The Threat Landscape
Who wants your data, why, and how they get it.
Why You Are a Target
The most common reaction to "you should improve your security" is "I have nothing worth stealing." That belief is the attacker's best friend. You have plenty.
| What You Have | Value to Attackers |
|---|---|
| Email account | Gateway to reset all other passwords |
| Bank accounts | Direct financial theft |
| Social Security Number | Identity theft, fraudulent credit |
| Personal photos | Extortion, blackmail |
| Social media accounts | Spread scams to your contacts |
| Computer resources | Cryptocurrency mining, botnets |
| Home network | Launch attacks on others |
Most attackers do not care who you are. They cast a wide net and keep whoever falls in.
Types of Attackers
Opportunistic Attackers
Most attacks are automated and untargeted:
| Attacker Type | Motivation | Methods |
|---|---|---|
| Script kiddies | Fun, bragging rights | Pre-made tools, easy exploits |
| Automated bots | Mass exploitation | Scanning, credential stuffing |
| Low-level criminals | Quick money | Phishing kits, ransomware-as-a-service |
These attackers go for easy targets. Basic security is enough to stop them.
Targeted Attackers
Rarer, harder to defend against:
| Attacker Type | Motivation | Targets |
|---|---|---|
| Professional criminals | Large financial gain | High net worth individuals |
| Stalkers/abusers | Control, harassment | Specific individuals |
| Corporate espionage | Trade secrets | Business owners, executives |
| Nation states | Intelligence | High-value targets |
Most people only ever face opportunistic attackers. Defend against those first.
Common Attack Vectors
How Attackers Get In
| Attack Vector | How It Works | Your Defense |
|---|---|---|
| Phishing | Trick you into revealing info | Verify before clicking/responding |
| Weak passwords | Guess or crack your password | Use password manager + long passwords |
| Password reuse | Use leaked password on other sites | Unique password per account |
| Malware | Malicious software installation | Don't run untrusted programs |
| Social engineering | Manipulate you psychologically | Verify unexpected requests |
| Unpatched software | Exploit known vulnerabilities | Update everything |
| Unsecured networks | Intercept your traffic | Use VPN on public WiFi |
Attack Chain Example
A typical end-to-end compromise:
- Reconnaissance. Attacker finds your email in a data breach.
- Initial access. Sends a phishing email about "account security".
- Credential theft. You enter your password on a fake login page.
- Account takeover. Attacker logs into your email.
- Lateral movement. Uses the email to reset other accounts.
- Financial theft. Accesses your bank, makes transfers.
- Covering tracks. Deletes sent mail, changes passwords.
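The later stages of this chain leave traces in a mailbox's activity log. The sketch below is an added example, not part of the original guide: it runs detection logic over constructed audit events, flagging a login from an unfamiliar address that is soon followed by password-reset mail from other services or by deleted sent mail and password changes. The event names, tuple layout, time window and IP addresses are assumptions made for illustration.

```python
from datetime import datetime, timedelta

KNOWN_IPS = {"203.0.113.10"}   # addresses this user normally logs in from (assumed)
WINDOW = timedelta(hours=2)    # how long after a suspicious login to keep looking

# Constructed audit events (not real logs): (timestamp, action, ip, detail).
EVENTS = [
    ("2024-05-01T07:30:00", "login", "203.0.113.10", ""),
    ("2024-05-01T09:00:00", "login", "198.51.100.7", ""),
    ("2024-05-01T09:04:00", "reset_mail", "", "shop.example"),
    ("2024-05-01T09:06:00", "reset_mail", "", "bank.example"),
    ("2024-05-01T09:15:00", "sent_deleted", "198.51.100.7", ""),
    ("2024-05-01T09:20:00", "password_changed", "198.51.100.7", ""),
    ("2024-05-02T10:00:00", "reset_mail", "", "forum.example"),
]

def find_takeovers(events, known_ips=KNOWN_IPS, window=WINDOW):
    """Return one finding per login from an unfamiliar IP that is followed,
    inside the window, by at least one later stage of the attack chain."""
    parsed = sorted((datetime.fromisoformat(ts), act, ip, info)
                    for ts, act, ip, info in events)
    findings = []
    for when, act, ip, _ in parsed:
        if act != "login" or ip in known_ips:
            continue  # only logins from unfamiliar addresses start a finding
        after = [e for e in parsed if when < e[0] <= when + window]
        resets = sorted({info for _, a, _, info in after if a == "reset_mail"})
        stages = ["account takeover"]
        if resets:  # reset mail from other services arriving in this inbox
            stages.append("lateral movement")
        if any(a in ("sent_deleted", "password_changed") for _, a, _, _ in after):
            stages.append("covering tracks")
        if len(stages) > 1:  # an odd login alone is not reported
            findings.append({"login_ip": ip, "time": when.isoformat(),
                             "stages": stages, "reset_services": resets})
    return findings

if __name__ == "__main__":
    for finding in find_takeovers(EVENTS):
        print(finding)
```

A login from a new address with nothing after it is deliberately not reported, since travel and new devices produce those all the time; the signal is the combination of stages.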
The Underground Economy
Your data has actual market value:
| Data Type | Approximate Value |
|---|---|
| Credit card with CVV | $5-25 |
| Full identity (SSN, DOB, address) | $30-100 |
| Bank login credentials | $50-200 |
| Email account password | $1-10 |
| Medical records | $250-1000 |
| Passport scan | $10-50 |
This data is bought and sold on dark web marketplaces. Your record may be sold many times to many buyers.
Data Breaches
How Breaches Happen
| Cause | Example |
|---|---|
| Poor security by companies | Unencrypted database exposed |
| Insider threats | Employee sells customer data |
| Third-party compromise | Vendor gets hacked |
| Misconfiguration | Cloud storage left public |
| Software vulnerabilities | Unpatched server exploited |
Notable Breaches and Impact
| Breach | Records Exposed | Data Leaked |
|---|---|---|
| Yahoo (2013-2014) | 3 billion accounts | Names, emails, passwords |
| Equifax (2017) | 147 million | SSN, addresses, credit data |
| Facebook (2019) | 540 million | Phone numbers, IDs |
| LinkedIn (2021) | 700 million | Email, phone, employment |
| National Public Data (2024) | 2.9 billion | SSN, addresses, names |
Your data is probably already out there. Check haveibeenpwned.com to confirm.
Emerging Threats
Current Trends
| Threat | Description | Personal Impact |
|---|---|---|
| AI-powered phishing | More convincing, personalized | Harder to spot fake messages |
| Deepfake scams | Fake audio/video | "Grandparent scams" with cloned voices |
| SIM swapping | Hijack your phone number | Bypass SMS two-factor auth |
| QR code phishing | Malicious QR codes | Links to fake sites |
| Smart home attacks | IoT device exploitation | Privacy invasion, network access |
Social Media Threats
| Risk | How It's Exploited |
|---|---|
| Oversharing location | Burglars know when you're away |
| Personal details | Password reset questions answered |
| Friend connections | Social engineering, impersonation |
| Photos with metadata | Location, device info exposed |
| Children's information | Identity theft, predators |
Threat Assessment for Individuals
Your Personal Risk Level
Risk varies. Look at your situation honestly:
| Risk Factor | Higher Risk If... |
|---|---|
| Financial | High net worth, cryptocurrency holdings |
| Professional | Executive, access to sensitive data |
| Personal | Public figure, activist, journalist |
| Family | High-conflict custody, domestic abuse |
| Online presence | Large following, controversial opinions |
Prioritize Your Defenses
| Everyone Should | Higher-Risk Individuals Should Also |
|---|---|
| Use password manager | Use hardware security keys |
| Enable 2FA everywhere | Freeze credit at all bureaus |
| Keep software updated | Use separate devices for sensitive work |
| Be skeptical of messages | Consider identity theft protection |
| Back up important data | Use encrypted communications |
The Human Factor
Technology is half of it. Most attacks succeed by manipulating people, not machines:
| Psychological Trigger | How It's Exploited |
|---|---|
| Fear | "Your account will be closed!" |
| Urgency | "Act now or lose access!" |
| Authority | Fake emails from "CEO" or "IRS" |
| Curiosity | "See who viewed your profile" |
| Greed | "You've won $1 million!" |
| Helpfulness | "I'm from IT, I need your password" |
The best defense is to slow down. Verify through an independent channel.
Building Your Security Mindset
Questions to Ask Yourself
Before acting on any unexpected request:
- Who is asking? Verify identity through a known channel.
- Why now? Urgency is suspicious by default.
- What is the worst case? Imagine being wrong.
- Does this make sense? Trust your gut feeling.
- Can I verify? Call the company on a known number.
Healthy Paranoia vs. Anxiety
| Healthy Paranoia | Unhealthy Anxiety |
|---|---|
| Verify unexpected requests | Fear all technology |
| Use strong unique passwords | Change passwords obsessively |
| Be cautious with links | Refuse to use internet |
| Check account activity | Check accounts constantly |
| Stay informed about threats | Doom-scroll security news |
Security should make your life work better, not make it narrower.
Key Takeaways
- Everyone is a target. Automated attacks do not care who you are.
- Most attacks are opportunistic. Basic hygiene blocks most of them.
- Your data has market value. Email, identity, and bank access all sell.
- Phishing leads the field. Human manipulation is still the primary vector.
- Breaches are inevitable. Assume your data is already out there.
- Psychology drives the rest. Fear, urgency, and trust are the levers.
- Slow down. Most mistakes happen when you are rushing.
- Verify on a separate channel. Phone the company on a known number.
- Stay current. Threats shift; your habits should shift with them.
- Start with the basics. A password manager and 2FA stop most attackers.
Next Steps
Continue to 02-passwords.md for the foundation that stops most of these attacks: strong, unique passwords managed somewhere safe.