 2016, Dyn, a major domain name system provider, was hit with one of the largest DDoS attacks in history. The attack disrupted access to major websites like Twitter, Netflix, and Reddit by overwhelming Dyn's infrastructure.

Malware, short for "malicious software," encompasses a wide range of harmful programs designed to disrupt, damage, or gain unauthorized access to computer systems. Malware can include viruses, worms, Trojans, and spyware, among others. Cybercriminals use malware to cause disruption, steal information, spy on users, or gain control of their systems.

Example: In the early 2000s, the ILOVEYOU virus spread rapidly through email systems, tricking users into downloading a malicious attachment that overwrote files and spread to all their contacts. It caused billions of dollars in damages and illustrated how a simple email could cause global chaos.

Social engineering involves manipulating individuals into divulging confidential information by exploiting human psychology rather than using technical hacking methods. Attackers often impersonate trusted figures (like tech support, government officials, or coworkers) to convince the victim to share sensitive information or grant access to systems.

Example: In a well-known case from 2016, hackers used social engineering to convince a high-level executive at a major tech company to wire $100 million to a fraudulent bank account. The attackers posed as business partners through email and used a mix of confidence and urgency to push the transaction through.