Who Are Cybercriminals? Types, Tactics, and How They Target Organizations
Learn who cybercriminals are, their motivations, and attack tactics. Understand BEC, phishing, and insider threats targeting your organization.
March 15, 2026
Cybercriminals cost organizations billions of dollars annually, yet many security teams still approach defense without fully understanding who these adversaries are or how they operate. The threat extends well beyond stereotypical hackers in dark rooms.
Modern cybercriminals range from individual opportunists to sophisticated syndicates with corporate-style operations, each with distinct motivations that shape their attack strategies.
Understanding these actors (their goals, methods, and preferred targets) gives security leaders the intelligence needed to anticipate threats and build defenses that address real-world risks.
What Is a Cybercriminal?
Cybercriminals are individuals or organized groups who exploit digital systems, networks, and human behavior for financial gain, data theft, or disruption. They range from lone operators running phishing campaigns to sophisticated syndicates executing multi-stage fraud schemes that unfold over weeks or months.
The common thread across all types of cybercriminals is their exploitation of trust and access rather than purely technical vulnerabilities. While some attackers do leverage software exploits and zero-day vulnerabilities, the most financially damaging attacks typically manipulate human behavior through social engineering, impersonation, and relationship exploitation.
According to Verizon's 2025 report, which analyzed thousands of real-world security incidents, the human element accounted for 60% of breaches, with the vast majority of social attacks originating via email.
This distinction matters for security strategy. Organizations that focus primarily on technical controls, such as patching systems, deploying firewalls, and hardening configurations, leave significant gaps that cybercriminals actively exploit. Effective defense requires understanding both the technical and psychological dimensions of how attackers operate.
Types of Cybercriminals and What Drives Them
Cybercriminals fall into several distinct categories, each with motivations that determine their attack methods and target selection.
Financially Motivated Cybercriminals
Financially motivated actors represent the largest and most active category of cybercriminals targeting enterprise organizations. These attackers operate through business email compromise (BEC), invoice fraud, credential harvesting, and ransomware, all tactics designed to generate immediate, scalable returns.
The financial impact is staggering even for seasoned security professionals. In 2024 alone, BEC losses totaled $2.77 billion, making it one of the costliest cybercrime categories reported to the FBI IC3.
These cybercriminals specifically target billing departments, finance teams, and executives because they have direct access to payment authorization and fund transfers. The Ransomware-as-a-Service (RaaS) model has further professionalized this category, with developers providing attack infrastructure to affiliates who execute campaigns, with typical revenue splits favoring affiliates over platform developers.
Insider Threats
Not all cybercriminals operate from outside the organization. Employees, contractors, and partners who misuse authorized access represent a distinct and particularly challenging threat category. Research shows that insider threat costs continue to escalate year over year, driven by incidents ranging from employee negligence to malicious insider acts and credential theft.
Insider threats break down into three primary categories:
Employee Negligence: The most common category of insider incidents involves accidental data exposure or policy violations.
Malicious Insiders: Individuals who intentionally harm the organization for financial gain or retaliation.
Credential Theft: External actors who compromise insider credentials or coerce employees into providing access, typically generating the highest per-incident costs.
The fundamental challenge with insider threats is detection. These attackers already have legitimate credentials and established communication patterns, making malicious activity difficult to distinguish from normal work.
Organizations often require extended periods to detect and contain insider threat incidents, reflecting the inherent difficulty of identifying threats that exploit authorized access.
State-Sponsored and Organized Groups
Nation-state actors and organized cybercriminal syndicates target intellectual property, government systems, and critical infrastructure. While these actors often pursue geopolitical objectives, their tactics frequently overlap with financially motivated cybercrime.
State-sponsored threat actors like APT41, a Chinese government-linked group, conduct both espionage operations and financially motivated attacks using identical techniques, including spear phishing, credential theft, and lateral movement through compromised accounts. Mandiant's APT41 research provides detailed documentation of this dual espionage and cybercrime operation.
How Cybercriminals Target Organizations
Most cybercriminals initiate attacks through digital communication channels that exploit human behavior and organizational trust.
Email as the Primary Attack Vector
Email remains one of the most common attack vectors for cybercriminals across every category. This preference exists for practical reasons: email provides direct access to employees, carries implicit trust, and connects to financial systems, credentials, and sensitive data.
IBM X-Force research documents an 84% increase in emails delivering infostealers in 2024 compared to the prior year. Criminals then use these stolen credentials to enable further attacks, with valid account credentials and exploitation of public-facing applications representing the top initial access vectors.
Cybercriminals use several key attack types through email:
Business Email Compromise: Impersonating executives or trusted parties to authorize fraudulent transfers or sensitive data disclosure.
Vendor Impersonation: Exploiting established business relationships to redirect payments or harvest credentials.
Credential Harvesting: Deploying phishing pages that capture login information for later account takeover.
Malware Delivery: Embedding malicious payloads in attachments or links that establish persistence for future exploitation.
Expanding Beyond Email to Collaboration Tools
Cybercriminals increasingly move beyond email to exploit Slack, Microsoft Teams, Zoom, and other collaboration platforms. Threat actors now employ techniques that abuse legitimate platform functionality, with malware-free intrusions representing an increasing share of modern attacks.
The Scattered Spider hacking group shows this evolution. This group infiltrates workplace collaboration platforms to monitor internal conversations, identify organizational structure, and gather information about ongoing projects. They use this collected intelligence to craft highly targeted phishing attacks and deploy ransomware variants following successful reconnaissance.
Microsoft's research documents specific techniques used against Teams, including device code phishing campaigns, OAuth application abuse, and exploitation of external user messaging capabilities. The Slack breach demonstrates how attackers systematically harvest collaboration platforms' comprehensive data repositories once they obtain access.
This expansion represents an evolution of the same social engineering playbook that made email attacks effective. Employees often assume that communications through internal collaboration tools are inherently trustworthy, creating opportunities for cybercriminals who compromise accounts or exploit external access features.
Why Cybercriminals Succeed Against Traditional Defenses
Legacy email security tools often rely on signatures, reputation checks, and known threat indicators. Cybercriminals succeed because their most effective tactics (impersonation, social engineering, and trust exploitation) often contain no malicious payloads for traditional tools to flag. The attacks look like normal communication.
SC Media's analysis notes that when next-generation solutions were deployed alongside existing secure email gateways (SEGs), they identified threats that had bypassed the SEGs, including highly targeted social engineering messages, and that behavioral detection capabilities exposed gaps in legacy email defenses.
Rule-based systems often struggle to distinguish a legitimate executive request from a spoofed one because they lack behavioral context. A BEC message requesting an urgent wire transfer typically has no malware to scan, few malicious URLs to blocklist, and minimal attachment-based exploits. It's simply a carefully crafted social engineering message designed to exploit business processes.
The speed gap compounds this challenge. The average lifespan of phishing infrastructure has dropped significantly in recent years. By the time security vendors create and distribute signatures, attackers have already abandoned their infrastructure.
Defending Against Modern Cybercriminals with Behavioral Intelligence
Detecting modern cybercriminal tactics requires understanding normal communication behavior: who talks to whom, how often, and what tone. Security teams must identify deviations that signal compromise or manipulation.
https://abnormal.ai/resources/... addresses the detection gap by establishing identity-aware baselines and analyzing communication patterns that signature-based tools cannot evaluate. This approach models known good behavior to identify anomalies that suggest impersonation, account takeover, or vendor compromise.
This detection methodology analyzes multiple dimensions simultaneously:
Temporal Patterns: Unusual sending times that deviate from established norms.
Relationship Patterns: First-time communications or unusual recipient combinations.
Content Patterns: Language deviations or urgency indicators inconsistent with established behavior.
When a message deviates from established patterns across multiple dimensions, it generates a risk signal regardless of whether it contains any technically malicious content.
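To make the three dimensions concrete, here is an added Python illustration (not Abnormal's code or model) that builds a per-sender baseline from constructed message metadata and scores a new message on temporal, relationship, and content deviation; the addresses, history, and urgency vocabulary are assumptions for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample history for one executive (not real data):
# (sender, recipient, ISO timestamp, subject line).
HISTORY = [
    ("cfo@example.com", "ap@example.com", "2026-02-02T09:15:00", "Q1 budget review"),
    ("cfo@example.com", "ap@example.com", "2026-02-09T10:40:00", "Vendor onboarding"),
    ("cfo@example.com", "controller@example.com", "2026-02-16T14:05:00", "Audit prep"),
    ("cfo@example.com", "ap@example.com", "2026-02-23T11:30:00", "Expense policy"),
]

# Illustrative urgency/payment vocabulary; a real model would learn this per sender.
URGENCY_TERMS = {"urgent", "immediately", "asap", "wire", "confidential"}

def words(text):
    return set(re.findall(r"[a-z]+", text.lower()))

def build_baseline(history):
    """Per-sender baseline: who they write to, when, and how often they use urgency language."""
    base = defaultdict(lambda: {"recipients": set(), "hours": set(), "urgent": 0, "total": 0})
    for sender, rcpt, ts, subject in history:
        b = base[sender]
        b["recipients"].add(rcpt)
        b["hours"].add(datetime.fromisoformat(ts).hour)
        b["total"] += 1
        b["urgent"] += bool(URGENCY_TERMS & words(subject))
    return base

def score_message(baseline, sender, rcpt, ts, subject):
    """Score one message: one point per dimension that deviates from the sender's baseline."""
    b = baseline.get(sender)
    if b is None:
        # Lookalike or never-seen address: having no baseline to compare against is itself a signal.
        return 1, ["relationship: sender has no established history"]
    reasons = []
    hour = datetime.fromisoformat(ts).hour
    if all(abs(hour - h) > 2 for h in b["hours"]):
        reasons.append("temporal: outside the sender's usual hours")
    if rcpt not in b["recipients"]:
        reasons.append("relationship: first-time recipient for this sender")
    if URGENCY_TERMS & words(subject) and b["urgent"] / b["total"] < 0.2:
        reasons.append("content: urgency language unusual for this sender")
    return len(reasons), reasons

def is_risky(score, threshold=2):
    """Flag when several independent dimensions deviate, even with no payload or URL present."""
    return score >= threshold

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    score, why = score_message(baseline, "cfo@example.com", "treasury@example.com",
                               "2026-03-01T23:50:00", "Urgent: wire transfer needed today")
    print(score, is_risky(score), why)
```

The late-night, first-recipient, urgency-laden wire request scores 3 and is flagged with no attachment or link ever inspected, while a routine daytime note to a known recipient scores 0.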
Abnormal's Behavioral AI fills the gap left by signature-based detection, analyzing identity, context, and risk signals across email and collaboration platforms. This includes protection against BEC attacks through executive communication modeling, vendor compromise detection through relationship and invoice pattern analysis, and account takeover protection through behavioral anomaly identification.
This approach complements existing security infrastructure rather than replacing it. Traditional tools continue handling volume-based threats and known malware, while behavioral analysis addresses the sophisticated social engineering that those tools were not designed to detect.
Abnormal helps organizations detect and stop attacks that exploit trust, relationships, and human behavior, the exact tactics cybercriminals rely on to bypass traditional defenses. Request a demo to see behavioral AI in action.