Cyber Security Threats Built to Understand, Detect and Stop Attacks
Cyber security threats are potential dangers that can exploit vulnerabilities in your systems, networks or people to cause harm to your organisation. Cyber attacks are the deliberate actions attackers take to carry out those threats. Understanding what attackers use, how they operate and what they are after is the foundation of building a defence that actually works. This guide covers every threat category, attack type and defence framework your business needs in 2026.
Threat Fundamentals
What Are Cyber Security Threats?
A cyber security threat is any circumstance or event with the potential to cause harm to an information system through unauthorised access, destruction, disclosure, modification of data or denial of service. Threats can come from external attackers, malicious insiders, criminal organisations, nation-state groups or unintentional human error. Understanding the distinction between a vulnerability, a threat and an attack is the starting point for building effective defences.
Vulnerability
A weakness in a system, application or process that a threat actor could exploit. An unpatched operating system, a weak password or an overly permissive firewall rule are all vulnerabilities.
Threat
The potential for a vulnerability to be exploited. The existence of ransomware groups targeting businesses in your sector is a threat whether or not they have attacked you yet.
Attack
The actual execution of a threat — the deliberate action taken to exploit a vulnerability and cause harm. Effective defence requires addressing all three, not just waiting for attacks.
Cyber threats fall into several broad categories. Technical threats target systems and software directly. Human threats exploit people through deception and manipulation. Structural threats target the processes and governance structures organisations rely on to operate securely. All three categories require different defensive approaches and cannot be addressed by technology alone.
Effective cybersecurity requires addressing vulnerabilities before they are exploited, monitoring for threats relevant to your organisation and detecting attacks quickly when they occur. Organisations that focus only on prevention without detection and response are building defences against a threat model that no longer reflects reality.
Business Risk and Consequences
Why Understanding Cyber Threats Matters
The threat landscape facing organisations in 2026 is more sophisticated, better organised and more consequential than at any previous point. The FBI IC3 reported over $12.5 billion in cybercrime losses in 2023 alone, receiving over 2,000 cybercrime complaints every single day. IBM found the global average cost of a single data breach reached $4.45 million, taking an average of 277 days to identify and contain without modern detection tools.
Key figures behind those headline numbers:
- $12.5 billion: cybercrime losses reported to the FBI Internet Crime Complaint Centre in 2023, with BEC and investment fraud accounting for the largest portions.
- $4.45 million: global average cost of a single data breach, per IBM’s Cost of a Data Breach Report, with regulated sectors costing significantly more.
- 74%: of breaches involved a human element — social engineering, errors or misuse — per the Verizon Data Breach Investigations Report analysis of 10,000+ confirmed breaches.
- 277 days: average time to identify and contain a breach without modern detection tools. Over a third of UK businesses identify a cyber attack or breach each year, per the NCSC.
Understanding cyber threats matters for several practical reasons:
- Organisations that understand specific threats targeting their industry can prioritise defences against the attacks most likely to affect them rather than spreading resources across everything.
- Security investments justified by clear threat data are easier to defend to boards and leadership who need to understand risk in business terms.
- Regulatory frameworks increasingly require organisations to demonstrate threat awareness as part of their risk management programmes.
- An organisation that understands how attacks work is significantly better positioned to detect them when they occur and contain them before they reach their intended impact.
Malicious Software
Types of Malware and Malicious Software
Malware — malicious software — is the primary technical weapon in most cyber attacks. The main malware categories include ransomware, trojans, worms, spyware and keyloggers, rootkits, botnets and fileless malware. Each type operates differently, spreads through different vectors and requires different defensive controls. Understanding what each does helps organisations configure defences effectively.
Ransomware
Encrypts victim files and demands payment for the decryption key. Modern ransomware combines encryption with data theft for double extortion. Ransomware as a Service has industrialised the ecosystem and dramatically lowered the technical barrier to launching attacks.
Trojans
Disguise themselves as legitimate software to trick users into installing them. Once installed, create backdoors for remote access, steal data or install additional malware. Banking trojans specifically target financial credentials and transaction sessions.
Worms
Self-replicating malware that spreads automatically across networks without any user action after the initial infection. The WannaCry ransomware worm infected over 200,000 systems across 150 countries within days of its release.
Spyware and Keyloggers
Monitor user activity secretly and transmit information to attackers. Keyloggers capture every keystroke — passwords, card numbers, private messages — without any visible indication to the user that monitoring is occurring.
Rootkits
Designed to hide themselves and other malicious software deep within an operating system. Operating at kernel level, rootkits can conceal malware, network connections and malicious processes from security tools entirely.
Botnets
Networks of compromised devices under attacker control, used to conduct DDoS attacks, send phishing emails at massive scale and facilitate credential stuffing. The Mirai botnet compromised millions of IoT devices into powerful attack infrastructure.
Ransomware: The Most Costly Malware Category
Sophos’s State of Ransomware report found that 59% of organisations were hit by ransomware in the past year, with the average ransom payment exceeding $2 million and average total recovery costs exceeding $2.73 million including downtime, staff time, device replacement and lost business.
Ransomware as a Service has industrialised the ecosystem. Criminal groups develop and maintain ransomware platforms, then rent them to affiliates who conduct attacks in exchange for a percentage of ransom payments. This model has dramatically lowered the technical barrier to launching ransomware attacks, enabling less skilled threat actors to deploy sophisticated ransomware against organisations of all sizes.
Maintain tested, immutable backups isolated from the primary environment. Ransomware attackers specifically target backup systems. Backups that are not protected independently provide much weaker recovery capability than they appear to on paper.
Fileless Malware
Fileless malware operates entirely in system memory and uses legitimate operating system tools — PowerShell injection, WMI persistence — rather than disk-based files. Because nothing is written to disk, traditional antivirus has nothing to scan. Only behavioural monitoring tools like EDR can detect fileless attacks reliably based on what they do rather than what they are.
Infrastructure Attacks
Network-Based Attacks
Network attacks target the infrastructure that connects systems and the data that flows across it. The main network-based attack types are DDoS attacks against infrastructure, man-in-the-middle interception, DNS spoofing and cache poisoning, SQL injection against databases, and lateral movement by attackers already inside the perimeter. Each requires distinct detection and prevention capabilities.
DDoS Attacks
Overwhelm network infrastructure with traffic from many simultaneous sources. Modern attacks reach terabit-per-second volumes. Also used as distraction techniques to occupy security teams while other attacks proceed elsewhere in the network.
Man-in-the-Middle Attacks
An attacker positions themselves between two communicating parties and intercepts, reads or modifies communications without either party knowing. The attack exploits unencrypted traffic, poor certificate validation and network vulnerabilities through ARP spoofing, DNS spoofing and SSL stripping.
DNS Spoofing and Cache Poisoning
Corrupts DNS cache to redirect users from legitimate websites to malicious ones without any visible indication. DNSSEC and encrypted DNS protocols like DNS-over-HTTPS provide the primary technical protection against DNS spoofing attacks.
SQL Injection
Inserts malicious SQL into input that an application concatenates into its database queries, enabling attackers to read, modify or delete content, execute server commands or bypass authentication. Despite being documented for over two decades, SQL injection remains common in web applications.
Lateral Movement
Techniques attackers use to progress through a network after initial access, using legitimate administrative tools and stolen credentials to blend in with normal activity. MITRE ATT&CK documents over 20 distinct lateral movement techniques used by real threat groups.
Supply Chain Attacks
Compromise software or services before they reach target organisations through trusted distribution channels. The SolarWinds attack inserted malicious code into a widely used IT monitoring platform, giving attackers access to thousands of government and corporate networks.
Lateral movement is particularly dangerous because attackers use legitimate protocols and stolen credentials to blend in with normal traffic. The MITRE ATT&CK framework documents techniques including pass-the-hash, pass-the-ticket, remote services exploitation and internal spear phishing as common lateral movement methods used by documented threat groups. Network segmentation is the primary control that limits how far lateral movement can progress once initial access is achieved.
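One concrete SIEM-style rule for the lateral movement pattern above, as an added example that is not part of the original page: an account that successfully authenticates to an unusually large number of distinct hosts from a single source inside a short window. The logon events, host names, threshold, window and the allowlist of accounts expected to fan out are all constructed for the example; a real deployment would derive the allowlist and threshold from a baseline period of its own logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of successful network logon events (not real log data):
# (timestamp, account, source host, destination host)
EVENTS = [
    ("2026-01-14T09:00:05", "j.doe", "WS-042", "FS-01"),
    ("2026-01-14T09:00:09", "j.doe", "WS-042", "FS-02"),
    ("2026-01-14T09:00:14", "j.doe", "WS-042", "DB-01"),
    ("2026-01-14T09:00:21", "j.doe", "WS-042", "DC-01"),
    ("2026-01-14T09:00:30", "j.doe", "WS-042", "APP-03"),
    ("2026-01-14T09:09:50", "j.doe", "WS-042", "FS-01"),   # repeat host, not a new one
    ("2026-01-14T09:05:00", "j.smith", "WS-017", "FS-01"),
    ("2026-01-14T11:30:00", "j.smith", "WS-017", "APP-03"),
    ("2026-01-14T02:00:00", "svc-backup", "BK-01", "FS-01"),
    ("2026-01-14T02:00:01", "svc-backup", "BK-01", "FS-02"),
    ("2026-01-14T02:00:02", "svc-backup", "BK-01", "DB-01"),
    ("2026-01-14T02:00:03", "svc-backup", "BK-01", "APP-03"),
    ("2026-01-14T02:00:04", "svc-backup", "BK-01", "APP-04"),
]

# Accounts whose job is to touch many hosts (backup, vulnerability scanning).
# Hypothetical allowlist; in practice it comes from a baseline of normal activity.
KNOWN_FAN_OUT = {"svc-backup"}

def detect_fan_out(events, window=timedelta(minutes=10), threshold=5, allowlist=KNOWN_FAN_OUT):
    """Flag an account that reaches at least `threshold` distinct hosts from one
    source host within `window`. Returns a list of alert dicts."""
    by_key = defaultdict(list)
    for ts, account, src, dst in events:
        if account in allowlist:
            continue
        by_key[(account, src)].append((datetime.fromisoformat(ts), dst))

    alerts = []
    for (account, src), recs in by_key.items():
        recs.sort()
        # Sliding window anchored at each event in turn.
        for i, (start, _) in enumerate(recs):
            hosts = set()
            for t, dst in recs[i:]:
                if t - start > window:
                    break
                hosts.add(dst)
            if len(hosts) >= threshold:
                alerts.append({"account": account, "source": src,
                               "window_start": start.isoformat(),
                               "hosts": sorted(hosts)})
                break  # one alert per account/source pair is enough for triage
    return alerts

if __name__ == "__main__":
    for alert in detect_fan_out(EVENTS):
        print(alert)
```

The workstation user `j.doe` is flagged because five servers, including a domain controller, are reached from one workstation in under a minute; `j.smith` touches two servers hours apart and stays quiet. The allowlist is what keeps the rule usable: without it the backup service account fires the same alert every night, and analysts learn to ignore it.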
Nation-State and Organised Threats
Advanced Persistent Threats (APTs)
Advanced Persistent Threats represent the most sophisticated end of the threat spectrum. APT groups are well-resourced, highly skilled and focused on long-term access to specific targets rather than quick financial gain. They conduct extensive reconnaissance before attacking, develop custom tools designed to evade specific target defences and maintain persistent access to compromised networks for months or years before achieving their objectives.
APT actors include nation-state intelligence and military agencies, state-sponsored criminal groups and highly organised criminal enterprises. Nation-state APT groups pursue intelligence collection, intellectual property theft, pre-positioning for future disruption and geopolitical influence operations. MITRE ATT&CK maintains detailed profiles of over 140 named APT groups, documenting their techniques, targets and the specific tools each group uses.
Extended Reconnaissance
APT groups invest significant time and resources before attacking — mapping personnel, technology, business relationships and security controls in detail before the first malicious action takes place.
Custom Tooling
Develop bespoke malware and attack tools designed specifically to evade the defences used by their targets, rather than relying on commodity tools that security products are tuned to detect.
Long-Term Persistence
APT actors maintain access to compromised networks for months or years, silently pursuing their objectives — data theft, espionage, pre-positioning for future disruption — without triggering detection.
Defending against APT groups requires capabilities beyond basic security tools. Threat intelligence, advanced behavioural detection, comprehensive logging and proactive threat hunting are essential because APT actors are specifically skilled at bypassing standard security controls and blending in with legitimate activity.
2026 Threat Landscape
Emerging Cyber Security Threats in 2026
The threat landscape continues to evolve rapidly. The four developments most significantly reshaping cyber security threats in 2026 are AI-powered attacks that automate and improve multiple attack phases, deepfake social engineering that undermines voice and video verification, generative AI threats and LLM vulnerabilities and supply chain attacks exploiting trusted distribution channels. All four require organisations to reassess previously reliable defensive assumptions.
AI-Powered Attacks
AI tools generate highly convincing phishing emails personalised to specific targets at scale, identify and exploit vulnerabilities faster than human operators, and accelerate malware development. The barrier to sophisticated attacks has dropped significantly as AI tools have become accessible to less technically skilled threat actors.
Deepfake Social Engineering
Fabricated voice and video calls that convincingly impersonate executives and partners. Attackers have already used deepfake audio to impersonate CEO voices in fraudulent wire transfer authorisations. Voice-based verification is becoming an increasingly unreliable authentication method.
Generative AI and LLM Threats
Prompt injection attacks manipulate AI systems into ignoring safety guidelines. AI-generated malware is created faster and at lower cost than traditionally developed malware. Training data in AI systems may contain sensitive information extractable through carefully crafted queries.
Supply Chain Attacks
Compromise software or services before they reach target organisations, using trusted distribution channels to bypass perimeter defences. Particularly difficult to defend against because attacks arrive through legitimate, trusted channels that security tools are configured to allow.
QR Code Phishing (Quishing)
QR codes in phishing emails direct victims to malicious websites while bypassing email security filters. Most email security tools scan text-based links effectively but cannot extract and analyse URLs encoded in QR code images.
Ransomware as a Service
Criminal groups provide ransomware platforms to affiliates in exchange for a percentage of ransom payments, dramatically lowering the technical barrier to launching attacks and expanding the pool of threat actors capable of sophisticated ransomware campaigns.
MITRE ATT&CK Framework
The Cyber Attack Lifecycle
Understanding how attacks progress from initial contact through to their final impact helps organisations deploy defences at every stage rather than only at the perimeter. The MITRE ATT&CK framework organises attacker behaviour into 14 tactical categories that describe the complete lifecycle of an attack. Each stage represents a defensive opportunity — the earlier an attack is detected in the lifecycle, the less damage it can cause.
| ATT&CK Tactic | What Attackers Do | Key Defence |
|---|---|---|
| Reconnaissance | Gather intelligence about the target — employee names, technology infrastructure, business relationships — from LinkedIn, company websites, job postings, DNS records and dark web sources. | Minimise publicly exposed information. Monitor for reconnaissance signals through threat intelligence. |
| Resource Development | Register lookalike domains, purchase server infrastructure, develop or acquire malware and establish command and control infrastructure before the attack begins. | Threat intelligence to identify attacker infrastructure before attacks launch. |
| Initial Access | First entry into the target environment through phishing, exploitation of public-facing applications, compromised credentials or supply chain compromise. | MFA, email security, patch management, employee security awareness training. |
| Execution | Running malicious code within the environment using PowerShell scripts, malicious macro documents, scripting interpreters and living-off-the-land tools. | Application control, PowerShell logging, EDR behavioural detection. |
| Persistence | Establishing mechanisms to maintain access across restarts and credential changes through scheduled tasks, registry modifications and backdoor account creation. | EDR monitoring of persistence mechanisms, privileged account auditing. |
| Privilege Escalation | Gaining higher-level permissions than initially obtained to access more sensitive systems and data within the environment. | Least-privilege access, credential protection, EDR privilege escalation detection. |
| Defence Evasion | Avoiding detection by disabling security software, clearing logs, obfuscating code and using legitimate tools to blend in with normal activity. | Immutable logging, SIEM monitoring for log clearing, EDR tamper protection. |
| Credential Access | Stealing account credentials through credential dumping, keylogging, brute force attacks and Kerberoasting to enable wider network access. | MFA, Credential Guard, privileged access management, SIEM credential theft detection. |
| Lateral Movement | Moving from the initial point of compromise toward higher-value targets using legitimate protocols and stolen credentials to avoid detection. | Network segmentation, NDR behavioural detection, SIEM lateral movement rules. |
| Collection | Identifying, staging and compressing sensitive data before attempting to move it outside the organisation for exfiltration. | DLP controls, data access monitoring, EDR file staging detection. |
| Exfiltration | Moving collected data outside the organisation through encrypted channels, legitimate cloud services or direct connections disguised as normal traffic. | Network monitoring for unusual outbound data volumes, DLP, DNS monitoring. |
| Impact | Deploying ransomware, completing a fraudulent financial transfer, publishing stolen data or sabotaging systems to achieve the final objective of the attack. | Immutable backups, incident response procedures, business continuity planning. |
The most important lesson from the attack lifecycle is that attacks progress through many stages before reaching final impact. An organisation with detection capability at only the initial access stage is defending against a small fraction of the attack surface. Defence in depth means deploying detection and response capabilities at every stage of the lifecycle — not just at the network perimeter.
Intelligence-Led Defence
Threat Intelligence and Attack Detection
Effective defence requires more than deploying security tools. It requires understanding the specific threats targeting your organisation and using that intelligence to improve detection and response. Cyber Threat Intelligence provides the information security teams need to prioritise defences against relevant threats. Indicators of Compromise enable automatic detection of known-bad activity. Proactive threat hunting finds attacker presence that automated detection missed.
Cyber Threat Intelligence (CTI)
Cyber threat intelligence is information about threats and threat actors that helps organisations make informed security decisions. Strategic intelligence covers high-level trends and the motivations of threat groups. Tactical intelligence covers the specific techniques, tools and procedures attackers use. Operational intelligence covers specific ongoing or planned attacks.
The primary value of CTI for most organisations is understanding which attack groups target their industry and geography, what techniques those groups prefer and what indicators of compromise their attacks leave behind. This enables security teams to prioritise defences against relevant threats rather than trying to defend against everything simultaneously.
Cyber Threat Intelligence
Information about threat actors, their techniques and their indicators of compromise. Enables prioritised defence against threats most relevant to your industry and geography.
Indicators of Compromise
Evidence that a system has been compromised: known malicious IPs, file hashes, suspicious registry keys, unusual network connections and anomalous account activity. Integrated with SIEM and EDR for automatic detection.
Proactive Threat Hunting
Analysts actively search for evidence of compromise that automated tools missed, using knowledge of attacker techniques and threat intelligence to find attacker presence before alerts are triggered.
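The Indicators of Compromise card above describes feeding known-bad IPs, domains and file hashes into SIEM and EDR for automatic matching. As an added example that is not part of the original page, the block below performs that matching over a handful of log lines: it refangs the feed (threat-intelligence feeds are usually published with `[.]` and `hxxp` so they cannot be clicked by accident), normalises hash case, and reports which lines hit. The feed entries, the log format and the log lines are all constructed; the IP is from the documentation range, the domain is under `.example`, and the hash is a placeholder (the SHA-256 of empty input).

```python
import re

# Constructed threat-intelligence feed (placeholder values, not real indicators).
IOC_FEED = [
    ("ipv4",   "203.0.113[.]45"),
    ("domain", "update-check[.]example"),
    ("sha256", "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"),
]

# Constructed log lines in a made-up key=value format.
LOG_LINES = [
    "2026-01-14T10:02:11 proxy src=10.0.0.12 dst=203.0.113.45 host=cdn.example url=/a.js",
    "2026-01-14T10:02:15 dns client=10.0.0.12 query=update-check.example rcode=NOERROR",
    "2026-01-14T10:03:40 edr host=WS-042 file=C:\\Temp\\svc.exe "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2026-01-14T10:04:00 proxy src=10.0.0.13 dst=198.51.100.9 host=intranet.example url=/",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)

def refang(indicator: str) -> str:
    """Undo common defanging ([.] and (.) for dots, hxxp for http) and lowercase."""
    return (indicator.replace("[.]", ".").replace("(.)", ".")
            .replace("hxxp", "http").lower())

def build_index(feed):
    """Group normalised indicators by type so lookups are set intersections."""
    index = {"ipv4": set(), "domain": set(), "sha256": set()}
    for kind, value in feed:
        index[kind].add(refang(value))
    return index

def extract(line: str):
    """Pull candidate observables out of one log line, normalised to lowercase."""
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
    }

def match_lines(lines, feed):
    """Return one hit per (line, indicator) pair where a known IoC appears."""
    index = build_index(feed)
    hits = []
    for line in lines:
        observed = extract(line)
        for kind in index:
            for value in sorted(observed[kind] & index[kind]):
                hits.append({"kind": kind, "indicator": value, "line": line})
    return hits

if __name__ == "__main__":
    for hit in match_lines(LOG_LINES, IOC_FEED):
        print(hit["kind"], hit["indicator"], "<-", hit["line"][:60])
```

Three of the four lines hit, one per indicator type; the intranet proxy line does not. Two caveats a practitioner would keep in mind: hash indicators are only as durable as the attacker's build process, since a recompiled sample has a new hash, and indicators age out, so a feed needs first-seen and expiry dates or it accumulates stale matches. That is why the page pairs IoC matching with behavioural detection rather than relying on either alone.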
OSINT and Attack Surface Awareness
Open Source Intelligence tools allow security teams to gather information about their own organisation from publicly available sources, helping them understand what attackers can see during their own reconnaissance phase. Understanding your external attack surface from an attacker’s perspective is a powerful starting point for vulnerability reduction and informs which phishing pretexts and impersonation scenarios to prepare employees for.
Adversarial Testing
Red Team, Blue Team and Purple Team
Organisations that want to validate their defences against real attack techniques use red, blue and purple team exercises to test how well their security programme performs in practice. Red teams simulate real attackers. Blue teams are the defensive security function. Purple teams work collaboratively to improve detection coverage systematically. All three approaches reveal where defences fail in practice rather than where they should succeed in theory.
Red Team
Simulates real attackers using the same techniques, tools and procedures that actual threat actors use — including social engineering, physical security testing and advanced persistent attack techniques. Red team findings reveal where defences fail in practice. Gaps found here are far less costly to close than those found by a real attacker.
Purple Team
Red and blue teams work collaboratively rather than adversarially. The red team demonstrates specific MITRE ATT&CK techniques while the blue team evaluates whether tools detect them. Particularly effective for systematically improving detection coverage and immediately addressing identified gaps.
Blue Team
The organisation’s defensive security function — SOC, incident response and security engineering teams. During exercises, reveals how effectively monitoring tools detect real attack techniques, how well analysts distinguish malicious from benign activity and how quickly the team responds to confirmed compromises.
Red team findings reveal where defences fail in practice rather than where they should succeed in theory. Purple team exercises are particularly effective for improving detection coverage across the MITRE ATT&CK framework because they systematically test detection capability against specific techniques and immediately address identified gaps — producing measurable improvements in detection coverage with each exercise.
Core Defence Controls
How to Protect Against Cyber Threats
No single control protects against all cyber threats. Effective defence requires layered controls that address the full range of attack vectors across people, processes and technology. The controls that provide the highest risk reduction across the widest range of threats are MFA, patch management, detection and monitoring, employee security training, network segmentation and properly protected backups.
- Implement multi-factor authentication everywhere. MFA prevents credential theft from enabling account compromise and blocks the most common initial access method across all categories of attack. It is the single highest-impact control for most organisations.
- Keep systems patched and updated. A significant proportion of successful attacks exploit known vulnerabilities for which patches already exist. Establish patch management processes that prioritise critical vulnerabilities and apply them within defined timeframes.
- Deploy detection and monitoring capabilities. You cannot respond to threats you cannot see. EDR, network monitoring and centralised log management with SIEM analysis are the foundation of threat detection. Without them, attackers operate undetected for an average of 277 days.
- Train employees to recognise social engineering. Because 74% of breaches involve human elements, security awareness training that helps employees identify phishing, suspicious requests and social engineering attempts directly reduces the success rate of the most common attack types.
- Segment your network. Network segmentation limits lateral movement and ransomware spread, containing damage when attackers do gain initial access and preventing a single compromised endpoint from becoming a full network compromise.
- Back up your data properly. Maintain tested, offline or immutable backups of critical data. Ransomware attackers specifically target backup systems. Backups connected to the primary environment provide much weaker recovery capability than they appear to.
- Use threat intelligence relevant to your sector. Focus defences on the threats most likely to target organisations like yours. Sector-specific, geography-specific threat intelligence is significantly more actionable than generic threat data.
- Conduct regular vulnerability assessments and penetration testing. Regular testing identifies security gaps before attackers find them and provides objective data on your security programme’s effectiveness against real-world attack techniques.
Strategic Planning
Building a Cyber Threat Defence Strategy
A threat-informed defence strategy focuses security investments on the attacks most likely to target your organisation and the controls most likely to detect and stop them. It begins with identifying threats relevant to your specific context, maps current defences against those threats using MITRE ATT&CK, prioritises controls by risk reduction and builds detection capability tuned to the techniques real threat actors use.
- Identify threats relevant to your organisation. Use threat intelligence sources, industry information sharing groups and NCSC guidance to understand which threat actors, malware families and attack techniques are most relevant to your sector and geography.
- Map your current defences against those threats. Use the MITRE ATT&CK framework to assess which attack techniques your current security controls can detect and which they cannot. This honest assessment of defensive coverage is the foundation of prioritised improvement.
- Prioritise controls by risk reduction. Focus investment on controls that address the highest-probability, highest-impact threats first. The CIS Controls and NCSC Cyber Essentials both provide prioritised control sets that reduce risk most efficiently.
- Build detection capability for your highest-priority threats. Configure SIEM, EDR and network monitoring to detect specific techniques used by threat groups targeting your sector. Tuned detection catches far more attacks than default configurations.
- Establish and test incident response procedures. For the attacks most likely to affect you — ransomware, BEC fraud, credential theft — develop and test specific incident response playbooks. Tested procedures produce significantly faster and better-controlled outcomes.
- Review your threat landscape regularly. The threats targeting your organisation change as your business changes, as your industry becomes a more or less attractive target and as attacker capabilities evolve. Review threat intelligence and adjust defences at least annually.
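Steps 1 to 3 above (identify relevant threats, map current defences against ATT&CK, prioritise controls by risk reduction) and the lifecycle table earlier on the page both amount to the same exercise: a technique inventory, a coverage map and a ranking. As an added example that is not part of the original page, the block below carries that exercise through in code. The tactic names follow the page's table and the technique IDs are real MITRE ATT&CK identifiers, but which techniques are in scope, the threat weights, and which controls cover what are all constructed for illustration; a real assessment would be built from the organisation's own intelligence and control inventory (tools such as ATT&CK Navigator exist for exactly this).

```python
# Constructed inventory: (tactic, technique name) keyed by ATT&CK technique ID.
TECHNIQUES = {
    "T1566":     ("Initial Access",    "Phishing"),
    "T1059.001": ("Execution",         "PowerShell"),
    "T1053":     ("Persistence",       "Scheduled Task/Job"),
    "T1070.001": ("Defence Evasion",   "Clear Windows Event Logs"),
    "T1003":     ("Credential Access", "OS Credential Dumping"),
    "T1558.003": ("Credential Access", "Kerberoasting"),
    "T1021":     ("Lateral Movement",  "Remote Services"),
    "T1041":     ("Exfiltration",      "Exfiltration Over C2 Channel"),
    "T1486":     ("Impact",            "Data Encrypted for Impact"),
}

# Step 1 output: how many of the threat groups relevant to the sector are
# reported to use each technique (constructed weights, not real counts).
THREAT_WEIGHT = {"T1566": 5, "T1059.001": 4, "T1053": 3, "T1070.001": 2,
                 "T1003": 4, "T1558.003": 2, "T1021": 4, "T1041": 3, "T1486": 5}

# Step 2 input: techniques each deployed control addresses (constructed).
DEPLOYED = {
    "email-security": {"T1566"},
    "edr":            {"T1059.001", "T1053", "T1003"},
    "siem-log-rules": {"T1070.001"},
}

# Step 3 input: candidate controls not yet deployed and what each would add (constructed).
CANDIDATES = {
    "segmentation+ndr":     {"T1021"},
    "immutable-backups":    {"T1486"},
    "dlp+egress-monitor":   {"T1041"},
    "pam+credential-guard": {"T1558.003", "T1003"},
}

def coverage_report(techniques, deployed, weights):
    """Per-tactic covered/total counts plus the uncovered techniques ordered
    by threat weight, highest first."""
    covered = set().union(*deployed.values())
    by_tactic = {}
    for tid, (tactic, _name) in techniques.items():
        row = by_tactic.setdefault(tactic, {"covered": 0, "total": 0})
        row["total"] += 1
        row["covered"] += int(tid in covered)
    gaps = sorted((t for t in techniques if t not in covered),
                  key=lambda t: (-weights.get(t, 0), t))
    return by_tactic, gaps

def rank_candidates(candidates, deployed, weights):
    """Order candidate controls by the threat weight of the techniques they
    would newly cover, so the next investment closes the riskiest gap first."""
    covered = set().union(*deployed.values())
    gains = {name: sum(weights.get(t, 0) for t in techs - covered)
             for name, techs in candidates.items()}
    return sorted(gains.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    by_tactic, gaps = coverage_report(TECHNIQUES, DEPLOYED, THREAT_WEIGHT)
    for tactic, row in by_tactic.items():
        print(f"{tactic:<18} {row['covered']}/{row['total']}")
    print("uncovered, riskiest first:", gaps)
    print("next control to fund:", rank_candidates(CANDIDATES, DEPLOYED, THREAT_WEIGHT)[0])
```

With these inputs the report shows Lateral Movement, Exfiltration and Impact entirely uncovered and Credential Access half covered, and ranks immutable backups as the best next investment because ransomware encryption carries the highest threat weight. Note that `pam+credential-guard` scores low only because EDR already covers credential dumping here; counting only newly covered techniques is what stops a coverage map from rewarding overlapping controls.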
Build a Threat-Informed Security Programme
Cyber Security Solutions Ltd helps organisations across the UK and USA build threat-informed security programmes that focus defences where they matter most and deliver genuine, measurable risk reduction against the attacks most likely to target businesses like yours.
Cyber Threats FAQs
Frequently Asked Questions
Practical answers to common questions about cyber security threats, ransomware, social engineering, APTs, MITRE ATT&CK and threat-informed defence.
What is the most common type of cyber attack?
Phishing is consistently the most common initial attack vector across all categories of cybercrime. The Verizon DBIR reports that phishing is involved in a significant proportion of all breaches each year. Business email compromise, credential theft and ransomware all typically begin with phishing. Training employees to recognise phishing combined with multi-factor authentication addresses the most common attack entry point.
What is the difference between a cyber threat and a cyber attack?
A cyber threat is the potential for harm — the existence of attackers, vulnerabilities or malicious tools that could be used against your organisation. A cyber attack is the actual deliberate action taken to exploit a vulnerability and cause harm. All attacks were preceded by a threat, but not all threats result in attacks. Security programmes try to address threats before they become attacks.
What is ransomware and how does it work?
Ransomware is malware that encrypts a victim’s files and demands payment for the decryption key. Modern ransomware attacks typically begin with phishing or vulnerability exploitation to gain initial endpoint access, followed by lateral movement to spread across the network and disable backup systems before triggering encryption. Many ransomware groups also steal data before encrypting it, threatening to publish it if the ransom is not paid — a technique known as double extortion.
What is an Advanced Persistent Threat (APT)?
An APT is a sophisticated, long-term cyber attack typically conducted by nation-state groups or highly organised criminal enterprises. APT actors conduct extensive reconnaissance before attacking, use custom tools designed to evade specific defences and maintain persistent access to compromised networks for months or years to achieve their objectives. APT attacks require advanced security capabilities including threat hunting and behavioural detection to identify.
What is social engineering in cyber security?
Social engineering attacks exploit human psychology rather than technical vulnerabilities. They manipulate people into revealing credentials, authorising fraudulent transactions or taking actions that compromise security. Phishing emails, vishing phone calls, BEC fraud and pretexting are all forms of social engineering. They are among the most successful attack methods because they bypass technical security controls by targeting people directly.
What is the MITRE ATT&CK framework?
MITRE ATT&CK is a globally recognised knowledge base that catalogues the tactics, techniques and procedures used by real threat actors in observed attacks. It organises attack behaviour into 14 tactical categories covering the full attack lifecycle from reconnaissance through to final impact. Security teams use ATT&CK to assess detection coverage, prioritise threat hunting activities and structure red and blue team exercises.
How do I know if my organisation has been attacked?
Common indicators of a cyber attack include unexpected system slowdowns or crashes, unusual account activity or login attempts outside normal working hours, unexpected outbound network traffic, security tool alerts, missing or corrupted files, changed system configurations and reports from employees of unusual emails or requests. Many breaches are not discovered by the victim organisation at all — they are reported by law enforcement, third parties or security researchers. Continuous monitoring with EDR, SIEM and network detection tools dramatically improves the likelihood of detecting attacks quickly.
What is threat hunting and why is it important?
Threat hunting is the proactive practice of searching for evidence of compromise in endpoint, network and log data that automated detection tools have not flagged. Threat hunters use knowledge of attacker techniques, threat intelligence and hypotheses about how specific threat groups operate to search for signs of malicious activity that evaded automated detection. Regular threat hunting reduces dwell time — the period between initial compromise and detection — which directly reduces the impact and cost of security incidents.
Defend Against Real Threats
Build a Threat-Informed Defence That Focuses Where It Matters Most
Cyber security threats are not going away. The criminal ecosystem generating ransomware, phishing campaigns, BEC fraud and data theft is well-organised, well-funded and highly motivated. But effective defence is possible. Organisations that understand the specific threats targeting them, build defences informed by real attacker techniques, monitor continuously and respond decisively can significantly reduce both the likelihood of a breach and its impact when one occurs.

Human-Targeted Attacks
Social Engineering Attacks
Social engineering attacks exploit human psychology rather than technical vulnerabilities. They are among the most prevalent and successful attack methods because they target the most complex and least patchable component of any organisation: people. The Verizon DBIR confirms that 74% of all breaches involve a human element. Social engineering attacks include phishing, spear phishing, business email compromise, vishing, smishing, quishing, whaling and pretexting.
Phishing
Deceptive communications — typically emails — appearing to come from trusted sources to trick recipients into revealing credentials, clicking malicious links or downloading malware. Hundreds of thousands of unique phishing sites are detected every month.
Spear Phishing
Targeted phishing directed at specific individuals using research about the target — LinkedIn, company websites, social media — to craft highly personalised messages. Responsible for 66% of all data breaches despite representing a small fraction of total phishing volume.
Business Email Compromise
Impersonates executives, suppliers or trusted partners to manipulate employees into transferring funds or sharing sensitive information. The FBI IC3 reported over $2.9 billion in BEC losses in 2023 alone — consistently one of the highest-cost cybercrime categories.
Vishing and Smishing
Voice phishing uses phone calls to impersonate bank fraud departments, IT helpdesks or corporate executives. Smishing uses text messages. As mobile device use for business has increased, smishing and vishing attacks targeting employees have grown correspondingly.
Whaling
Spear phishing specifically targeting high-value individuals including executives, board members, legal counsel and finance directors. Because these targets have significant authority and access, successful whaling attacks cause enormous financial and reputational damage.
Pretexting and Baiting
Pretexting creates fabricated scenarios — impersonating IT support, auditors or new employees — to extract information. Baiting uses the promise of something enticing such as a found USB drive to trick targets into actions that compromise security.
Business Email Compromise: No Malware Required
BEC attacks often require no malware and generate no technical indicators that security tools can detect. CEO fraud specifically impersonates the chief executive, sending urgent payment requests to finance staff. The FBI IC3 reported over $2.9 billion in BEC losses in 2023, making it consistently one of the highest-cost cybercrime categories despite requiring no technical sophistication to execute.
Any email instruction to transfer funds, change supplier banking details or approve a new payment account must be confirmed through a voice call to a pre-registered contact number before action is taken. Email alone should never authorise a financial transaction above your defined threshold.
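The callback control described above encoded as a payment-approval gate, as an added example that is not part of the original page: bank-detail changes and new payees always require a voice confirmation, transfers above the threshold do too, and the confirmation only counts if the number dialled is one captured at supplier onboarding rather than one supplied in the email. The supplier registry, the threshold value and the phone numbers are all constructed.

```python
"""Out-of-band verification gate for emailed payment instructions (added example)."""
from dataclasses import dataclass
from typing import Optional

# Constructed registry: contact numbers captured at supplier onboarding, never from an email.
REGISTERED_CONTACTS = {"acme-supplies": {"+442079460000"}}
THRESHOLD = 10_000  # organisation-defined limit for email-only authorisation (constructed)

def normalise(number):
    """Keep digits and a leading '+' so '+44 20 7946 0000' matches '+442079460000'."""
    digits = "".join(ch for ch in number if ch.isdigit())
    return ("+" if number.strip().startswith("+") else "") + digits

@dataclass
class Instruction:
    supplier: str
    amount: float
    changes_bank_details: bool = False
    new_payee: bool = False
    phone_in_email: Optional[str] = None   # callback number the sender helpfully supplied

@dataclass
class Callback:
    number_dialled: str
    confirmed: bool

def requires_callback(ins, threshold=THRESHOLD):
    """Bank-detail changes and new payees always need a call; transfers only above threshold."""
    return ins.changes_bank_details or ins.new_payee or ins.amount > threshold

def decide(ins, callback=None, registry=REGISTERED_CONTACTS, threshold=THRESHOLD):
    """Return (allowed, reason). Email alone never authorises above the threshold."""
    if not requires_callback(ins, threshold):
        return True, "below threshold, no payee or bank-detail change"
    if callback is None:
        return False, "voice confirmation required before action"
    dialled = normalise(callback.number_dialled)
    if dialled not in {normalise(n) for n in registry.get(ins.supplier, set())}:
        # A number printed in the email may reach the sender of that email, not the supplier.
        if ins.phone_in_email and dialled == normalise(ins.phone_in_email):
            return False, "dialled number came from the email, not the registry"
        return False, "dialled number is not a pre-registered contact"
    if not callback.confirmed:
        return False, "supplier did not confirm the instruction"
    return True, "confirmed via pre-registered contact"
```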
Quishing: QR Code Phishing
Quishing uses QR codes in emails or physical materials to direct victims to malicious websites while bypassing email security filters that scan for text-based malicious URLs. Most email security tools cannot extract and analyse URLs encoded in QR code images. Quishing attacks have increased sharply as organisations have improved defences against traditional link-based phishing and attackers have adapted their techniques accordingly.