17 Types of Cyber Attacks Commonly Used By Hackers

Share this:

J.R. Tietsort

Chief Information Security Officer at Aura

In this article:

    Identity theft and fraud protection for your finances, personal info, and devices.

    See pricing
    Share this:

    Can You Defend Yourself Against Hackers?

    The average American household contains at least 22 connected devices, including laptops, phones, and smart devices [*]. And every single one of those devices is an entryway for a cyber attack. 

    Cyber attacks have not only become more prevalent, they’ve also become easier to pull off. Hackers can buy “subscription-based” malware attacks on the Dark Web as easily as you sign up for a Netflix or Spotify account. 

    According to a NETSCOUT Threat Intelligence report, there were ~6 million cyber attacks in the first half of this year alone [*]. 

    The good news is that you don’t need to be a cybersecurity expert to shut out most cyber attacks. In this guide, we’ll explain how cyber attacks work, the common attacks you should be aware of, and how to protect yourself and your family. 

    How Do Cyber Attacks Happen?

    Cyber attacks occur when an individual, group, or organized gang attempts to maliciously breach the security system of another person or organization. 

    While this might prompt you to envision hackers breaking into an online banking system to steal billions, the most common example of a cyber attack is a data breach.

    Data breaches take place when hackers bypass a company or organization’s security and steal sensitive information. They use this information for extortion, to commit other frauds, or to sell it on the Dark Web. 

    In the first quarter of 2022, the number of data breaches rose by a 14% compared to the same period in 2021 [*].

    But data breaches are only one of the consequences caused by cyber attacks. 

    Attacks can be used to gain personal information and allow cybercriminals to commit identity theft. Or, they could be used by malicious groups to cripple an organization’s networks. 

    Recently, you’ve probably even heard about full-on cyber warfare. This is when nation-backed hackers attempt to leak sensitive data, destroy computer networks, and even shut down banking and power infrastructure.

    The damage from these attacks can be severe. On average, data breaches cost companies over $4 million. Individuals, too, could potentially lose everything if a hacker gets access to their online accounts and sensitive information such as Social Security numbers and birthdays. 

    Emerging cybersecurity threats and cybercrime are only going to get worse in the near future. So, what types of attacks should you be aware of? And how can you protect yourself? 

    Take action: If your computer or phone is compromised by a cyber attack, your bank account, email, and other online accounts could also be at risk. Try Aura’s identity theft protection free for 14 days to secure your devices and identity against hackers.

    Here’s How To Keep Your Devices Safe from Cyber Attacks

    With the sheer number of possible cyber attacks, it can feel like there’s no way to stay safe. But there are a few essential steps that you can take to secure your devices and protect your sensitive files from cyber criminals: 

    • Install antivirus software with malware protection. Protect your devices from hackers using modern antivirus software. This ensures that even if you accidentally click on a link or download an attachment, hackers won’t be able to install malware, ransomware, or other viruses on your device.
    • Use complex passwords and enable multi-factor authentication. Passwords are often your first — and only — layer of protection against cyber attacks. Use strong passwords that are at least eight characters long and combine letters, numbers, symbols, and cases. Whenever possible, enable multi-factor authentication on your accounts using an authenticator app (not SMS).
    • Learn the warning signs of a phishing attack (scam emails, texts, and calls). Beware of unsolicited emails, messages, and calls; and look for the signs of a scam email. Don’t click on links you don’t recognize or respond to messages you don’t trust. If someone calls, ask for their name and then hang up and call back on the organization’s official number.  
    • Regularly check your credit report and bank statements. Hackers are almost always after your financial accounts. Check for the warning signs of identity theft — such as strange charges on your bank statement or accounts you don’t recognize. An identity theft protection service like Aura can monitor your credit and statements for you and alert you to any signs of fraud.
    • Don’t ignore software or OS updates. Hackers use vulnerabilities in outdated software to stage their attacks. Keep your devices and software up-to-date and secure.
    • Use a VPN when using public Wi-Fi. Public Wi-Fi is easily hacked. Whenever you’re using it for anything sensitive — even checking your email — use a VPN to protect your data.
    • Avoid oversharing on social media and other sites. Everything you share becomes a part of your online footprint, which hackers can use to guess your passwords and security questions or launch social engineering attacks. Avoid oversharing, and protect your privacy on social media.
    • Sign up for identity theft protection. Aura protects your devices and networks with military-grade encryption and antivirus. We also constantly monitor your online accounts and sensitive information like your SSN, and we alert you if your accounts have been breached. Plus, every member of an Aura plan is covered by a $1,000,000 insurance policy for eligible losses due to identity theft. Try Aura’s 14-day free trial for immediate protection while you’re most vulnerable.

    📚 Related: Have I Been Hacked? How To Recognize & Recover From a Hack

    17 Different Types of Cyber Attacks

    1. Malware-based attacks (Ransomware, Trojans, etc.)
    2. Phishing attacks (spear phishing, whaling, etc.)
    3. Man-in-the-middle attacks
    4. Denial of Service attacks (DOS and DDoS)
    5. SQL Injection attacks
    6. DNS Tunneling
    7. Zero-day exploits and attacks
    8. Password attacks
    9. Drive-by download attacks
    10. Cross-site scripting (XSS) attacks
    11. Rootkits
    12. DNS spoofing or “poisoning”
    13. Internet of Things (IoT) attacks
    14. Session hijacking
    15. URL manipulation
    16. Cryptojacking
    17. Inside threats

    1. Malware-based attacks (Ransomware, Trojans, etc.)

    Malware refers to “malicious software” that is designed to disrupt or steal data from a computer, network, or server. 

    Hackers trick you into installing malware on your devices. Once installed, a malicious script runs in the background and bypasses your security —  giving hackers access to your sensitive data, and the opportunity to even hijack control. 

    Malware is one of the most commonly used cyber attacks. And there are multiple variations that you should be aware of:

    • Ransomware: This type of malware encrypts files on your system so you can’t access them until you pay a “ransom” (usually in cryptocurrency). There was a 80% increase year-over-year in ransomware attacks worldwide in 2022 [*].
    • Spyware: As the name suggests, this type of malware spies on your activities and sends data back to the hacker. This could include bank details, logins, and passwords.
    • Keyloggers: Keyloggers are similar to spyware, except that they track your activities. Everything you type (and the site you type it in) is sent to the hacker and can be used for blackmail or identity theft.
    • Trojans: Named after the famous Trojan horse, these types of malware “hide” inside a legitimate piece of software. For example, you might download what you think is antivirus software — only to have your device infected. 
    • Viruses: Viruses attach to programs and files and are triggered when you open them. Once active, a virus can self-replicate without your knowledge and slow down your device or destroy data. There are also "worms", which are viruses that move throughout your network from one infected computer to the next, giving hackers remote access to your entire system.

    Malware attacks can happen to individuals — like when you open a link in a phishing email. But they’re also used to attack businesses and organizations.

    In May 2021, JBS USA, the world’s largest meat supplier, was hit with a ransomware attack that shut down production at many of its plants. The company ended up paying a ransom of $11 million in Bitcoin to prevent further damage [*].

    Pro tip: Install antivirus with malware and phishing protection on your devices. Aura protects your devices and networks from malware and other cyber threats. Try 14-days free below!

    2. Phishing attacks (spear phishing, whaling, etc.)

    A phishing attack occurs when a cybercriminal sends you a fraudulent email, text (called “smishing”), or phone call (called “vishing”). These messages look like they’re from someone official or a person or business who you trust – such as your bank, the FBI, or a company like Microsoft, Apple, or Netflix. 

    In actuality, these messages are sent from imposters. If you reply with sensitive information such as your password, they can use it to take over your accounts. 

    Phishing and smishing messages may also instruct you to click on a link or open an email attachment that will either download malware to your device or send you to a phishing site designed to steal your information. 

    In many cases, phishing attacks cast a wide net and don’t target specific individuals (this makes them easier to identify). However, there are a few new phishing cyber attacks that are more targeted and harder to spot. These include:

    • Spear phishing attacks: These attacks are usually sent via email and target a specific individual. The hacker will use your personal information that they have bought on the Dark Web (or found in your online footprint and on social media) to make it sound more believable and get you to click on the link. 
    • Whaling: A whale phishing attack occurs when a hacker targets high-profile individuals, like CEOs and executives. The goal is to steal their credentials and get backdoor access to their company’s network. CEO fraud is now a $26-billion-a-year scam [*].
    • Angler phishing attacks: An Angler attack is a new type of phishing scam in which a hacker “baits” users on social media by pretending to be a well-known company’s customer service account. Scammers create accounts like “@AmazonHelp$” and then auto-respond to relevant messages by providing a link for you to talk to a “rep.” But really, it’s a scam designed to steal your information.

    Scammers are getting more sophisticated with phishing attacks which makes it harder to identify when you’re a target. 

    An example of a phishing email claiming to be from the IRS
    An example of a phishing email claiming to be from the IRS. Source: Verified.org

    A good rule of thumb is to always question unsolicited messages — especially from anyone claiming to be from a government agency or large corporation. If they call or message you, contact the company directly by obtaining contact information from their website instead of engaging with the message.

    📚 Related: The 11 Latest Telegram Scams To Watch Out For

    3. Man-in-the-middle attacks

    A man-in-the-middle attack (MitM) occurs when attackers intercept data or compromise your network to “eavesdrop” on you. These attacks are especially common when using public Wi-Fi networks, which can easily be hacked. 

    For example, let’s say you’re using the Wi-Fi at Starbucks and need to check your bank account balance. When you log in, a hacker can intercept your data and capture your username and password (and drain your account later). 

    MitM attacks can also be used to “spoof” conversations. Hackers insert themselves into your conversation and pretend to be the person you think you’re talking to. 

    In one extreme example, a hacker intercepted communications between a Chinese investor and a startup founder and got them to change the destination of a $1 million wire transfer [*].

    📚 Related: The 15 Types of Hackers You Need To Be Aware Of

    4. Denial of Service (DOS) and Distributed Denial of Service (DDoS)

    Many cyberattacks are meant to overwhelm servers, forcing services to shut down. 

    A denial of service (DOS) attack occurs when hackers use false requests and traffic to overwhelm a system and shut it down. A distributed denial of service (DDoS) attack is the same type of attack, except the hacker uses multiple breached devices at the same time. 

    The goal of these cyber attacks isn’t usually to steal data, but to halt or even shut down business operations. DDoS attacks have shut down sites like Twitter, SoundCloud, and Spotify, and even severely damaged Amazon’s AWS [*].

    5. SQL injection attacks

    Most websites use SQL databases to store sensitive information like logins, passwords, and account information. Hackers use an SQL injection attack to “trick” the database into giving up this information. 

    These attacks are a bit technical, but they come down to a hacker entering predefined SQL commands into a data-entry box (like a login or password field). Those commands can read sensitive data, modify database data, or even trigger executive functions (such as shutting down the system).  

    Just last year, 70 gigabytes of data was stolen from Gab — a far-right website — through an SQL injection attack [*].

    6. DNS tunneling

    DNS tunneling is a type of cyber attack that hackers use to bypass traditional security systems like firewalls to gain access to systems and networks. Hackers encode malicious programs within DNS queries and responses (that most security programs ignore). 

    Once the program is inside, it latches onto the target server, giving the hackers remote access. 

    DNS tunneling attacks are especially dangerous as they often go unnoticed for days, weeks, or months. During that time, cybercriminals can steal sensitive data, change code, install new access points, and even install malware. 

    In one example, cybercriminals used DNS tunneling to attack Air India and other airlines and steal passport details and credit card numbers. The “backdoor” was open for more than two months [*]. 

    Take action: If hackers gain access to your devices, they could break into your online bank account or take out loans in your name. Try an identity theft protection service to monitor your finances and alert you to fraud.

    7. Zero-day exploits and attacks

    Zero-day exploits are cybersecurity vulnerabilities that exist in a software or network without the manufacturer’s knowledge. For example, Apple might release a new version of iOS that accidentally contains a way for hackers to steal your iCloud information. Once they discover the flaw, the attacked company has “zero days” to fix it, as they’re already vulnerable. 

    A zero-day attack occurs when hackers use those vulnerabilities to get into a system to steal data or cause damage. In the first few months of 2022, Microsoft, Google, and Apple all had to patch zero-day bugs [*]. 

    One of the most dangerous zero-day vulnerabilities was discovered late last year when researchers found a vulnerability in “Log4J” — a Java-based utility that is used in everything from Apple’s iCloud to the Mars Rover.

    8. Password attack

    Password attacks comprise any cyber attacks in which hackers try to guess, brute force, or trick you into giving up your passwords. 

    There are a few different password-based cyber attacks you need to be aware of: 

    • Password spraying: This is when hackers attempt to use the same password across many accounts. For example, over 3.5 million Americans use the password “123456”.
    • Brute force: A brute force attack occurs when hackers create software that tries different combinations of usernames and passwords until finding one that works. They’ll often use logins leaked to the Dark Web because many people reuse passwords across accounts (this is also called the “Dictionary” method).
    • Social engineering: Social engineering attacks occur when hackers use psychology to trick you into giving up your password. For example, they might use a phishing email pretending to be from your bank and fool you into “confirming” your account details. 

    📚 Related: The Worst Instagram Scams Happening Right Now

    9. Drive-by download attacks

    Most cyber attacks require some action from you — like clicking on a link or downloading an attachment. But a drive-by attack (or drive-by download) occurs when you just browse an infected website. 

    Hackers take advantage of vulnerabilities in plug-ins, web browsers, and apps to install malware on your device without your knowledge.  

    Back in 2016, a drive-by download attack used vulnerabilities in Adobe Flash Player to install crypto-ransomware [*]. Once installed, victims were redirected to a site demanding 0.05 bitcoin to return access to their device.

    10. Cross-site scripting attacks

    A cross-site scripting (XSS) attack allows hackers to gain unauthorized access to an application or website. 

    Cybercriminals take advantage of vulnerable websites and cause them to install malicious JavaScript to users. When the code executes in your browser, the hacker is able to masquerade as your account and do anything you can do. 

    Sites vulnerable to XSS include message boards, forums, and web pages. These pages depend on user input that is not screened for malicious codes. But even larger sites are at risk. 

    For example, in 2014, a site vulnerability on eBay led to customers being redirected to malicious sites upon clicking on product links [*]. The sites displayed fake eBay login pages, prompting users to enter their details which were then stolen.

    11. Rootkits

    Rootkits are a type of malware that give hackers control and administrator-level access to the target system. Rootkits hide deep inside your device’s operating system, making them hard to detect but also incredibly dangerous. 

    A rootkit could allow hackers to steal sensitive information, install keyloggers, or even remove antivirus software. For example, in July 2022, Kaspersky uncovered a rootkit that can persist on a victim's machine even after a reboot or reinstallation [*].

    📚 Related: What To Do if Your SSN Is on the Dark Web

    12. DNS spoofing or “poisoning” 

    Domain Name System (DNS) spoofing allows hackers to send online traffic to a “spoofed” website. These sites look nearly identical to your destination (for example, the login page for your bank or a social media account). But any information you submit goes straight to the hackers, giving them access to your accounts. 

    Hackers can also use DNS spoofing to sabotage companies by redirecting their site visitors to a poor-quality site with obscene content. 

    In one famous example, Google’s homepage was spoofed in Romania and Pakistan [*], sending users to an unfamiliar site. Thankfully, in this case, the hacker did not seem to have malicious intent other than redirecting visitors. 

    13. Internet of Things (IoT) attack

    Internet of Things (IoT) devices, such as your smart speakers, TVs, and toys can also be the targets of cyber attacks. An IoT attack occurs when hackers steal data from a device — or string together multiple IoT devices into a botnet — that can be used for DDoS attacks. 

    IoT devices usually don’t have antivirus software installed, making them easy targets for hackers. Many of the world’s largest DDoS attacks used “bot armies” composed of IoT devices. It may seem unlikely, but even your “smart fridge” could be an unwitting soldier in a cyber attack.  

    14. Session hijacking

    Session hijacking is a type of man-in-the-middle attack in which the attacker “takes over” a session between a client and the server. The attacker’s computer swaps its IP address for the client’s address and continues to access the server, without needing any sort of authentication. 

    Once they’ve hijacked a session, hackers can do anything the client’s account could do. For example, let’s say you’re accessing your company’s internal database while on a work trip. If a hacker hijacks your session, they’ll gain access to all of your company files.

    Pro tip:
    Use a VPN to hide your location and protect your network from hackers. Aura uses military-grade encryption to ensure that hackers can’t intercept your messages or data.

    15. URL manipulation

    URL manipulation occurs when hackers alter the parameters in a URL address to redirect you to a phishing site or download malware. 

    For example, many people use URL shorteners to help remember long web addresses or specific pages. If hackers “poison” that shortened URL, they can send you to a phishing site designed to steal your personal information. 

    In other situations, hackers manipulate the URL to get the server to show pages they shouldn’t have access to. For example, they might enter “www.yoursitename.com/admin” to find your login page or enter “www.yoursitename.com/.bak” to get access to backup files. 

    16. Cryptojacking

    Cryptojacking is a cyber attack that secretly uses your computer’s processing power to mine for cryptocurrencies like bitcoin and Ethereum. This will severely slow down your computer systems and cause other potential vulnerabilities. 

    While not necessarily an “attack,” Norton is facing harsh criticism after revelations that their latest update quietly installed a cryptominer inside its antivirus software. 

    Take action: Protect yourself from the risks of identity theft and fraud with Aura’s $1,000,000 in identity theft insurance. Try Aura free for 14 days to see if it’s right for you.

    17. Inside threats

    Cyber attacks often come from an external threat like a hacking group. But there’s also the possibility of insider threats. 

    Inside threats occur when someone who works for a company purposefully steals data, gives someone unauthorized access, or leaks passwords.  

    For example, at the start of the COVID-19 pandemic, a disgruntled former staff member of a medical device packaging company used his administrator access to wipe over 100,000 company records [*].

    Don't Let Hackers Outsmart You. Aura Can Help

    The FBI’s Internet Crime Complaint Center received nearly 850,000 reports of cyber crime in 2021, with victims losing $6.9 billion to scammers [*]. 

    Cyber attacks aren’t slowing down anytime soon. But that doesn’t mean you can’t protect yourself from criminals who want to access your data or compromise your devices. 

    Learn how to recognize the warning signs of a cyber attack and the ways in which criminals come after your devices. And for added protection, consider signing up for Aura. 

    Ready for ironclad identity theft protection? Try Aura free for 14 days.

    Related Articles

    Illustration showing a warning symbol on top of a phone
    Internet Security

    How To Know if Your Phone Is Hacked (and What To Do)

    Scammers know your phone is a goldmine of sensitive accounts and personal information. Here’s how to know if your phone is hacked and what to do about it.

    Read More
    October 7, 2022
    Synthetic identity theft: Header image
    Identity Theft

    What Is Synthetic Identity Theft? (and How To Protect Yourself)

    Synthetic identity theft is the fastest-growing financial crime — and a hard one to detect. Learn how it works and how to stay safe.

    Read More
    January 23, 2023

    Try Aura—14 Days Free

    Start your free trial today**

    This is some text inside of a div block.

    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Suspendisse varius enim in eros elementum tristique. Duis cursus, mi quis viverra ornare, eros dolor interdum nulla, ut commodo diam libero vitae erat. Aenean faucibus nibh et justo cursus id rutrum lorem imperdiet. Nunc ut sem vitae risus tristique posuere.

    1. Financial identity theft and fraud
    2. Medical identity theft
    3. Child identity theft
    4. Elder fraud and estate identity theft
    5. “Friendly” or familial identity theft
    6. Employment identity theft
    7. Criminal identity theft
    8. Tax identity theft
    9. Unemployment and government benefits identity theft
    10. Synthetic identity theft
    11. Identity cloning
    12. Account takeovers (social media, email, etc.)
    13. Social Security number identity theft
    14. Biometric ID theft
    15. Crypto account takeovers