How a Cyber Attack Starts

(Before anyone knows there’s a problem)

Target Selection

“Attackers choose who to go after”

• Scan the internet for exposed systems.
• Identify organisations using vulnerable software.
• Target industries, company sizes, or regions.
• Select targets of opportunity — not always specific victims.

Most attacks aren’t personal. They’re opportunistic.

 

Information Gathering (Reconnaissance)

“Attackers learn how you work”

• Collect publicly available information.
• Review company websites, job postings, and social media.
• Identify technologies, suppliers, and email formats.
• Find employee names and roles.

Every public detail helps attackers build a picture.

 

Finding a Weakness

“One small gap is enough”

• Unpatched or outdated software.
• Weak or reused passwords.
• Exposed services or misconfigurations.
• Overly broad access permissions.

Attackers don’t need everything — just one opening.

 

Initial Contact

“The first interaction happens”

• Phishing emails or messages.
• Fake login pages.
• Malicious links or attachments.
• Attackers test stolen passwords against company accounts.

This is often the only moment a human is involved.

Exploitation

“The weakness is used”

• A user clicks a malicious link.
• A vulnerability is triggered.
• Stolen credentials are accepted.
• Malware is silently downloaded.

To the user, nothing looks wrong.

 

First Foothold

“The attacker gets inside”

• Access is gained to a single system or account.
• Malware runs in the background.
• A remote connection is established.
• Activity blends in with normal behaviour.

At this stage, the attack is already underway.

 

Hidden Setup

“Staying unnoticed”

• Tools are installed quietly.
• Access is tested and confirmed.
• Basic persistence is established.
• Activity is kept low and slow.

The longer attackers stay hidden, the more successful they become.
 

Most attacks succeed because of one of these things:
Unpatched systems, weak credentials, or human error