17 Most Common Cyber Attacks You Need To Be Aware of in 2024

Image by Gerd Altmann

Cyber attacks will cost the world $8 trillion in 2024. 

How frightening is that?

To put this into context, cybercrime would be the world’s third-largest economy after the United States and China.

That’s troubling for everyone. Imagine the damage you could suffer if not proactive.

If you’re like me, then you probably have different online accounts.

Your email is just one. There is online banking, 401(k), and streaming services like Netflix or Hulu.

The world practically revolves around online platforms now.

These accounts were created with personal information that can’t fall into the wrong hands.

Unfortunately, these accounts increase our online footprint, making us vulnerable to cyber-criminals and their attacks. 

Cyber attacks come in many shapes and sizes. Sadly, many people realize this only after they’ve become victims.

To avoid falling victim and help protect you and your family, I’ve written this guide on the different types of cyber attacks that fraudsters use. I’ll cover the latest strategies, like SIM Swapping, that could put you in peril, and provide actionable tips that you can use to protect yourself and your loved ones.

What is a Cyber Attack and Why is it Increasing?

Image by Gerd Altmann

Cyber attacks are offensive attempts to gain unauthorized access to data on a computer system, database, or network. These attempts aim to steal, alter, expose, disable, or destroy sensitive information.

When opening an online account, you typically need to follow a mandatory process like the Know Your Customer (KYC) to verify your identity.

We sometimes have to submit our address, passport, driver’s license, or even Social Security numbers.

Unfortunately, this exposes our records to criminals should the organization experience a cyber attack.

For example, Yahoo suffered a data breach in 2013, which affected all 3 billion users.

While organizations are frequently targeted for data breaches, cyber-criminals can also attack individuals directly.

How much safer do you think you’ll be considering cyber attacks happen every 39 seconds?

The odds don’t look good, do they?

You may be affected sooner or later – if you don’t protect yourself. Unfortunately, many people become cyber attack victims unknowingly. 

That’s why I’m going to describe the many different types of cyber-attacks out there.

Quite frankly, no one can actually know how many are there. So this is in no way an exhaustive list.

But, I’ll cover the ones you should be worried about.

Let’s get right into it.

17 Most Common Cyber Attacks That You Should Know

If you want to protect yourself from danger, at least you need to know what it is in the first place.

Identifying the types of cyber attacks that are lurking in the dark will save you from potential damage.

What type of damage?

There are many.

Identity theft, credit card fraud, criminal activities, take your pick.

You’ll also be able to alert authorities faster before things go south.

So, what are these dangerous cyber attacks to look out for?

1. Phishing Attacks

Phishing will always come up when discussing anything related to Internet attacks.

Why?

Because this attack is common.

And, it’s also one of the easiest to fall for.

Here’s what happens in a phishing attack:

A cyber-criminal contacts you through emails, texts, calls, or falsified websites. The goal is to make you think they are from a legitimate organization, so you can share sensitive information.

But obviously, they are not.

The information could be your password, credit card number, login credentials, or other personal information.

As you may already know, these deets shouldn’t get into the wrong hands!

For example, a hacker might send you an email that appears to be from a legitimate source, such as Gmail or your bank. They may ask that you click on a link to update your account information or check for suspicious activity.

However, if you click the link it will redirect you to a fake website that looks legitimate. Once you enter your login credentials, the hacker steals them.

Phishing has become so rampant that Google blocks over 100 million phishing emails daily.

According to the FBI’s Internet Crime Complaint Center, phishing was the most commonly reported cybercrime in 2020. Victims filed 241,342 complaints, resulting in more than $54 million in losses.

In 2016, Hilary Clinton’s presidential aspiration took a huge hit when her campaign chairman fell for an email phishing scam from Russian hackers.

The hackers posed as Google and sent John Podesta an email claiming there was “unusual activity” on his account. He was urged to click a link to change his password.

As you would expect, this malicious link gave hackers access to his email account. Once they were in, they released thousands of private – often classified – emails.

There are many types of phishing scams:

1.1. Spear Phishing

Spear phishing is exactly what it sounds like.

You can only use a spear to target specific items.

In the same way, a hacker can target specific individuals, organizations, or demographics who are likely to fall for their antics. 

Let me share an example.

A scammer might target your parents or grandparents with an email they’re likely to believe.

No, it’s not because older people believe everything you tell them.

However, they are more likely to have health or insurance issues and may be unsure about their taxes.

So, an email that promises to “help” them out if they could just do the simple task of sharing their information, will sound believable.

The crazy part is your parents won’t even think to contact you.

It’s not only the seniors, though.

Even you can be targeted if you fit into a certain demographic.

1.2. Vishing

Here, the hacker uses phone calls or voice messages to impersonate an employee from a reputable organization.

Most times, the victim patronizes the organization, so they assume the call is legitimate.

1.3. Whaling

This one’s similar to spear phishing, too only that hackers target high-profile individuals like C-level executives. The aim is to gain backdoor access to their company’s network by stealing their credentials. If you’re a CEO or an executive, you must be careful. 

Did you know hackers steal $26 billion yearly through CEO fraud?

1.4. Manipulated URLS

How many times have you actually checked a URL before clicking on it?

No, I’m not talking about glancing over it, but carefully checking it.

There’s a good chance you don’t. Hackers know this.

So, they make sure to alter a URL address to redirect you to a fake site. That site might look like the real deal, but it’s far from it.

Nowadays, many people use URL shorteners because they’re easy to remember. 

But hackers can “poison” the shortened URL, so it redirects you to a bogus site created to steal your personal information. 

This kind of situation once happened in 2018. Maybe you can learn from it.

Facebook was hit by the largest data breach in its history when an attacker gained access to the personal data of over 50 million Facebook users.

There were only a little over 2o0 million users in 2018, so this attack affected a quarter of all users as at the time.

The hacker was able to manipulate URLs through a vulnerability in Facebook’s “View As” feature, which allowed them to take over users’ accounts.

You can prevent phishing attacks by being super cautious.

It could be about the emails you open, the attachments you download, and the links you click on. 

Pay close attention to email headers, poor grammar, or spelling, and avoid clicking anything that appears suspicious.

2. Your Company Needs to Beware of Zero-Day Exploits

One of the biggest problems I have with apps and software today is how frequently there are updates. I am sure you agree as well.

I could install an application on my phone today, and the next day it tells me there’s a need for a new update.

You wouldn’t believe that scammers have figured out a way to also make this work in their favor.

For example, if I install an app called Origin App and I use it for a few weeks before it needs an update.

Now, imagine I go through with the update but there’s a vulnerability. Since the company just released the new security patch, they may not know there’s a weakness.

A scammer might notice this new update is weak and quickly try to exploit that weakness by creating a code that can be injected into the app.

This is what a zero-day exploit means.

These attacks can occur when, for example, a company releases a new update or software version, unaware that there are vulnerabilities in the code that can be exploited by threat actors.

Since the vendor doesn’t know that the software is vulnerable to an attack, there wouldn’t be a patch readily available to fix the problem, so attackers can capitalize on exploiting networks and servers to steal data, or install malware until the flaw has been fixed.

In 2010, the Stuxnet worm, designed by the US and Israeli intelligence, used several zero-day exploits to infect industrial control systems in Iran. 

The worm was designed to cause significant physical and financial damage to centrifuges in Iran’s nuclear program.

And it did.

3. Malware Attacks

Malware is a combination of two words – Malicious and Software.

That doesn’t sound good, does it?

Because it isn’t. Malware it disrupts a computer, network, or server to change how it operates, destroys data, or spies on network traffic.

The number of malware installed daily is actually alarming.

According to the AV-Test Institute, there are over 450,000 new malicious programs and potentially unwanted applications (PUA) installed daily.

Malware-based cyber attacks are so powerful that most of the cyber attacks will discuss later on are closely tied to malware. 

Why?

It’s because malware can take many forms, such as viruses, spyware, and trojans.

Hackers may lure you into downloading and installing malware on your device. 

Once it’s there, the job is DONE!

The malicious script runs in the background, bypassing your antivirus and firewalls such as Windows Defender.

This allows hackers to access sensitive data stored in your system. In some cases, they may hijack your device and take control of it.

Something similar happened in 2017.

You may have heard about the NotPetya malware attack that hit thousands of computers in Ukraine and the world. 

At the time, it was the most devastating cyber attack since the advent of the Internet. 

You’ll be surprised at how it happened.

The malware was spread via a software patch (a quick fix to improve security vulnerabilities or remove bugs) from a Ukrainian accounting software company. Once installed, it would quickly encrypt a computer’s hard drive.

See? That’s how easily you could become a victim of such malware attacks.

NotPetya caused billions of dollars in damages.

Here’s an interesting thing to know about malware attacks.

They typically require action from you before it can infect your device. You have to download, receive, or install the software.

As the first line of defense, it’s critical to scrutinize the type of software or programs you install on your device, the links you click, and the emails and attachments you read and open.

Ensure you also install firewalls like Bitdefender, Norton 360 Deluxe, and Avast Premium Security.  

4. Why You Should be Worried About Distributed Denial of Service (DDoS) Attacks

A DDoS attack may sound like something organizations should be worried about.

Yes, they should.

But, it can also affect you.

This attack overwhelms a network or website with false requests, which disrupts regular business operations.

When a DDoS attack happens, users can’t perform routine tasks like accessing their email, websites, or any other compromised resource.

Have you ever tried accessing a website or social media platform, but you couldn’t because it was down? 

A DDoS attack may be the likeliest reason. The platform may have been experiencing a DDoS attack.

Just a year before the countless attacks in 2017, domain service provider, Dyn, was hit by a DDoS attack. This disrupted access to popular platforms like Netflix, Twitter, and Spotify, affecting millions of users globally.

DoS and DDoS are often used interchangeably. But they are quite different.

The only difference between DoS and DDoS is that the former originates from one system while the latter is launched from multiple systems. 

Organizations usually find it harder to block DDoS attacks because it involves identifying multiple systems that must be mitigated.

Although most DoS attacks do not result in data loss and are usually resolved without a ransom, they cost the organization time, money, and other resources to restore critical business operations.

5. Man-in-the-Middle (MITM)

MITM attacks happen when an attacker intercepts or eavesdrops on the communication between two parties.

Let me explain how this works.

Imagine I am the attacker who is trying to eavesdrop on your conversation. The moment you visit a website as a user and send information, I could stand in between the communication between you and the website.

It’s like you’re at the park and there’s a creep eavesdropping on a conversation with your spouse.

For example, if you try to log into your online banking app, I would typically stand in between (man in the middle).

So, every time you enter your password or do anything, I’ll be able to see what you’re doing in plain text.

This means I’m “eavesdropping.”

But it’s not only personal information I as the attacker might be able to collect.

What if you just shared a secret with a friend? Or do they send a picture that no one else should see?

I could steal it and blackmail you into giving money or I would release it to the public.

You may be wondering how this happens.

It’s because most of us expose ourselves to these attacks by connecting to free Wi-Fi.

This is because an attacker might create a fake Wi-Fi hotspot or an “evil twin.” Once you connect to the network and use it to access any platform, the attacker can steal your login credentials or any other sensitive information.

As a rule of thumb, I advise people not to use public Wi-Fi.

Most people make an excuse by saying they only access secure websites with the “padlock” symbol and HTTPS. But did you know 95 percent of HTTPS servers are still vulnerable to MITM attacks?

The best way to protect yourself from MITM attacks is to avoid public networks, install firewalls, and enable antivirus software.

✎ Read: What Is Shoulder Surfing? How It Happens & How to Avoid It ➔

6. Session Hijacking

Session hijacking is a form of man-in-the-middle attack where the attacker takes over a session between the client and the server.

The attacker’s computer switches its IP address for the client’s address and continues communicating with the server without requiring authentication.

Hackers can do anything the client’s account can do once they’ve hijacked a session.

In 2019, a hacker, alleged to be Paige Thompson, used session hijacking to steal the personal records of more than 100 million Capital One customers. 

The former Amazon employee and software engineer allegedly broke into the company’s confidential data using a misconfigured firewall.

Unfortunately, this could be the case with many other companies.

We only know Paige’s story because she was caught. Who knows? There could be many others out there!

7. Ransomware

Image by Mohamed Hassan

Ransomware is like the blackmail of cyber-attacks.

I hope you’ve never been blackmailed, but if you have, you know how difficult that is.

Basically, the ransomware attack encrypts your files or system, so you can’t access them without the decryption key. 

The hacker then demands payment, usually in cryptocurrency, in exchange for the decryption key.

As you may have noticed from the name, it is also a type of malware. 

It feels like 2017 was the year of cyber-attacks.

Did you hear about the WannaCry ransomware attack? It hit computer systems in over 150 countries infected over 200,000 computers and caused billions of dollars in damages.

The attackers demanded ransom payment in Bitcoin, which many victims were forced to pay to regain access to their files, including photos, tax documents, etc. 

But if you thought that was too much, wait till you hear about the 2022 attack.

In the first half of 2022 alone, there were about 236.7 million global ransomware attacks.

These frequent attacks are both sad and scary at the same time.

Think of the many victims and how these attacks have affected them. Nobody wants to be them.

It’s clear ransomware attacks are growing, and protecting your devices is critical.

Listen, ransomware can be embedded in websites or email attachments, which when downloaded, encrypts your files. 

As such, it’s important to be vigilant regarding the sites you visit and the links to click on.

You should also consider antivirus software like Malwarebytes.

8. Structured Query Language (SQL) Injection

This is more common than many organizations realize. And that’s dangerous.

According to research by Positive Technologies, 73 percent of vulnerabilities discovered in web applications between 2020 and 2021 were related to SQL injection.

How does SQL Injection happen?

Here’s a breakdown:

When you register on most websites, the platform keeps your account information, like logins and passwords, in a SQL database.

Unfortunately, attackers can inject malicious SQL code or commands into a vulnerable website’s SQL database. 

You can see this is bad news for any website owner – and you, the innocent visitor who just wants to access your favorite content.

These commands can read sensitive data, and modify database data.

What’s more? They can even initiate executive functions like shutting down the entire system.

As you may well know, the prospect of that happening is CATASTROPHIC for many reasons.

If that happens, then the attacker gains access to the information kept in the database, allowing them to manipulate the data for their purposes.

In 2017, credit bureau Equifax suffered a massive data breach that affected the records of over 143 million people. 

You may be wondering how this could happen to Equifax of all organizations. But that’s the reality. No one is immune to these attacks!

The attackers launched a SQL injection on the credit reporting agency’s website, gaining access to their database and stealing sensitive data.

Equifax was eventually forced to pay $575 million in damages. 

That is only one example of the many times companies have to pay these insane amounts of money.

How about their reputation?

They could lose many customers within a matter of days!

9. How DNS Tunneling Could Affect You

I like to see DNS tunneling as a type of “spy” like you would watch in movies.

Why?

It’s dangerous and through it, attackers can remain undetected. They are there, but even your firewalls can’t spot them.

Now, that’s troubling. 

Hackers use DNS tunneling to sidestep network security measures by tunneling other forms of traffic through DNS queries and responses. 

This enables the attacker to send and receive data while remaining undetected by firewalls.

During a DNS tunneling attack, hackers will typically insert malicious code within DNS queries and responses – which are ignored by most security programs.

DNS tunneling attacks are especially dangerous because they frequently go unnoticed for days, weeks, or even months.

This enables cybercriminals to steal sensitive data, change code, install new access points, and engage in other nefarious activities until they are detected. 

DNS spoofing or DNS poisoning is a related type of cyber attack.

When an attacker injects false DNS data into a DNS server’s cache in order to redirect traffic to a malicious website, this occurs.

Let’s discuss examples in case any of this is unclear.

Just like you would on any other day, you could type “google.com” into your web browser, but a different page chosen by the attacker loads.

But you’re sure you typed the wrong address. At that point, you don’t know.

So, you just continue using the bogus site, leading to significant consequences.

10. Cross-site Scripting (XSS) Attacks

If any of these names sound too technical, you don’t have to remember their names.

There isn’t an exam coming. The most important thing is to be familiar with what these attacks look like.

So, once you see them, you can identify them immediately.

XSS is a type of code injection attack in which an attacker inserts malicious code in a legitimate website, usually through a vulnerable input field such as the search bar, contact form, or comment section.

The malicious code is executed when you visit the website, allowing attackers to steal your sensitive information or hijack your account.

You’ll typically see XSS attacks on message boards, web forums, or any other site that allows User-Generated Content (UGC).

An example of this happened in 2018.

A group of hackers used an XSS attack to steal the personal data of Ticketmaster customers. 

The attackers inserted malicious code into Ticketmaster’s payment page, allowing them to steal the payment card details of their customers.

Unfortunately, the attack affected up to 40,000 customers, and Ticketmaster was slapped with a hefty $1.65 million fine.

11. Cryptojacking

If you thought your car was the only thing that could be hijacked, I am about to convince you otherwise.

We all know how popular cryptocurrency has become lately.

And unsurprisingly, cyber-criminals have found a way to commit fraud through it.

No, this isn’t committing fraud and using crypto to collect the money.

Cryptojacking is a little different. It is when attackers use a victim’s device to mine cryptocurrency without their consent or knowledge.

Typically, the cybercriminal injects malicious code into the application or website and uses the victim’s computer or mobile device to mine cryptocurrency in the background.

Cryptojacking attacks have increased recently.

Another attack like this happened in 2018.

Hackers were able to mine Monero cryptocurrency with the processing power of more than 4,200 websites, including government websites. 

12. Password Attacks

This is exactly what it sounds like; “passwords” and “attacks.”

Simply put, hackers are trying to guess, crack, or trick you into sharing your passwords.

Did you say “Good luck with that”? I wish it weren’t so easy for these scammers.

They’ve got many tricks up their sleeves and you shouldn’t be dismissing their techniques.

Let’s do a breakdown of these attacks below:

The most effective way to protect yourself from password attacks is to use a strong password. 

Make sure your passwords are at least 15 characters with a combination of numbers, letters, and symbols. Ensure you don’t reuse passwords across multiple accounts and change your passwords every three months.

Because I always generate unique passwords for my many accounts, I struggle to remember them. That’s why I use a secure, open-source password manager called Bitwarden. Many antivirus programs and identity theft protection services also include some form of password manager/vault.

You should also enable multi-factor authentication because it adds an extra layer of security against password attacks.

✎ Read: How To Protect Your Password From Being Hacked ➔

13. Identity Attacks

Identity-driven attacks comprise various cyber attacks that compromise your identity. 

These attacks aim to commit identity theft, sell your ID on the dark web, or use your account on a platform after it has been hijacked. 

When a valid user’s login details have been compromised, and an attacker is masquerading as that user, traditional security measures and tools can make it hard to differentiate between the user’s typical behavior and that of the hacker.

Common identity attacks include silver tickets, credential stuffing, kerberoasting, and pass-the-hash attacks. These types of cyber attacks all aim to steal a user’s identity and access their accounts.

For instance, credential stuffing occurs when an attacker uses a list of compromised login credentials to access user accounts across multiple websites or systems.

✎ Read: Identity Theft Protection Guide: Does It Really Work? ➔

14. Insider Threat

Insider threat is exactly what it sounds like.

It is a cyber attack that’s carried out by someone with legitimate access to a company’s systems or data. 

This could be employees, contractors, or even business partners.

Phillip Cummings worked for a software company in Long Island as a help desk consultant. 

After quitting the job, he took a spreadsheet containing the login credentials of the company’s customers.

He then sold the customers’ credit reports for about $30 each, netting between $50 to $100 million from 33,000 customers.

At the time, it was the largest identity theft case in US history.

Recently, a former Tesla employee allegedly hacked into the company’s manufacturing operating system to steal sensitive data.

Although he had been fired by Tesla, he still had access to the company’s systems and exploited the privilege.

Martin Tripp, the employee, was ordered to pay $400,000 in damages.

15. Drive-By Attacks

Drive-by attacks occur when cybercriminals use malicious code on a website to infect a visitor’s device. 

If the website you visit has certain vulnerabilities and your device isn’t adequately protected, hackers can exploit it.

In most cases, the security vulnerability will be within a web browser or a plugin. 

It’s important to always protect yourself with a strong firewall, use a VPN, and enable antivirus software on your device.

16. Watering Hole Attacks

What comes to mind when you hear a “watering hole attack”?

It is similar to spear phishing but not quite. 

Let’s say I (Mr. G) am the attacker, for instance.

I could check to see a website that my target audience usually visits. For example, I could be targeting government employees or contractors.

It could also be a particular company’s employees.

If there’s a place these people go to regularly, that website is where I will attack.

Once I compromise the website, I’ll typically infect it with malware that exploits any security vulnerability. 

Then, I’ll wait for visitors to arrive.

As soon as people start visiting the site, the malware I injected into it will be downloaded into their device without them knowing.

To them, they’re just on a site they visit practically every day. But, they don’t know there’s malware on their phones or computers already.

As the attacker, I can use the malware to gain access to the visitor’s network or collect sensitive information like login credentials or financial information.

In 2021, Google’s Threat Analysis Group (TAG) discovered prevalent watering hole attacks targeting visitors to Hong Kong media and pro-democracy websites. The malware infection would create a backdoor that would give hackers access to their targets’ Apple devices.

Another watering hole attack happened in 2015 when hackers believed to be associated with the Chinese government targeted the US government’s Office of Personnel Management.

The attackers infected a website used by government employees with malware. They stole sensitive information, including the PII of government employees, such as addresses, social security numbers, and financial information.

17. SIM Swapping

SIM swapping or port-out scam is a relatively new cyber attack.

Here, an attacker contacts your mobile phone’s carrier and convinces them to transfer your phone number into a SIM card that the attacker controls. 

Before an attacker can convince your mobile phone carrier, they usually already have some information about you already. 

You may be wondering how they got your information, right?

Well, I can think of many examples.

For instance, they could have bought your information from the dark web. Or maybe you’re someone who likes posting lots of personal information or life updates. So, they could have also collated it from your social media posts.

Your carrier only needs the right information to believe you’re the one.

So, as soon as they can do that, the carrier transfers your phone number to the new SIM card.

Once this happens, the scammer now controls your phone number. You will no longer receive calls or texts on your phone as they’ll be redirected to the scammer’s SIM.

This may seem like too much work. Why would a scammer go through so much stress just to do this?

Well, they swap SIMs to bypass two-factor authentication.

This means they probably have your username and password already. 

They just need the One-Time Password (OTP) sent to your device.

Rather than SIM authentication, I recommend using authenticator apps like Google Authenticator, Authy, or Microsoft Authenticator.

You should also keep logins and passwords safe, especially those you use to access credit card accounts or online banking.

Other types of cyber attacks include trojans, Cross-Site Request Forgery (CSRF), scareware, keystroke loggers, and Rootkits.

How Individuals Can Prevent Cyber Attacks?

Cyber attacks always seem like a company’s problem at first – until you become the victim. And, even then, many people fail to take action, which can be disastrous.

About 1 in 10 organizations in the US have no insurance against cyber attacks. So, relying on a company alone to protect you from cyber attacks isn’t safe. 

Here are ways to protect yourself from cyber attacks.

How Companies Can Prevent Cyber Attacks?

Cyber attacks affect companies and individuals alike. Here’s how a business can prevent the different types of cyber attacks I’ve listed above:

Conclusion

Identifying a potential cyber attack can save you from severe financial and reputational damage.

I’m sure you don’t want to pay someone else’s debts, expose private information, or even spend time in jail.

Why would anyone want to do that?

Don’t underestimate the intelligence of scammers. Plus, they’re desperate. 

They will go to any length to scam you.

These simple steps are proactive and preventative. And they can save you from dire consequences.

Related Articles About Securing Your Devices: