This taxonomy-style guide covers the major types of cybersecurity attacks, explaining what each one is, how it works, the typical impact, and a quick real-world-style example. Use it as a fast reference for risk assessments, training, and incident triage.
Quick definition: A cybersecurity attack is any attempt to compromise the confidentiality, integrity, or availability of systems, networks, applications, or data.
Jump to a section
- Social engineering attacks
- Malware attacks
- Credential and identity attacks
- Web and application attacks
- Network and infrastructure attacks
- Supply chain and third-party attacks
- Insider threats
- Advanced and emerging attack patterns
- FAQs
Social engineering attacks
Social engineering attacks target people rather than software vulnerabilities. They often aim to steal credentials, induce fraudulent payments, or get a victim to run malware.
Phishing
What it is: Broad, mass-targeted messages that trick recipients into revealing information or clicking malicious links.
- How it works: An attacker impersonates a brand or colleague and pushes urgency (“reset your password,” “invoice due”).
- Usual impact: Account takeover, malware infection, financial fraud.
- Example: A fake Microsoft 365 sign-in page captures usernames and passwords.
For a concise primer and defensive checklist, see CISA guidance on phishing and social engineering.
Spear phishing
What it is: Phishing tailored to a specific person or role, using personal/contextual details.
- How it works: The message references real projects, colleagues, or vendors to appear legitimate.
- Usual impact: Initial access to corporate mailboxes and systems; the success rate is higher than for generic phishing because the lure is credible.
- Example: A project manager receives a “revised contract” from a lookalike vendor domain.
Whaling (executive phishing)
What it is: Spear phishing aimed at executives or other high-value decision makers.
- How it works: Uses authority and high stakes (legal notices, acquisitions, urgent wire approvals).
- Usual impact: Large financial losses, sensitive strategy leaks, rapid lateral movement.
- Example: A CFO receives a spoofed “board request” to approve a transfer before a deadline.
Business Email Compromise (BEC)
What it is: Fraud that uses compromised or spoofed corporate email to redirect payments or data.
- How it works: Attackers compromise an executive/vendor mailbox, then change bank details on invoices.
- Usual impact: Direct financial theft, payment delays, reputational damage.
- Example: A supplier’s email is compromised and invoices are quietly updated with a new account number.
Smishing and vishing
What it is: SMS phishing (smishing) and voice-call phishing (vishing).
- How it works: Texts/calls impersonate banks, help desks, delivery services, or HR to harvest codes or passwords.
- Usual impact: MFA bypass via one-time code theft, account takeover, fraud.
- Example: A caller claims to be IT and asks for the “verification code” just sent to the employee.
Pretexting
What it is: A fabricated scenario designed to get a victim to disclose information or perform an action.
- How it works: The attacker plays a role (auditor, new hire, vendor support) and asks for access “to complete a task.”
- Usual impact: Data leakage, unauthorized access, fraud.
- Example: “I’m from payroll—can you confirm your bank routing details for a system update?”
Baiting
What it is: Luring a victim with something enticing (free downloads, prizes, found USB drives).
- How it works: The bait contains malware or redirects to a malicious site.
- Usual impact: Endpoint compromise, credential theft, ransomware entry.
- Example: A “salary report” spreadsheet prompts the user to enable macros, launching malware.
Tailgating (physical social engineering)
What it is: Gaining physical access by following an authorized person into a restricted area.
- How it works: The attacker blends in (delivery, contractor) and exploits politeness or urgency.
- Usual impact: Device theft, rogue hardware installation, access to internal networks.
- Example: An attacker enters behind an employee and plugs a rogue device into an open Ethernet port.
Malware attacks
Malware is software designed to harm systems or steal information. It spreads through downloads, email attachments, compromised websites, exposed services, or infected removable media.
Virus
What it is: Malware that attaches to legitimate files and spreads when the host file is executed.
- How it works: Infects files, then replicates to other files/systems via user actions.
- Usual impact: Data corruption, system instability, reduced performance.
- Example: A malicious macro infects documents shared on a file server.
Worm
What it is: Self-replicating malware that spreads across networks without user interaction.
- How it works: Exploits vulnerabilities to propagate to new hosts automatically.
- Usual impact: Rapid, wide disruption; network congestion; mass compromise.
- Example: A worm scans the internal network for an unpatched service and spreads host-to-host.
Trojan (Trojan horse)
What it is: Malware disguised as legitimate software to trick users into installing it.
- How it works: Delivered as a “utility,” “patch,” or “crack,” then installs a backdoor or stealer.
- Usual impact: Persistent access, credential theft, further malware delivery.
- Example: A fake VPN client installs a remote access tool (RAT).
Ransomware
What it is: Malware that encrypts files (and sometimes steals data) to extort payment.
- How it works: Enters via phishing, exposed RDP/VPN, or unpatched vulnerabilities; spreads laterally; encrypts data.
- Usual impact: Operational downtime, data loss, extortion, regulatory exposure.
- Example: A hospital’s file shares are encrypted overnight, forcing diversion of patients.
For an authoritative overview and terminology, review the NIST ransomware resource.
Spyware
What it is: Malware that secretly monitors activity and collects data (browsing, credentials, messages).
- How it works: Runs in the background, exfiltrating data to an attacker-controlled server.
- Usual impact: Privacy loss, credential theft, corporate espionage.
- Example: A browser extension silently captures sessions and cookies.
Keylogger
What it is: A form of spyware that records keystrokes to steal logins and sensitive text.
- How it works: Hooks keyboard input at the OS or application layer.
- Usual impact: Account compromise, payment theft, data exposure.
- Example: Passwords typed into an internal admin portal are captured and exfiltrated.
Rootkit
What it is: Malware designed to hide itself and maintain privileged, persistent access.
- How it works: Alters system components or drivers to evade detection.
- Usual impact: Long-term stealthy compromise; difficult incident response.
- Example: A compromised server shows “clean” process lists while malicious services remain hidden.
Botnet
What it is: A network of compromised devices controlled by an attacker.
- How it works: Infected devices connect to command-and-control (C2) to receive instructions.
- Usual impact: DDoS attacks, spam campaigns, credential stuffing, crypto mining.
- Example: Thousands of compromised IoT cameras are used to flood a website with traffic.
Cryptojacking
What it is: Unauthorized use of computing resources to mine cryptocurrency.
- How it works: Malicious scripts or miners run on endpoints, servers, or containers.
- Usual impact: Increased costs, performance degradation, shortened hardware lifespan.
- Example: A compromised Kubernetes cluster runs hidden mining containers.
Credential and identity attacks
These attacks aim to obtain, guess, reuse, or bypass authentication to take over accounts and move laterally.
Brute-force attack
What it is: Systematic guessing of passwords until a correct one is found.
- How it works: Automated login attempts against a service (VPN, OWA, SSH, admin portals).
- Usual impact: Account takeover; potential privilege escalation if admin accounts are hit.
- Example: An exposed SSH service receives thousands of password guesses per hour.
Password spraying
What it is: Trying a small set of common passwords across many accounts to avoid lockouts.
- How it works: “Winter2026!” is tried against hundreds of usernames at low frequency.
- Usual impact: Compromise of weak-password accounts; broad access if SSO is used.
- Example: Multiple employee accounts are accessed using a seasonal password pattern.
Credential stuffing
What it is: Using leaked username/password pairs from breaches to log into other services.
- How it works: Bots test known credentials at scale, exploiting password reuse.
- Usual impact: Customer account takeover, fraud, support costs.
- Example: Stolen credentials from a retail breach are used to access payroll accounts elsewhere.
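The three patterns above leave different fingerprints in authentication logs: a brute-force attack piles failures onto one account, a spray spreads a handful of failures across many accounts from one source, and credential stuffing looks like a spray but usually arrives from many sources at once. The following is an added example, not code from the original page, that implements the first two detections in Python over a constructed log sample; the `src=... user=... result=...` line format, the thresholds and the IP addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed ad-hoc log format (one event per line); adapt the regex to your VPN/IdP export.
LINE_RE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(FAIL|SUCCESS)$")


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, src, user, result = m.groups()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "user": user, "result": result}


def constructed_log():
    """Constructed sample, not real data: one brute-force burst, one low-and-slow spray, benign noise."""
    t0 = datetime(2026, 1, 12, 8, 0, 0)

    def fmt(t):
        return t.strftime("%Y-%m-%dT%H:%M:%SZ")

    lines = []
    # 203.0.113.5 hammers a single account: 40 failures in two minutes
    for i in range(40):
        lines.append(f"{fmt(t0 + timedelta(seconds=3 * i))} src=203.0.113.5 user=alice result=FAIL")
    # 198.51.100.7 tries one password against 25 accounts, two minutes apart, then lands one
    for i in range(25):
        lines.append(f"{fmt(t0 + timedelta(minutes=2 * i))} src=198.51.100.7 user=user{i:02d} result=FAIL")
    lines.append(f"{fmt(t0 + timedelta(minutes=52))} src=198.51.100.7 user=user09 result=SUCCESS")
    # 192.0.2.10: bob mistypes twice and then signs in; this must not be flagged
    for i, result in enumerate(["FAIL", "FAIL", "SUCCESS"]):
        lines.append(f"{fmt(t0 + timedelta(minutes=5, seconds=20 * i))} src=192.0.2.10 user=bob result={result}")
    return sorted(lines)


def analyze(lines, window=timedelta(minutes=60), brute_threshold=20,
            spray_min_users=10, spray_max_per_user=3):
    """Per source IP, find the busiest trailing window of failures and classify the pattern."""
    by_src = defaultdict(list)
    for event in map(parse, lines):
        by_src[event["src"]].append(event)
    findings = []
    for src, events in sorted(by_src.items()):
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        per_user, start, peak_single, peak_distinct = Counter(), 0, 0, 0
        for event in fails:
            per_user[event["user"]] += 1
            # evict failures that have aged out of the trailing window
            while event["ts"] - fails[start]["ts"] > window:
                old = fails[start]["user"]
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                start += 1
            peak_single = max(peak_single, max(per_user.values()))
            peak_distinct = max(peak_distinct, len(per_user))
        if peak_single >= brute_threshold:
            kind = "brute_force"        # many failures against one account
        elif peak_distinct >= spray_min_users and peak_single <= spray_max_per_user:
            kind = "password_spray"     # few failures each, across many accounts
        else:
            continue
        findings.append({"src": src, "type": kind,
                         "peak_failures_one_user": peak_single, "distinct_users": peak_distinct})
        # a success from a source already behaving like an attacker is the account to contain first
        for event in events:
            if event["result"] == "SUCCESS":
                findings.append({"src": src, "type": "success_after_attack", "user": event["user"]})
    return findings


if __name__ == "__main__":
    for finding in analyze(constructed_log()):
        print(finding)
```

Credential stuffing cannot be separated from spraying with these fields alone, because the password itself is never logged; in practice it is recognized by volume, by many source IPs hitting many accounts in parallel, and by correlating the usernames against known breach corpora. A spray slower than the window (one attempt per account every few hours) also slips past this logic, so production rules aggregate over longer periods or across sources.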
MFA fatigue (push bombing)
What it is: Repeated MFA push requests to pressure users into approving one.
- How it works: After acquiring a password, the attacker triggers endless push notifications.
- Usual impact: Unauthorized login even with MFA enabled; rapid lateral movement.
- Example: An employee taps “Approve” to stop the prompts, granting access.
Session hijacking
What it is: Stealing or abusing authenticated session tokens/cookies to bypass login.
- How it works: Tokens are stolen via infostealer malware, XSS, or unencrypted traffic on untrusted networks.
- Usual impact: Immediate account access; difficult detection if no password changes occur.
- Example: A stolen browser cookie grants access to an email account without MFA prompts.
Web and application attacks
Application-layer attacks target websites, APIs, and software logic. They often lead to data theft, account takeover, or server compromise.
SQL injection (SQLi)
What it is: Injecting malicious SQL into an application query to read/modify database data.
- How it works: User input is concatenated into the query text instead of being passed as a bound parameter, so quotes, comment markers, and keywords in the input change the query's structure.
- Usual impact: Customer data exposure, credential theft, data tampering.
- Example: A login form is manipulated to dump user tables.
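What the login-form example looks like in code, as an added example that is not from the original page (Python with the standard sqlite3 module; the table contents and the payloads are constructed):

```python
import sqlite3


def make_db():
    """In-memory table with constructed rows (the hash values are placeholders, not real hashes)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
                     [("alice", "hash-of-alice-pw", "admin"), ("bob", "hash-of-bob-pw", "user")])
    return conn


def login_vulnerable(conn, username, password_hash):
    # The input is spliced into the SQL text, so quotes and comment markers in it become SQL syntax.
    sql = (f"SELECT username, role FROM users "
           f"WHERE username = '{username}' AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchall()


def login_safe(conn, username, password_hash):
    # Bound parameters: the driver sends the values separately from the query structure.
    sql = "SELECT username, role FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Two classic payloads for the username field of a login form (constructed).
BYPASS = "' OR 1=1 --"
DUMP = "' UNION SELECT username, password_hash FROM users --"

if __name__ == "__main__":
    conn = make_db()
    print(login_vulnerable(conn, BYPASS, "x"))   # every row: the tautology defeats the password check
    print(login_vulnerable(conn, DUMP, "x"))     # username/hash pairs leak through the role column
    print(login_safe(conn, BYPASS, "x"))         # []: the payload is just a literal username
```

Two caveats for reading the result. A real login never selects on the stored hash; it fetches the row by username and verifies the password with the hash library's constant-time check. And Python's sqlite3 `execute()` accepts only one statement per call, so a stacked payload such as `'; DROP TABLE users --` fails here while it would succeed on drivers and databases that allow multiple statements; bound parameters plus a least-privilege database account close both doors.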
Cross-site scripting (XSS)
What it is: Injecting scripts into web pages viewed by other users.
- How it works: The app reflects or stores untrusted content that runs in the victim’s browser.
- Usual impact: Session theft, account takeover, malicious redirects.
- Example: A comment field stores a script that steals cookies from anyone viewing the page.
Cross-site request forgery (CSRF)
What it is: Tricking a logged-in user’s browser into performing an unwanted action.
- How it works: A malicious site triggers a request to a target site using the victim’s existing session.
- Usual impact: Unauthorized account changes, payments, or administrative actions.
- Example: A hidden form submits “change email address” while the victim is logged into an account.
Remote code execution (RCE)
What it is: Exploiting a flaw that allows an attacker to run commands on a server or application.
- How it works: Vulnerable deserialization, template injection, command injection, or unsafe file handling.
- Usual impact: Full system compromise, ransomware deployment, data exfiltration.
- Example: A vulnerable web plugin allows attackers to run shell commands as the web user.
Directory traversal (path traversal)
What it is: Accessing files outside the intended directory by manipulating file paths.
- How it works: “../” sequences or encoded variants reach sensitive files.
- Usual impact: Configuration leaks, credential exposure, sometimes RCE.
- Example: A download endpoint is abused to fetch “/etc/passwd” or application secrets.
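An added example, not from the original page, that contrasts the substring check many download handlers ship with against a resolver that normalizes first and checks containment second. Python on a POSIX filesystem; the sandbox directory and the request strings are constructed.

```python
import os
import tempfile
from urllib.parse import unquote


def build_sandbox():
    """Constructed download root: one legitimate file plus an innocent-looking symlink (assumes POSIX)."""
    base = tempfile.mkdtemp(prefix="downloads-")
    os.makedirs(os.path.join(base, "reports"))
    with open(os.path.join(base, "reports", "q1.txt"), "w") as fh:
        fh.write("quarterly numbers\n")
    os.symlink("/etc", os.path.join(base, "shortcut"))
    return base


def naive_target(base, user_path):
    """The check many apps ship with: refuse a literal '..' and join the rest onto the base directory.
    Returns the path that would be opened, or None if rejected."""
    if ".." in user_path:
        return None
    return os.path.join(base, unquote(user_path))


def resolve_safe(base, user_path):
    """Decode once, collapse '..' and symlinks with realpath, then require the result to stay under base.
    Returns the real path, or None if the request escapes the directory."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, unquote(user_path)))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


# Constructed requests a download endpoint might receive.
REQUESTS = {
    "legitimate":   "reports/q1.txt",
    "plain_dotdot": "../../etc/passwd",           # the only one the naive check catches
    "url_encoded":  "%2e%2e/%2e%2e/etc/passwd",   # no literal '..' until after decoding
    "absolute":     "/etc/passwd",                # os.path.join discards base on an absolute path
    "via_symlink":  "shortcut/passwd",            # no '..' at all; the link leaves the tree
}

if __name__ == "__main__":
    base = build_sandbox()
    for name, req in REQUESTS.items():
        print(f"{name:13} naive={naive_target(base, req)}  safe={resolve_safe(base, req)}")
```

Decode exactly once, at the same layer that performs the containment check: a second decode further down the stack (a framework that unquotes again, or a file-serving library that does its own normalization) reopens the hole for double-encoded input such as `%252e%252e`.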
API abuse and broken authorization
What it is: Exploiting weak access controls to access or modify data via APIs.
- How it works: IDOR (Insecure Direct Object References), missing authorization checks, excessive data exposure.
- Usual impact: Large-scale data leakage, account takeover, business logic fraud.
- Example: Changing a numeric user ID in an API call returns another customer’s records.
Network and infrastructure attacks
These attacks target connectivity, routing, name resolution, and core services. The impact often includes outages, interception, and enabling further intrusion.
Denial-of-service (DoS) and distributed denial-of-service (DDoS)
What it is: Overwhelming a service so legitimate users can’t access it.
- How it works: Floods traffic (volumetric), exhausts resources (application-layer), or abuses protocols.
- Usual impact: Downtime, lost revenue, customer trust damage.
- Example: A botnet sends millions of requests per minute to an e-commerce checkout API.
Man-in-the-middle (MitM)
What it is: Intercepting and potentially altering communications between two parties.
- How it works: Rogue Wi-Fi access points, ARP spoofing, DNS tricks, or TLS downgrades (when misconfigured).
- Usual impact: Credential theft, data interception, transaction manipulation.
- Example: A fake “Free Airport Wi-Fi” hotspot captures logins to webmail.
Packet sniffing (eavesdropping)
What it is: Capturing network traffic to extract sensitive information.
- How it works: Monitoring unencrypted traffic or using MitM positioning to observe data flows.
- Usual impact: Credential exposure, data leakage, reconnaissance for later attacks.
- Example: Plaintext HTTP logins are captured on a shared network.
DNS spoofing / cache poisoning
What it is: Redirecting users to malicious destinations by corrupting DNS resolution.
- How it works: Poisoned cache entries or compromised DNS settings route traffic to attacker-controlled IPs.
- Usual impact: Phishing at scale, malware delivery, credential theft.
- Example: “company-portal.com” resolves to a fake login site hosted elsewhere.
ARP spoofing
What it is: Mapping the attacker’s MAC address to another device’s IP on a local network.
- How it works: Sends forged ARP messages to reroute traffic through the attacker.
- Usual impact: Local MitM, session hijacking, data interception.
- Example: On an office LAN, the attacker positions themselves between a workstation and the gateway.
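A detection an analyst can run over a capture of ARP replies, added here as an example that is not part of the original page. Python; the capture lines are constructed in a tcpdump-like layout, and the gateway baseline is an assumed static mapping.

```python
import re
from collections import defaultdict

ARP_REPLY_RE = re.compile(r"^(\S+) ARP, Reply (\d+\.\d+\.\d+\.\d+) is-at ([0-9a-f:]{17})")

# Constructed capture in a tcpdump-like format (assumption). The real gateway 192.168.1.1 answers from
# 00:11:22:33:44:55; at 08:00:30 aa:bb:cc:dd:ee:ff starts answering for both the gateway and a workstation.
CAPTURE = """\
08:00:01.000000 ARP, Reply 192.168.1.1 is-at 00:11:22:33:44:55, length 28
08:00:02.000000 ARP, Reply 192.168.1.20 is-at 00:aa:bb:cc:dd:01, length 28
08:00:30.000000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
08:00:30.100000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:ff, length 28
08:00:30.200000 ARP, Reply 192.168.1.1 is-at aa:bb:cc:dd:ee:ff, length 28
08:00:30.300000 ARP, Reply 192.168.1.20 is-at aa:bb:cc:dd:ee:ff, length 28
"""

# Static baseline for hosts that must never move (assumption: maintained from switch or DHCP records).
KNOWN = {"192.168.1.1": "00:11:22:33:44:55"}


def detect(lines, known=KNOWN):
    learned = {}               # ip -> MAC last seen claiming it
    claims = defaultdict(set)  # MAC -> set of IPs it has claimed
    alerts = []
    for line in lines:
        m = ARP_REPLY_RE.match(line)
        if not m:
            continue
        ts, ip, mac = m.groups()
        if ip in known and mac != known[ip]:
            alerts.append({"ts": ts, "type": "baseline_mismatch", "ip": ip, "mac": mac})
        elif ip not in known and learned.get(ip, mac) != mac:
            alerts.append({"ts": ts, "type": "mac_changed", "ip": ip, "mac": mac})
        learned[ip] = mac
        new_claim = ip not in claims[mac]
        claims[mac].add(ip)
        if new_claim and len(claims[mac]) > 1:
            # one MAC answering for several IPs is the MitM position: gateway to the victim, victim to the gateway
            alerts.append({"ts": ts, "type": "mac_claims_multiple_ips",
                           "ip": ",".join(sorted(claims[mac])), "mac": mac})
    return alerts


if __name__ == "__main__":
    for alert in detect(CAPTURE.splitlines()):
        print(alert)
```

The two signals worth paging on are a critical IP answering from a MAC other than its baseline and one MAC claiming several IPs at once; a plain `mac_changed` on an ordinary workstation is also what a DHCP lease change or a replaced NIC looks like, so it is a lower-severity lead. Switch-side Dynamic ARP Inspection, or static ARP entries on critical hosts, prevents the attack rather than only detecting it.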
Port scanning and service enumeration
What it is: Probing systems to find open ports, services, and versions.
- How it works: Automated scans identify exposed services and likely vulnerabilities.
- Usual impact: Not always a breach by itself, but it enables targeted exploitation.
- Example: A scan finds an exposed database port on a public IP and attempts default credentials.
Supply chain and third-party attacks
Supply chain attacks exploit trust relationships between organizations and their vendors, software, service providers, or update mechanisms.
Software supply chain compromise
What it is: Malicious code introduced into legitimate software, libraries, or build pipelines.
- How it works: Compromised developer accounts, poisoned dependencies, or tampered updates distribute malware to users.
- Usual impact: Large blast radius; downstream organizations become victims without direct targeting.
- Example: A popular package update includes a backdoor that runs on customer servers.
Managed service provider (MSP) compromise
What it is: Attacking an IT provider to gain access to many client environments.
- How it works: Exploits remote management tools, weak tenant separation, or stolen admin credentials.
- Usual impact: Multi-organization ransomware deployment, widespread outages.
- Example: A compromised remote monitoring tool pushes a malicious script to hundreds of endpoints.
Vendor invoice and payment redirection fraud
What it is: Manipulating vendor communications to reroute payments.
- How it works: Email compromise or spoofing changes bank details at the moment an invoice is due.
- Usual impact: Financial loss, legal disputes, operational delays.
- Example: A vendor’s “new banking instructions” email is sent from a lookalike domain.
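Spear phishing, BEC and invoice fraud all lean on sender domains that look like a trusted vendor's: a swapped TLD, a digit for a letter, a Cyrillic letter for a Latin one, or the real name buried inside a longer hostname. The check below is an added example in Python, not code from the original page; the allow-list, the confusable table and the two-label registrable-domain rule are assumptions (a public-suffix list is needed for names like `vendor.co.uk`).

```python
# Constructed allow-list of domains the organisation legitimately does business with (assumption).
TRUSTED_DOMAINS = {"acme-supplies.com", "northwind.net", "contoso.com"}

# Substitutions seen in lookalike registrations, applied longest-first so "rn" folds to "m"
# before "1" folds to "l". The Unicode entries are Cyrillic letters that render like Latin ones.
FOLD = [
    ("rn", "m"), ("vv", "w"),
    ("0", "o"), ("1", "l"), ("3", "e"), ("4", "a"), ("5", "s"),
    ("\u0430", "a"), ("\u0435", "e"), ("\u043e", "o"), ("\u0440", "p"),
    ("\u0441", "c"), ("\u0445", "x"), ("\u0443", "y"), ("\u0456", "i"),
]


def normalize(domain):
    """Lower-case, strip a trailing dot, and decode punycode so homoglyph labels can be folded."""
    d = domain.strip().lower().rstrip(".")
    if "xn--" in d:
        try:
            d = d.encode("ascii").decode("idna")
        except UnicodeError:
            pass  # undecodable label: leave it as-is, it will not match anything
    return d


def skeleton(domain):
    """Fold confusable characters into a canonical form that is used only for comparison."""
    s = normalize(domain)
    for src, dst in FOLD:
        s = s.replace(src, dst)
    return s


def registrable(domain):
    """Last two labels. Simplification: without a public-suffix list, example.co.uk comes out wrong."""
    return ".".join(domain.split(".")[-2:])


def levenshtein(a, b):
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(sender_domain, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return (verdict, matched_trusted_domain, reason); verdict is trusted, lookalike or unrelated."""
    d = normalize(sender_domain)
    if registrable(d) in trusted:
        return ("trusted", registrable(d), "registrable domain is on the allow-list")
    sk = skeleton(d)
    sk_name = registrable(sk).rpartition(".")[0]
    best = None
    for t in sorted(trusted):
        t_sk = skeleton(t)
        t_name = t_sk.rpartition(".")[0]
        if registrable(sk) == t_sk:
            dist, reason = 0, "confusable characters fold to a trusted domain"
        elif sk_name == t_name:
            dist, reason = 0, "trusted name under a different TLD"
        elif t_name in sk:
            dist, reason = 0, "trusted name embedded in a longer host or subdomain"
        else:
            dist, reason = levenshtein(sk_name, t_name), "within edit distance of a trusted name"
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, t, reason)
    if best is None:
        return ("unrelated", None, "no trusted domain within threshold")
    return ("lookalike", best[1], best[2])


if __name__ == "__main__":
    for sender in ["billing.acme-supplies.com", "acme-supp1ies.com", "\u0430cme-supplies.com",
                   "acme-supplies.co", "acme-supplies.com.evil.net", "acme-suplies.com", "example.org"]:
        print(sender, "->", classify(sender))
```

Run it on both the envelope sender and the Reply-To domain of any message that asks for a payment or bank-detail change; a "lookalike" verdict is a reason to call the vendor on a number already on file, not to reply to the email.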
Insider threats
Insider threats originate from people with legitimate access (employees, contractors, partners). They can be malicious or accidental.
Malicious insider
What it is: Intentional misuse of access to steal data or sabotage systems.
- How it works: Copies sensitive files, plants backdoors, alters records, or deletes data.
- Usual impact: Data theft, compliance violations, operational disruption.
- Example: A departing employee exports a customer list and sells it to a competitor.
Negligent or accidental insider
What it is: Unintentional actions that create security incidents (misconfigurations, wrong recipients, weak passwords).
- How it works: Mistakes, poor security hygiene, or failure to follow procedures.
- Usual impact: Data exposure, account compromise, compliance risk.
- Example: A cloud storage bucket is set to public and exposes internal documents.
Advanced and emerging attack patterns
These patterns often combine multiple techniques, making them harder to detect and contain.
Zero-day exploitation
What it is: Exploiting a software vulnerability for which no vendor patch exists yet. (Once a fix exists but is not yet widely applied, the same flaw is usually called an n-day.)
- How it works: Attackers use undisclosed or newly discovered flaws to gain access.
- Usual impact: Stealthy compromise, rapid breach of high-value targets.
- Example: A new flaw in a widely used edge device is exploited across the internet within days.
Advanced persistent threat (APT)
What it is: Long-term, well-resourced intrusion focused on stealth, persistence, and strategic objectives.
- How it works: Initial access (phishing, exploits), privilege escalation, lateral movement, data exfiltration, persistence.
- Usual impact: Intellectual property theft, espionage, long-duration control of environments.
- Example: An attacker maintains hidden access for months to siphon product designs.
Lateral movement
What it is: Moving from one compromised system/account to others inside the same environment.
- How it works: Uses stolen credentials, remote admin tools, shared drives, and trust relationships.
- Usual impact: Broader compromise; higher likelihood of domain admin takeover.
- Example: A compromised workstation is used to access file servers, then a domain controller.
Privilege escalation
What it is: Gaining higher permissions than initially granted (from user to admin/root).
- How it works: Exploits OS/app flaws, misconfigurations, weak local admin controls.
- Usual impact: Full control over systems; easier persistence and data access.
- Example: A local vulnerability grants SYSTEM privileges on a Windows endpoint.
Data exfiltration
What it is: Unauthorized transfer of data out of an organization.
- How it works: Uses cloud drives, covert channels, DNS tunneling, or encrypted outbound connections.
- Usual impact: Breach notification, fines, customer churn, extortion (“double extortion”).
- Example: Sensitive files are compressed and uploaded to an attacker-controlled storage account.
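DNS tunnelling, the covert channel mentioned above, shows up in resolver logs as a stream of long, high-entropy, never-repeated subdomains under one domain, often as TXT or NULL queries. The scorer below is an added example in Python, not code from the original page; the log layout (`ts client qname qtype`), the thresholds and the `example.*` domains are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(s):
    """Bits per character: 0 for 'www', near 4 for hex, higher for base32/base64 payloads."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def registrable(qname):
    """Last two labels; simplification, a public-suffix list is needed for names like example.co.uk."""
    return ".".join(qname.split(".")[-2:])


def constructed_log():
    """Constructed query log, not real traffic: ordinary lookups, one long CDN-style hostname,
    and a client pushing 40 hex-encoded chunks through TXT queries."""
    stamp = "2026-01-12T09:00:{:02d}Z"
    lines = [f"{stamp.format(i)} 10.0.0.15 {h} A"
             for i, h in enumerate(["www.example.com", "mail.example.com", "api.example.com"])]
    lines.append(f"{stamp.format(3)} 10.0.0.15 d1a2b3c4d5e6f7.cdn.example.org A")
    for i in range(40):
        chunk = hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:60]  # stands in for encoded file data
        lines.append(f"{stamp.format(i % 60)} 10.0.0.42 {chunk}.t.example.net TXT")
    return lines


def analyze(lines, min_unique=20, min_len=30, min_entropy=3.3, min_txt_ratio=0.5):
    """Score each registrable domain on four tunnelling signals; flag it when at least three fire."""
    stats = defaultdict(lambda: {"labels": set(), "lens": [], "ents": [], "txt": 0, "n": 0})
    for line in lines:
        _ts, _client, qname, qtype = line.split()
        qname = qname.rstrip(".").lower()
        dom = registrable(qname)
        prefix = qname[: -len(dom)].rstrip(".")
        leftmost = prefix.split(".")[0] if prefix else ""   # the label that carries tunnel payload
        s = stats[dom]
        s["n"] += 1
        s["labels"].add(leftmost)
        s["lens"].append(len(leftmost))
        s["ents"].append(shannon_entropy(leftmost))
        s["txt"] += qtype in ("TXT", "NULL")
    results = []
    for dom, s in stats.items():
        mean_len = sum(s["lens"]) / s["n"]
        mean_ent = sum(s["ents"]) / s["n"]
        ratio = s["txt"] / s["n"]
        checks = [len(s["labels"]) >= min_unique, mean_len >= min_len,
                  mean_ent >= min_entropy, ratio >= min_txt_ratio]
        results.append({"domain": dom, "queries": s["n"], "unique_subdomains": len(s["labels"]),
                        "mean_label_len": round(mean_len, 1), "mean_entropy": round(mean_ent, 2),
                        "txt_ratio": round(ratio, 2), "score": sum(checks), "suspicious": sum(checks) >= 3})
    return sorted(results, key=lambda r: -r["score"])


if __name__ == "__main__":
    for row in analyze(constructed_log()):
        print(row)
```

A single feature is not enough: the CDN-style hostname in the sample scores on entropy alone and is correctly left unflagged, while the tunnel trips all four checks. Tunnels that use short chunks or plain A records lower the length and query-type scores, so in production the count of unique subdomains per client per domain is the signal to tune first.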
Cloud account and configuration attacks
What it is: Abusing cloud identity, permissions, exposed keys, and misconfigured services.
- How it works: Stolen API keys, overly permissive IAM roles, exposed management interfaces, weak tenant controls.
- Usual impact: Large-scale data exposure, resource hijacking, persistent access.
- Example: A leaked access key is used to enumerate storage and copy sensitive backups.
IoT and OT attacks
What it is: Targeting smart devices (IoT) and operational technology (OT) such as industrial control systems.
- How it works: Default passwords, unpatched firmware, exposed management ports, insecure protocols.
- Usual impact: Safety risks, production outages, botnet enrollment.
- Example: A factory camera with default credentials becomes a foothold into the internal network.
Mobile attacks
What it is: Targeting smartphones and tablets through malicious apps, OS flaws, or phishing.
- How it works: Fake apps, SMS phishing, device management abuse, or spyware installation.
- Usual impact: Credential theft, message interception, corporate email compromise.
- Example: A counterfeit “Authenticator” app steals MFA seeds and login details.
FAQs
What are the most common attack types organizations see?
Most organizations frequently encounter phishing (including spear phishing and BEC), credential attacks (password spraying and credential stuffing), and ransomware-driven intrusion chains that start with email or exposed remote access.
Which attacks usually cause the most downtime?
Ransomware, destructive malware, and DDoS attacks tend to cause the most immediate downtime. Long-running intrusions (APTs) may not cause downtime at first but can lead to major disruption during response and recovery.
What’s the difference between malware and a phishing attack?
Phishing is a delivery or deception method that targets people to get clicks, credentials, or actions. Malware is the malicious software payload that may be delivered via phishing (or other channels) to compromise systems.
How should I use this taxonomy in a risk assessment?
Map each attack type to (1) your critical assets, (2) likely entry points (email, VPN, web apps, cloud identity), and (3) impact categories (downtime, data loss, fraud). Then prioritize controls where likelihood and impact are highest.
