The scenario
A Dutch hospital's IT director, mid-incident at 03:00 on a Sunday, is trying to explain to the board what is happening. 'We were ransomwared,' she says. The board hears one word: ransomware. They ask why anti-virus didn't catch it. The actual story is more useful: an employee was phished (category 1) into giving credentials to an attacker, who used them to log into the VPN without MFA (category 2), then deployed ransomware across the network (category 3), pivoting through a flat internal network that hadn't been segmented (category 4). The phishing was the entry — the controls failed at every subsequent layer. Telling the board 'we were ransomwared' is technically correct but defensively useless. The story is a chain, and every category in the chain is a place to put a control. This module gives you the map.
How the attack works
**Category 1 — Phishing and social engineering.** Tricking a human into doing something useful for the attacker: clicking a credential link, transferring money, granting an OAuth app, reading aloud an OTP. Covered in depth in the Phishing track.

**Category 2 — Credential and authentication abuse.** Reusing passwords from prior breaches, stealing session cookies, bypassing MFA via push fatigue, social-engineering the helpdesk into resetting an account. Covered in the Passwords & Auth track.

**Category 3 — Malware and ransomware.** Software that gives attackers control of a device or holds it to ransom. Modern malware almost always arrives via Category 1 or 2; pure 'drive-by' malware is rare in 2026.

**Category 4 — Network and application exploitation.** Attacks against unpatched servers, misconfigured cloud, vulnerable web applications, or exposed services. This is what penetration testers spend most of their time on, and what makes the news as 'CVE-2024-X' headlines.

**Category 5 — Supply-chain compromise.** Attacks against a software vendor, SaaS provider, or service partner that propagate to that partner's customers. MOVEit, SolarWinds, 3CX, Okta-via-Sitel: all 2020s headline incidents. End users rarely cause supply-chain breaches, but they often discover them through unusual behaviour from a 'trusted' tool.

Almost every real incident is a CHAIN: it starts in one category and escalates through others. The defensive job is to put a control on each link.
What to watch for
- Category 1 (Phishing): unsolicited messages requesting action — credentials, money, OTPs, document approvals
- Category 2 (Credentials): MFA prompts you didn't initiate, password reset emails you didn't request, unfamiliar 'sign-in from new location' alerts
- Category 3 (Malware): unexpected file-encryption messages, system performance drops, programs you didn't install, browser pop-ups demanding payment
- Category 4 (Network/App): security advisories from vendors about CVEs you should patch, unusual traffic alerts from IT, services suddenly accessible to people who shouldn't have access
- Category 5 (Supply chain): a SaaS provider sending an unexpected 'we had an incident' email, a vendor pushing an unscheduled update, integrations behaving oddly
What to do
- When you spot something, name the category; it helps security respond faster. 'I think it's phishing', 'I got an MFA prompt I didn't initiate' and 'a file on my desktop encrypted itself' all route to different IR playbooks.
- Report, even when you're not sure what you're looking at. Security can categorise from context. Reporting rate is a leading indicator of awareness-programme maturity.
- Don't try to clean up yourself before reporting. Deleting evidence, rebooting devices, or 'just running a virus scan' destroys forensic context.
- Read the deeper-dive cluster that applies to your role. Finance teams: Phishing track. IT admins: Network/App + Credentials tracks. Everyone: Phishing + Passwords basics.
Defence: for IT and policy
Technical controls
- A defensive control aligned to each category: anti-phishing filtering and user reporting, phishing-resistant MFA, EDR, patch management, third-party risk management and SaaS-OAuth monitoring
- Layered architecture so a single-category failure does not become a full chain — network segmentation, least-privilege access, MFA on every privileged action
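The indicators listed under 'What to watch for' and the per-category controls above become concrete once you try to correlate them in a SIEM. The following script is an added example, not code from the original module: it replays the hospital scenario over a constructed, fictional log (one line per event; the field names, thresholds and host names are assumptions chosen for illustration, not any vendor's real format), tags each event with the attack category it belongs to, and reconstructs the chain 1 -> 2 -> 3 -> 4. Category 5 has no rule here because the scenario contains no supply-chain event. Every category that fires is a link at which a control (a URL rewrite, MFA on the VPN, EDR, segmentation) could have stopped the chain.

```python
"""Correlate constructed log events into an attack chain by category.

Added example, not part of the original training module. Log format,
thresholds and host names are assumptions; map them onto your own SIEM.
"""
from collections import defaultdict
from datetime import datetime, timedelta

CATEGORY_NAMES = {
    1: "phishing / social engineering",
    2: "credential and authentication abuse",
    3: "malware / ransomware",
    4: "network and application exploitation",
}

# Constructed sample log (fictional, not real data) retracing the scenario:
# "<ISO time> <source> key=value ...". a.bakker is a benign control case.
SAMPLE_LOG = """\
2026-03-01T02:40:12 mailgw user=j.devries action=url_click verdict=credential_lure
2026-03-01T02:52:03 vpn user=j.devries action=login result=success mfa=none src_country=RO
2026-03-01T02:55:30 vpn user=a.bakker action=login result=success mfa=push src_country=NL
2026-03-01T03:05:10 edr host=WS-041 user=j.devries action=file_rename ext=.locked count=1800
2026-03-01T03:06:00 netflow src=WS-041 dst=SRV-FILE01 dport=445
2026-03-01T03:06:02 netflow src=WS-041 dst=SRV-HIS02 dport=445
2026-03-01T03:06:05 netflow src=WS-041 dst=SRV-PACS01 dport=445
2026-03-01T03:06:07 netflow src=WS-041 dst=SRV-AD01 dport=445
2026-03-01T03:06:09 netflow src=WS-041 dst=SRV-BACKUP01 dport=445
2026-03-01T03:06:11 netflow src=WS-041 dst=SRV-LAB03 dport=445
"""

# Assumed thresholds; tune to your environment.
RANSOM_EXTS = {".locked", ".encrypted", ".crypt"}
RANSOM_MIN_RENAMES = 500          # mass-rename burst that signals encryption
LATERAL_MIN_HOSTS = 5             # distinct SMB targets from one workstation
LATERAL_WINDOW = timedelta(minutes=5)
HOME_COUNTRIES = {"NL"}           # countries considered normal for VPN logins


def parse_events(text):
    """Turn the line format above into a list of dicts with a datetime 'time'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, *kvs = line.split()
        ev = {"time": datetime.fromisoformat(ts), "source": source}
        for kv in kvs:
            key, _, value = kv.partition("=")
            ev[key] = value
        events.append(ev)
    return events


def classify(events):
    """Return (time, category, reason) findings, oldest first."""
    findings = []
    smb_by_src = defaultdict(list)
    for ev in events:
        src = ev["source"]
        if src == "mailgw" and ev.get("action") == "url_click" and ev.get("verdict") == "credential_lure":
            findings.append((ev["time"], 1, f"{ev['user']} clicked a credential-lure URL"))
        elif src == "vpn" and ev.get("action") == "login" and ev.get("result") == "success":
            if ev.get("mfa") == "none":
                findings.append((ev["time"], 2, f"{ev['user']} VPN login without MFA"))
            elif ev.get("src_country") not in HOME_COUNTRIES:
                findings.append((ev["time"], 2, f"{ev['user']} VPN login from {ev['src_country']}"))
        elif src == "edr" and ev.get("action") == "file_rename":
            if ev.get("ext") in RANSOM_EXTS and int(ev.get("count", 0)) >= RANSOM_MIN_RENAMES:
                findings.append((ev["time"], 3, f"{ev['host']}: {ev['count']} files renamed to {ev['ext']}"))
        elif src == "netflow" and ev.get("dport") == "445":
            smb_by_src[ev["src"]].append(ev)      # buffered for the sliding window below
    # Lateral movement: one source reaching many SMB hosts inside a short window,
    # which is exactly what a flat, unsegmented network allows.
    for host, flows in smb_by_src.items():
        flows.sort(key=lambda e: e["time"])
        for i, first in enumerate(flows):
            window = [f for f in flows[i:] if f["time"] - first["time"] <= LATERAL_WINDOW]
            targets = {f["dst"] for f in window}
            if len(targets) >= LATERAL_MIN_HOSTS:
                findings.append((first["time"], 4, f"{host} reached {len(targets)} SMB hosts within {LATERAL_WINDOW}"))
                break
    findings.sort(key=lambda f: f[0])
    return findings


def chain(findings):
    """Categories in the order they first fired, e.g. [1, 2, 3, 4]."""
    seen = []
    for _, cat, _ in findings:
        if cat not in seen:
            seen.append(cat)
    return seen


if __name__ == "__main__":
    found = classify(parse_events(SAMPLE_LOG))
    for when, cat, why in found:
        print(f"{when:%H:%M:%S}  category {cat} ({CATEGORY_NAMES[cat]}): {why}")
    print("chain:", " -> ".join(str(c) for c in chain(found)))
```

Run it as-is and the output lists four findings and the chain `1 -> 2 -> 3 -> 4`; the benign a.bakker login (MFA push, home country) produces nothing. Each rule is deliberately simple so the mapping from indicator to category stays visible; in production the same structure holds, but the rules would read from your mail gateway, identity provider, EDR and flow telemetry rather than from an inline string.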
Policy controls
- An incident-response playbook that maps to each category, with a 'first 30 minutes' checklist per type
- Reporting flow that doesn't require the reporter to know the category — security routes from context
Training frequency
This module is best taught as a 30-minute briefing followed by example incidents from your own industry's recent headlines — the categories click much faster when seen in stories than in lists.
Quick check
Five questions. Answers and explanations appear after submission.
- Q1. Which category does a 'click here to confirm your shipment' SMS lure belong to?
- Q2. An MFA prompt arrives on your phone that you did not initiate. Which category is in motion?
- Q3. Why is it useful to know the attack category when reporting an incident?
- Q4. Most real-world cyber incidents are best described as:
- Q5. Your SaaS provider sends an unexpected 'we had a security incident, your data may have been accessed' email. Which category?
Sources & further reading
- ENISA — Threat Landscape (annual)[primary]
- MITRE ATT&CK — Tactics overview[primary]
- NCSC-NL — Cybersecuritybeeld Nederland[primary]
- Verizon DBIR — Annual breach pattern analysis[secondary]