Top 10 Common Cyber Attacks and How They Work

Anagh EshaanAnagh Eshaan
7 min read

Introduction

  • We live in a world where almost everything is online like shopping, banking, work, even our social lives.

  • But with all that convenience comes a not-so-fun side: cyber attacks.

  • Hackers don’t always need to “break in” using fancy tools. A lot of the time, they just trick people into opening the door for them.

  • In this post, I’ll walk you through 10 of the most common cyber attacks, explain how they actually work, and share why knowing about them can help you protect yourself (and maybe even your friends and family) from falling for them.

Phishing

  • Phishing is like a digital con job.

  • Attackers send fake emails, texts, or messages that look like they’re from someone you trust , say your bank, a delivery company, or even your boss.

  • The goal? To trick you into clicking a link or giving away personal information like passwords or credit card numbers.

  • They often create a sense of urgency: “Your account will be suspended unless you act now!” — which pushes people to react without thinking.

  • Tip: Always double-check the sender’s email address and hover over links before clicking. If something feels off, it probably is.

Malware

  • Think of malware as unwanted software with bad intentions.

  • It sneaks onto your device, often through suspicious downloads, infected email attachments, or malicious websites, and then gets to work causing trouble.

  • Malware can steal your data, spy on you, lock your files for ransom, or even take control of your device entirely. It comes in various forms : viruses, worms, trojans, spyware, each having a different effect on your system.

  • Tip: Keep your operating system and antivirus software updated, and never download software from sketchy sources.

Ransomware

  • Ransomware is like a digital hostage-taker. Once it gets into your system, it encrypts your files so you can’t access them and then demands a ransom (usually in cryptocurrency) to unlock them.

  • It often spreads through phishing emails, malicious links, or exploiting security flaws in outdated systems.

  • The worst part? Even if you pay, there’s no guarantee you’ll get your files back.

  • Tip: Keep regular offline backups of important files, and be extra careful when opening unexpected attachments or clicking unfamiliar links.

Denial Of Service

  • A DoS attack is like flooding a shop with fake customers so the real ones can’t get in.

  • In the digital world, attackers overwhelm a server or network with massive amounts of traffic, making it slow or completely unavailable to real users.

  • When multiple machines are used, it becomes a Distributed Denial of Service (DDoS) attack, which is even harder to stop.

  • Tip: Businesses often use load balancers, traffic filtering, and specialized anti-DDoS services to defend against these attacks.

SQL Injection

  • Imagine asking a waiter for a sandwich, but instead, you sneak in extra instructions telling the chef to give you the entire kitchen inventory. That’s SQL Injection in a nutshell.

  • Websites store data (like usernames, passwords, or transactions) in databases.

  • If input fields (like login boxes) aren’t properly secured, attackers can insert malicious SQL commands instead of normal input.

  • This can let them read, change, or delete data they shouldn’t have access to.

  • Tip: Developers can prevent SQLi by using prepared statements, parameterised queries, and proper input validation.

Cross-site Scripting (XSS)

  • Think of XSS like slipping a fake sign into a store’s window that tricks customers into giving you their credit card details.

  • Except here, the “store” is a website, and the “sign” is malicious code.

  • With XSS, attackers inject malicious JavaScript into a web page that other users visit.

  • When those users load the page, the script runs in their browser and performs operations like stealing cookies, hijacking sessions, or redirecting them to phishing sites.

  • Tip: Developers can defend against XSS by sanitising user inputs, escaping outputs, and using Content Security Policy (CSP) headers.

Man-In-The-Middle (MITM)

  • Imagine having a private conversation with a friend, but someone quietly sits between you two, listening and occasionally changing the words. That’s a MITM attack in the digital world.

  • In a MITM, attackers intercept the communication between two parties (like you and your bank’s website) without either side knowing.

  • They can eavesdrop, steal data, or inject malicious content into the conversation.

  • Public Wi-Fi hotspots are a common hunting ground for this.

  • Tip: Use HTTPS everywhere, avoid untrusted Wi-Fi for sensitive transactions, and consider a VPN for an extra shield.

Password Attacks

  • Think of your password as the key to your house, if someone gets it, they can walk right in.

  • Password attacks are when hackers try to guess, steal, or crack that key to access your accounts or systems.

    They might use:

    • Brute force – Trying every possible combination until they get in.

    • Dictionary attacks – Cycling through common passwords (like 123456 or password).

    • Credential stuffing – Using stolen passwords from one breach to try on other accounts.

  • Tip: Use long, unique passwords and enable multi-factor authentication (MFA). A password manager makes this much easier.

Zero-Day Exploits

  • A zero-day exploit targets a software flaw that the vendor doesn’t even know exists yet. Meaning there’s no patch or fix available.

  • Hackers strike before the vulnerability is discovered and fixed, making it especially dangerous.

  • Think of it like finding an unlocked back door to a building before the owner even realises the door exists.

  • Why it’s scary:

    • There’s no defense in place when the attack happens.

    • It often targets widely used software, potentially affecting millions.

  • Tip: While you can’t directly stop a zero-day, you can reduce your risk by keeping software up to date, using layered security tools, and monitoring systems for unusual behavior.

Insider Threats

  • Not all cyber threats come from shadowy hackers on the internet.

  • Sometimes, the danger is already inside your organization.

  • Insider threats come from employees, contractors, or business partners who have legitimate access to systems but misuse it, either intentionally (malicious insiders) or accidentally (careless insiders).

  • Example: An employee leaking sensitive company data to a competitor, or clicking on a phishing email from their work account.

    Why it’s tricky:

    • The person already has access, so many traditional defenses won’t flag them.

    • It can be motivated by money, revenge, ideology — or just simple negligence.

  • Tip: Use the principle of least privilege, monitor access logs, and build a strong security culture so employees are aware of risks.

BONUS : Social Engineering

  • Sometimes, the easiest way for attackers to get in isn’t by hacking a computer. It’s by hacking a person.

  • Social engineering is all about manipulating people into revealing information, clicking malicious links, or granting access they shouldn’t.

  • Example: A scammer pretending to be IT support calls you, saying they need your password to “fix an urgent issue.”

    Why it’s dangerous:

    • It bypasses technical defences entirely.

    • Plays on human emotions like trust, fear, or urgency.

  • Tip: Always verify identities before sharing sensitive information, and train yourself (and your team) to recognise common manipulation tactics.

Final Thoughts

  • Cyber attacks come in many shapes and sizes , from technical exploits like SQL injection to purely human tricks like social engineering.

  • While each attack has its own unique mechanics, they all share a common goal: to compromise systems, data, or trust.

  • The good news? Awareness is your first and strongest line of defense, which is what this blog intends to provide.

  • By understanding how these attacks work, you’re already taking a step toward protecting yourself and your organization.

  • Combine that knowledge with good security habits, ongoing training, and the right tools, and you’ll be far harder to target.

  • Cybersecurity isn’t about being 100% invincible, it’s about staying one step ahead.

What’s Next ?

  • My next blog will cover "Internet Protocols 101: What They Are and Why They Matter.”

  • This is the 5th blog of the series where I document my path from beginner to cybersecurity professional, one certification, one tool, one lab and one concept at a time.

0
Subscribe to my newsletter

Read articles from Anagh Eshaan directly inside your inbox. Subscribe to the newsletter, and don't miss out.

#cybersecuritycyberattack

Written by

Anagh Eshaan
Anagh Eshaan

An aspiring cybersecurity engineer.