# 1.1 Understand Common Attack Types

# Intro

When you consider your security preparedness, it is useful to look first through the lens of the kinds of attacks your company is most likely to experience and need to prepare for.

As we start the cybersecurity risk assessment, the most important attack types to consider are:

  • Phishing and social engineering
  • Business email compromise and invoice fraud
  • Stolen credentials and password attacks
  • Ransomware and extortion
  • Unpatched system exploitation
  • Malware and infostealers
  • Cloud and SaaS account compromise
  • Third-party and supply chain compromise
  • DDoS and service disruption
  • Insider threat and human error

As a warm-up for the cybersecurity assessment, ask: “Are we ready for when these kinds of attacks hit our business? What would happen if they did, and how would we react?”

# Tasks

  • Understand the main attack types
  • Compare the attack types to your organization's actual structure and makeup
  • Determine which attack types are the most critical, moderately critical and less applicable to your case.

# Attack Types

The following are the most prominent cybersecurity attack types and vectors. This means they are the most likely types of attacks your organization will encounter and should prepare for.

# 1. Phishing and Social Engineering

Phishing remains one of the most common ways attackers get inside organizations. It works because it targets people, not just technology. Employees may be tricked into clicking malicious links, opening infected attachments, entering passwords into fake login pages, scanning QR codes, or approving requests that appear to come from executives, vendors, or trusted partners.

The FBI reported that phishing and spoofing were the top cybercrime category by complaint volume in its 2024 Internet Crime Report. (Federal Bureau of Investigation) CISA also specifically warns small and medium-sized businesses to train employees to recognize phishing because attackers use it to steal sensitive information or deliver malicious attachments. (CISA)

Assessment question: Can employees quickly recognize and report suspicious emails, fake login pages, QR-code scams, voice phishing, and impersonation attempts?

# 2. Business Email Compromise and Invoice Fraud

Business email compromise, or BEC, is one of the most dangerous threats for SMEs because it directly targets money movement. Attackers may compromise or impersonate an executive, supplier, customer, or finance employee, then request a wire transfer, payroll change, invoice payment, or bank-account update.

This is not just an IT issue. It is a finance-control issue. The FBI’s 2025 IC3 report says business email compromise remained one of the largest categories of reported losses, behind investment-related fraud. (Internet Crime Complaint Center)

Assessment question: Do we require out-of-band verification before changing supplier bank details, approving unusual payments, or acting on urgent executive requests?

# 3. Stolen Credentials and Password Attacks

Many attackers no longer need to “hack” their way in. They simply sign in using stolen or guessed credentials. Password reuse, weak passwords, missing MFA, exposed credentials from previous breaches, and infostealer malware all make this easier.

Microsoft’s 2025 reporting states that more than 97% of identity attacks were password attacks, and that identity-based attacks increased by 32% in the first half of 2025. (The Official Microsoft Blog) Mandiant’s M-Trends 2025 report also found that stolen credentials became the second most common initial infection vector, representing 16% of intrusions observed in 2024. (Google Services)

Assessment question: Do all critical systems use MFA, strong password management, access reviews, and rapid account removal when employees leave?

# 4. Ransomware and Extortion

Ransomware is no longer just about encrypting files. Many ransomware groups now steal data first, then threaten to leak it if the company does not pay. This creates operational, legal, reputational, and customer-trust consequences.

ENISA’s 2025 threat landscape ranks ransomware among the top threats and identifies it as one of the most impactful cyber threats. (ENISA) Microsoft’s 2025 Digital Defense Report also highlights ransomware and data theft as widespread threats, with financially motivated attacks driving a large share of cyber activity. (Source)

Assessment question: Could we restore critical operations from clean backups without paying a ransom, and have we actually tested that recovery process?

# 5. Exploitation of Unpatched Systems

Attackers actively scan the internet for exposed and outdated systems. Unpatched VPNs, firewalls, remote access tools, servers, websites, and business applications can become entry points.

Mandiant’s M-Trends 2026 reporting says exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. (Google Cloud) M-Trends 2025 also found that exploits were the most common initial infection vector in 2024, ahead of stolen credentials and phishing. (Google Services)

Assessment question: Do we know which systems are exposed to the internet, and do we patch critical vulnerabilities fast enough?

# 6. Malware and Infostealers

Malware includes tools that steal passwords, spy on activity, encrypt files, or give attackers remote access. Infostealers are especially dangerous because they quietly collect saved passwords, browser cookies, session tokens, and other credentials that can later be used to access business systems.

Mandiant reported a rise in infostealer use and linked that trend to stolen credentials becoming a major initial infection vector. (Google Cloud) CrowdStrike’s 2026 Global Threat Report also notes that many modern attacks are “malware-free,” meaning companies cannot rely only on traditional antivirus thinking; attackers increasingly use legitimate tools, valid credentials, and hands-on-keyboard activity. (CrowdStrike)

Assessment question: Do we have endpoint protection, browser credential controls, password managers, and monitoring for suspicious sign-ins?

# 7. Cloud and SaaS Account Compromise

Many SMEs now run on Microsoft 365, Google Workspace, accounting platforms, CRMs, cloud storage, and project management tools. If attackers compromise these accounts, they may access email, files, invoices, customer data, or admin settings without touching the company’s physical network.

Mandiant’s 2026 reporting found that, in cloud-related compromises, voice phishing, third-party compromise, stolen credentials, email phishing, insider threat, and exploits were all observed initial vectors; it also identified data theft in 59% of cloud compromises. (Industrial Cyber)

Assessment question: Are SaaS admin accounts protected with MFA, logging, least privilege, external-sharing controls, and regular access reviews?

# 8. Third-Party and Supply Chain Compromise

A company can have decent internal security and still be compromised through a vendor, IT provider, software supplier, contractor, or SaaS platform. This is a major issue for SMEs because they often outsource IT, payroll, accounting, marketing, development, and cloud administration.

IBM’s 2025 Cost of a Data Breach reporting identified supply chain compromise as one of the most prevalent and costly initial attack vectors, behind phishing in prevalence and among the highest in cost. ENISA’s 2025 threat landscape also highlights collaboration among threat groups and exploitation of vulnerabilities across digital infrastructure. (ENISA)

Assessment question: Which vendors have access to our systems or data, and what security requirements do we impose on them?

# 9. DDoS and Service Disruption

Distributed denial-of-service attacks flood websites, applications, or online services with traffic to make them unavailable. For SMEs that depend on e-commerce, online booking, customer portals, logistics platforms, or cloud-hosted services, availability attacks can become revenue-impacting events.

ENISA’s 2025 Threat Landscape identifies DDoS attacks as the most prevalent threat in the EU reporting period, with ransomware also ranked at the top. (ENISA)

Assessment question: Which online services are revenue-critical, and do we have protection or fallback plans if they become unavailable?

# 10. Insider Threat and Human Error

Not every incident is caused by an external attacker. Employees, contractors, or administrators may accidentally expose data, misuse access, send files to the wrong person, approve fraudulent requests, or intentionally steal information.

IBM’s 2025 breach research described malicious insider threats as among the costliest attack vectors. But for SMEs, the more common issue may be ordinary human error: weak access controls, unmanaged file sharing, poor offboarding, or accidental disclosure.

Assessment question: Do employees and contractors only have the access they need, and do we remove that access immediately when their role changes or ends?

# Key Tasks After Understanding Common Attack Types

After your organization reviews the main attack types, the next step is to translate that knowledge into company-specific risk work.

Proceed through the following steps:

# 1. Create a Company-Specific Attack Scenario List

The organization should convert general attack types into realistic business scenarios.

For example, instead of listing “phishing” as a generic risk, define what phishing would look like inside the company.

Examples:

  • A finance employee receives a fake invoice from a vendor impersonator.

  • An executive receives a fake Microsoft 365 login page and enters credentials.

  • A help desk employee receives a phone call requesting an MFA reset.

  • A staff member downloads a fake software update that installs malware.

  • An employee approves a fraudulent bank-detail change.

  • A remote worker’s stolen password is used to access cloud storage.

The output should be a list of multiple realistic attack scenarios the company can actually imagine happening.

# 2. Identify Which Attack Types Are Most Relevant to the Company

Not every company faces the same risk profile. An e-commerce company, legal firm, manufacturer, clinic, accounting firm, logistics company, and software agency will each have different exposure.

Your organization should rate each attack type by relevance.

Suggested rating:

  • High relevance: likely to affect the company and could cause serious damage.

  • Medium relevance: possible, but not the most urgent risk.

  • Low relevance: possible, but less likely or lower impact.

Attack types to assess:

  • Phishing and social engineering
  • Business email compromise
  • Invoice fraud and payment redirection
  • Stolen credentials
  • Ransomware
  • Cloud and SaaS account compromise
  • Malware and infostealers
  • Exploitation of unpatched systems
  • Third-party or vendor compromise
  • Website compromise
  • Data theft and extortion
  • Insider threat or employee misuse
  • DDoS or service disruption

The output should be a prioritized attack-type risk list.

# 3. Map Each Attack Type to Business Impact

The company should connect each attack type to business consequences. Executives do not need a technical threat catalog. They need to know how each attack can hurt operations, cash flow, customers, compliance, and reputation.

For each attack type, ask:

  • Could this stop revenue?

  • Could this expose customer, employee, or financial data?

  • Could this create legal or contractual obligations?

  • Could this damage customer trust?

  • Could this trigger cyber insurance notification?

  • Could this interrupt payroll, invoicing, operations, or customer service?

  • Could this cause direct financial loss?

Example:

Attack type: Business email compromise
Business impact: fraudulent payment, vendor bank-detail change, payroll redirection, customer invoice manipulation, reputational damage.

Attack type: Ransomware
Business impact: downtime, data loss, recovery cost, customer disruption, operational paralysis, possible extortion.

Attack type: SaaS compromise
Business impact: email takeover, file theft, CRM exposure, customer data access, internal phishing, account persistence.

The output should be a business impact map.

# 4. Identify Likely Targets Inside the Company

Most attacks target specific people, systems, or processes. The organization should identify where each attack type would most likely land.

At the initial stage, this can be done less formally, as it is a precursor to the more intensive Identify stage that follows Assess.

High-risk people usually include:

  • Executives
  • Finance staff
  • HR staff
  • IT administrators
  • Help desk staff
  • Sales teams
  • Procurement staff
  • Customer support teams
  • Employees with access to sensitive data
  • Employees with approval authority

High-risk systems usually include:

  • Email
  • Microsoft 365 or Google Workspace
  • Accounting software
  • Payroll systems
  • CRM
  • Cloud storage
  • VPN or remote access
  • Website admin panels
  • Password managers
  • Admin consoles
  • Backup systems
  • Endpoint management tools

High-risk processes usually include:

  • Invoice approval
  • Supplier bank-detail changes
  • Password resets
  • MFA resets
  • New vendor onboarding
  • Employee onboarding
  • Employee offboarding
  • Customer data exports
  • Contract sharing
  • Remote access approval

The output should be a target map showing which teams, systems, and workflows are most exposed.

# 5. Review Existing Controls Against Each Attack Type

Your company should then ask: “What do we already have in place to prevent, detect, and respond to this?”

For each attack type, review whether controls exist.

Examples:

For phishing:

  • Email filtering
  • Phishing reporting button or process
  • Employee training
  • Attachment controls
  • URL scanning
  • DMARC, SPF, and DKIM
  • Clear reporting path

For stolen credentials:

  • MFA
  • Password manager
  • Password reuse policy
  • Dark web credential monitoring
  • Login alerts
  • Access reviews
  • Fast offboarding

For ransomware:

  • Endpoint protection
  • Patch management
  • Restricted admin rights
  • Network segmentation
  • Immutable or offline backups
  • Restore testing
  • Incident response plan

For SaaS compromise:

  • Admin MFA
  • Audit logs
  • External sharing controls
  • OAuth app review
  • Mailbox forwarding rule alerts
  • User access reviews
  • Backup or export plan

For invoice fraud:

  • Payment verification policy
  • Bank-detail change controls
  • Dual approval
  • Out-of-band confirmation
  • Vendor contact validation
  • Finance-team training

The output should be a control coverage checklist.

# 8. Prioritize the Top Risks for Immediate Action

The company should not try to fix everything at once. That is how SME security programs fail.

Prioritize based on:

  • Likelihood
  • Business impact
  • Ease of exploitation
  • Current control weakness
  • Recovery difficulty
  • Legal or contractual exposure
  • Cost and effort to reduce the risk

A practical SME should identify the top six attack scenarios that require immediate attention.

Example top six for many SMEs:

  • Social engineering and phishing
  • Business email compromise
  • Ransomware
  • Stolen credentials
  • Cloud/SaaS compromise
  • Invoice fraud or payment redirection

The output should be a short priority list for action.

# 9. Convert the Findings into Risk Assessment Inputs

This section should feed directly into the formal risk assessment. Each attack scenario should become a risk item that can be scored and tracked.

Example:

  • Risk: Attackers compromise a Microsoft 365 account through stolen credentials.

  • Cause: Weak MFA coverage, password reuse, limited login monitoring.

  • Impact: Email access, file theft, internal phishing, invoice fraud.

  • Current controls: MFA on some users, email filtering, basic antivirus.

  • Gaps: No conditional access, no mailbox forwarding alerts, no access review.

  • Risk level: High.

  • Recommended action: Enforce MFA, review forwarding rules, enable login alerts, conduct access review.

The output should be draft entries for the company’s risk register.

# 10. Brief Leadership on the Most Realistic Attack Paths

The final task is to summarize the findings for leadership in business language.

The briefing should answer:

  • Which attacks are most likely to affect us?

  • Which attacks would hurt us most?

  • Which systems, people, and vendors are most exposed?

  • Which controls are missing or weak?

  • What should we fix first?

  • What decisions or budget approvals are needed?

The output should be a short executive briefing, not a technical report.

# Expected Outputs from This Section

At the end of this “Understand Common Attack Types” step the organization should have:

  • A list of realistic company-specific attack scenarios.

  • A prioritized list of attack types most relevant to the business.

  • A map of likely targets, including people, systems, vendors, and workflows.

  • A business impact summary for each major attack type.

  • A control coverage checklist.

  • A list of missing or weak controls.

  • Assigned owners for major attack scenarios.

  • A short list of top risks to carry into the formal risk assessment.

# Practical Result

Your company should leave this stage with a clearer view of where it is exposed, and with compiled conclusions that apply the potential attack-type risks to your actual organizational makeup.

After studying common attack types, the company should be able to say, “Here are the five attacks most likely to hurt us, here is how they would probably happen, here is what would fail, and here is what we need to fix first.”