    Beginner · Lesson 1 of 5 · Foundations

    How Attackers Think — The Mindset Behind Every Modern Cyber Attack

    Most attackers are not in your office targeting you personally. They are running a business: cheap reconnaissance, automated targeting, and a profit motive. Understanding the four steps they follow — recon, lure, exploit, monetise — is the foundation every awareness lesson builds on.

    Reviewed by the HackersHub team — updated 13 May 2026 · 6 min read · Free to use — CC-BY-ND 4.0

    The scenario

    On a Wednesday afternoon a junior accountant at a 60-person Dutch logistics firm posts a photo on LinkedIn of her new desk: 'Excited to start at FastFreight BV! 🚚'. Visible behind her: a sticky note with her temporary password, a printed list of internal IBAN numbers, and the back of her laptop showing the company VPN client. By Thursday morning an attacker — who has never heard of FastFreight before — has scraped the photo via an automated LinkedIn watcher that flags new-hire posts at SME companies. The password is in clear text. The IBANs feed a targeted invoice-fraud lure. The VPN brand tells the attacker which off-the-shelf exploit kit to run. By Friday a €38,000 wire has been redirected from a real supplier payment. None of this was personal. It was assembly-line work — and the assembly line found her photo first.

    How the attack works

    Most cyber attacks follow a four-step pattern:

    1. Reconnaissance: the attacker collects public information about people and organisations from LinkedIn, company websites, leaked breach data, press releases, social media, GitHub and news articles. Tools like Maltego and theHarvester automate this, processing thousands of targets per hour.
    2. The lure: based on the recon, the attacker writes a credible pretext — an email, a phone call, a fake LinkedIn message — that names real people, real projects, real suppliers.
    3. Exploitation: the lure gets the victim to do something useful for the attacker — click a credential-stealing link, transfer money, install software, give up an MFA code.
    4. Monetisation: stolen credentials get sold on dark-market forums, stolen money gets routed through mule accounts, ransomware gets paid, intellectual property gets resold.

    The whole pipeline is industrialised. Generic mass attacks (NotPetya, WannaCry) hit millions of systems indiscriminately. Targeted attacks (BEC, APT) go after specific organisations only after the recon shows enough public information to make the lure work. Either way, the attacker rarely knows you personally — they know your role, your patterns, your suppliers and your most likely vulnerabilities, all assembled from public sources.

    What to watch for

    • Your own public footprint — LinkedIn, public posts, company-bio pages, photo backgrounds with sensitive info visible
    • Information about your colleagues that any stranger could see online and use to impersonate them to you
    • Any unsolicited contact that mentions real internal context — that context came from somewhere public
    • Unexpected attention paid to your role specifically — the more useful you are to an attacker, the more reconnaissance you'll attract

    What to do

    1. Audit what you publish about your work: every LinkedIn post, every team photo, every 'first day at X' announcement is reconnaissance fuel. Default to less.
    2. Assume the attacker already knows your name, role and reporting line: those are basically public. Don't rely on 'they wouldn't know who I am' as a defence.
    3. Apply the verify-out-of-band reflex to any unusual request: if the attacker is running an industrial pipeline, your single act of verification breaks their economics for this target.
    4. Report unusual contact, because it tells security where the attacker has reconnaissance: one report identifies a campaign that is also targeting your colleagues.

    Defence — for IT and policy

    Technical controls

    • Limit what your public domain leaks — minimise email-address publication, employee-listing pages, file-server indexable content
    • DMARC enforcement (p=reject) on your domain so attackers cannot freely spoof you
    • Phishing-resistant MFA across the company — closes the most common exploitation step
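    A small added check (example code, not from the HackersHub module) that tells you whether a DMARC record actually enforces the p=reject control listed above, or only looks like it does. The records below are constructed samples; a real check would read the TXT record published at _dmarc.<domain> via DNS.

```python
# Constructed sample DMARC TXT values (not taken from the page). In DNS these
# live at _dmarc.<domain>; None models a domain with no record at all.
SAMPLE_RECORDS = {
    "fastfreight.example": "v=DMARC1; p=reject; rua=mailto:dmarc@fastfreight.example",
    "weak.example": "v=DMARC1; p=none; rua=mailto:reports@weak.example",
    "partial.example": "v=DMARC1; p=reject; pct=50; sp=none",
    "missing.example": None,
}


def parse_dmarc(record):
    """Split a DMARC TXT value into a tag dict; None if it is not a DMARC record."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Return findings that weaken spoofing protection; [] means p=reject is
    enforced for the domain and its subdomains on 100% of failing mail."""
    tags = parse_dmarc(record)
    if tags is None:
        return ["no valid DMARC record: receivers apply no policy to spoofed mail"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or 'missing'}: spoofed mail is not rejected")
    sub_policy = tags.get("sp", policy).lower()  # sp defaults to p
    if sub_policy != "reject":
        findings.append(f"sp={sub_policy}: subdomains are not protected")
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100
    except ValueError:
        pct = 100
    if pct < 100:
        findings.append(f"pct={pct}: only {pct}% of failing mail gets the policy")
    if "rua" not in tags:
        findings.append("no rua: no aggregate reports, so spoofing goes unnoticed")
    return findings


def report_all(records=SAMPLE_RECORDS):
    """Map each domain to its findings so the weak ones can be listed at a glance."""
    return {domain: assess_dmarc(rec) for domain, rec in records.items()}
```

    Only the first sample passes cleanly; the others show the common half-measures (p=none, a partial pct rollout, unprotected subdomains) that still leave the domain spoofable.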

    Policy controls

    • Social-media guidance for staff: what's safe to post, what's not
    • Onboarding briefing covers attacker mindset before it covers controls — context first
    • No-blame reporting culture — every report tells security something they need to know

    Training frequency

    This lesson is best paired with a 'see what's public about you' exercise once a year: each employee googles themselves + their employer + their role and reports back what they found.

    Quick check

    Five questions. Answers and explanations appear after submitting.

    1. Why does an attacker most often have detailed information about your role and colleagues before contacting you?
    2. What is the four-step pattern most attacks follow?
    3. True or false: most cyber attacks against your company are personal.
    4. What is the single highest-leverage personal defence against the attacker mindset?
    5. Your photo shows a sticky note with a temporary password. The post gets 200 likes. Most likely outcome?


    This module has been approved by HackersHub in exactly this form, including the watermark. Free under CC-BY-ND 4.0. Want to adapt the content? Then remove our watermark first. — The HackersHub team. View licence terms.