top of page

How Do Human Hackers Choose Their Targets?

Updated: Oct 21, 2022

“My organization would never be targeted by a hacker or criminal group, let alone a foreign intelligence service!” If this is your thought process, you might want to think again as this common preconceived notion can be very dangerous. While there are a variety of different types of social engineers with all sorts of motives, they all have one thing in common: they love easy prey.

How often do social engineering attacks happen?

According to a 2021 Q3 CNBC Momentive Small Business Survey, the majority of small-business owners are unconcerned about becoming the target of a security breach, with 56% saying they are not afraid about getting hacked within the following year. More alarmingly, 24% indicated they were "not at all concerned."

The reality is cyberattacks are mostly directed at small and medium-sized businesses, however, you will not always hear of this as most security breaches go unreported. Unlike bigger firms, who can more easily afford security awareness training services and upgrade their networks to keep up with the latest hacking techniques, small-businesses do not always have the proper resources nor do they always make it a top priority to defend against attacks, and hackers are well aware of this.

Many small-business owners also are under the belief they have nothing of value for a hacker to take. While they may be correct in assuming they are probably not the main target in the hacker’s agenda, they ought to rethink this rational notion that they have nothing of value a hacker could want.

Why do human hackers target small-businesses?

The organization a human hacker or social engineer will be attempting to breach can be either classified as a hard or soft target.

A hard target is one that is very challenging for the hacker to penetrate because of high security protocols. Does that mean that when a human hacker comes across a hard target that they will just give up and move on to another one? Sometimes. However, if their objective is to really penetrate that particular hard target, they are not going to give up. As a matter of fact, they might even love the challenge.

What the social engineer will do is take a closer look at those particular organizations that have an association with the hard target of choice or do business with them such as a CPA firm, IT management, staffing company, etc. Those particular entities will most likely be what is known as soft targets.

While breaching the security of these softer targets may not be the main goal, successfully breaching their security can grant cybercriminals access to a significant number of important and high-quality documents needed for attacking their hard target. For example, an external law firm conducting business with the hard target may have valuable information for the hacker such as company strategy and/or financial data.

These soft targets are going to be easier to penetrate and they likely already have some confidential information regarding the hard target. They breach the security of those softer targets and ultimately utilize them as a back door to their hard target.

Never ever consider your organization as one that would never be of interest. Just because you may not be the ultimate target, doesn’t mean you will not fall victim to a social engineering attack.


About the Counterintelligence Institute

Founded by former CIA senior intelligence officer Peter Warmka, the Counterintelligence Institute’s mission is to assist your corporations, government offices, academic institutions and non-profit organizations in protecting your sensitive information and personal data records against security breach attempts. Our online and onsite training services focus on transforming the human factor from being the weakest link in security to becoming the most effective defensive tool against security threats against your company and personal life.



bottom of page