The Most Common Types of Attacks Part 1: Cyber Attacks Against Individuals

3.5 billion dollars-That’s how much the FBI says cybercrime costs victims each year in the United States! Let’s explore what type of cyberattacks hackers utilize to cause so much damage!

It is obvious that most of the hackers are after your money. According to Verizon DBIR, 86% of breaches were financially motivated, and Better Business Bureau reported 44,762 online scams in 2020. But the question is, how do hackers do it? We have listed some common tricks, tools, techniques, and software they use to deploy their scams. We have divided this article into two parts.

1) The Most Common Types of Attacks Against Individuals

2) The Most Common Types of Attacks Against Businesses and Machines

This is the first part where we have listed the psychological manipulation hackers use to defraud the users. Also, we will publish the second part of this topic soon, the most common types of cyber-attacks against businesses and machines, in which we will walk you through the tools and modern technology hackers use to hack the businesses.

Let’s explore the most common types of attacks against individuals.

Cyber Attacks Against People

Here, the attacker plays psychological games with people and tricks them into taking steps they shouldn’t-the the actions lead them (or a company they are associated with) to a cybercrime. Following are some common types of cyberattacks performed to manipulate humans.

1. Email Phishing

Here, the attacker sends emails masquerading as a legit company or person. The victim believes that the email is coming from:

• a company they trust,
• their colleagues, boss, relatives, or friends
• a reputed charity organization
• government or law enforcement department

Hackers insert malware in the attachments or add links that redirect you to a spammy or phishing website. They also trick you into sharing your login credentials and personal, professional, or financial information. You think you are providing your information to a trusted person or entity, but it’s the hacker on the receiving end.

Often, scammers make you transfer money to their accounts. For example, you receive an emotional email from a reputed charitable organization asking for a donation for a noble cause. Your heart melts, and you donate. But that’s a phishing email, and all your money went for the welfare of the hacker only! Plus, they might also steal your payment card number and commit further financial fraud.   

Here’s an example of how a phishing email looks like.

As you can see, the email is claiming to belong to Amazon. However, the sender’s email address is not from Amazon’s official domain, i.e., it doesn’t have @amazon.com, but it’s coming from some unknown domain @gaadi.com. In the email, although the link looks like legit ones, when we hover our cursor over it, we noticed that it is redirecting to some spammy or malware-loaded sites.

2) Phone-Based Phishing Attacks

These are essentially the same as phishing emails, but they use voice calls and SMS messages instead.

Voice Phishing (Vishing): These typically require a bit more time and effort to execute, so they’re usually more targeted attacks. A hacker typically wouldn’t spend extra time, effort and energy on an attack with a low chance of success. They would usually only do so if it was targeted i.e., they put the effort into learning their victim and feel confident they will be able to scam them.

This is How a Voice Phishing Attack Might Look:

• You get a call purporting to be from a trusted service provider, such as your web hosting company, credit card provider, bank, insurer, etc.
• The scammers may have a few key details about your account to make the call seem credible and genuine.

For example, they may know which hosting provider you use for your website, the purchase date of your hosting subscription, the subdomains you have, your geographical location, etc., because that information can be found in publicly available data.

• Once you trust them, they’ll find a way to get some key details from you, possibly by asking you to “verify your account.” They may ask for your credentials, security questions, CVV, and other account-related information.
• They’ll then use those details as part of a separate phishing attack or to commit financial fraud.

SMS Phishing (Smishing): In general, the attacker sends phishing SMS in bulk with some tools. They send interesting offers, deals, news, etc., to lure recipients into clicking on the given malicious link. Some smishing attacks are carefully targeted.

For example, the attacker finds out the last four digits of your credit card number and bank. They send you an SMS stating.

“A transection of $$$ has taken place from your account. If you haven’t done this transaction, click on this link to stop payment.”

When you see such a message with your credit card number and bank name, you think the message is legit. And you immediately take the given steps in a panic to cancel the transaction. But that’s the trap.

You might click on the given link that downloads malware in your phone or leads you to a fake site that looks exactly like your bank website, where you will be asked to log in with your credentials.

Here’s how an example SMS phishing attack works:

As you can see in the above example, scammers have used the victim’s first name in some messages to sound genuine.

3) Social Media Attacks/Fraud

According to the FBI, people lost a total of $257M in 2020 due to social media scams! So how do attackers scam people using social media? Let’s explore.

a. Fake profiles: Hackers make fake profiles of the people you already know and send them friend requests. You might think the person, let’s say your distant cousin or school friend, has made a new profile and accept the invitation. Then, you get messages from this account asking for urgent fund transfers. If you don’t call the person to verify the message and send the money, you become a victim of the scam.

b. Hack the genuine profile: Hackers steal your credentials and get unauthorized access to your profile. Then they send messages to your friend list asking for money or links with malware. As the messages are coming from your original profile, it is obvious that your contacts will believe it and take the actions they shouldn’t.

c. Guess the credentials using your social media information: People have a tendency to set a password that they can easily remember, like the name of their partner, parents, pet, favorite celebrity, sports, etc., or important dates, like birthday, anniversary, etc. Hackers gather this information from your social media profile, list down the probable password combinations to try out their luck!

d. Blackmailing: Attackers hack your social media profile and post inappropriate stuff online and make your pictures disgraceful using online tools like photoshop. Then they ask you for a ransom to stop such activities and give you back access to your account. 

4) Man-in-the-browser Attack

When you download a corrupted file or click on a malicious link, different types of malware like viruses, trojan horse, worms, etc., invade your system and deploy many types of cyberattacks. One of the most dangerous ones is man-in-the-browser (MitB), which we are including in this article.

Once a MitB gets installed on your device, it auto-installs itself to browser extensions, user scripts, or browser helper object (BHO). That means the hacker can see all your online surfing activities, the sites you visit, the products you buy, and all the information you input on the sites. They can easily craft a well-planned phishing attack with such information. They also sell such information to other hackers and advertisers.

But that’s not all! A MitB trojan can

• Modify the website’s appearance and alter the website’s form fields.
• Change the user’s transaction information like transaction amount, email ID, shipping address, bank account number, etc.  
• Hijack the entire screen and the transaction.
• Change the website servers’ responses like confirmation receipts.
• Delete the transaction details when the user revisits the website. 

Please note that the original website stays unharmed- Only you (victim) see the different screen and the altered information on a website as your browser is compromised.

This attack is highly dangerous because you are surfing on a legit website, so no malware detector or security extensions can identify that something is fishy. On the other side, this is not an attack against a website or business. Hence, the website owner won’t get a clue that you are seeing a modified version of their website.

Final Words on The Most Common Types of Attacks Against Individuals

These are just a few types of cyberattacks that we think are relevant to most people today. In fact, there are many other ways a hacker can hack an individual using ransomware, spyware, botnet, keyloggers, etc. The best thing you can do is to be highly vigilant when downloading anything or clicking on a link from the internet, whether it be via email, SMS, or social media. Make sure you verify the sender’s identity first before taking any steps. If you get an unusual message on email or social media from someone you know, there’s no harm in calling them first before reacting. Use a call ID app to weed out spam and fake phone calls. And last but not the least, regularly check all your browsers’ extensions/add-ons, and if you see any unknown extensions, delete them immediately!