
Lesson 2: Types of Cyber Threats — From Phishing to Ransomware

Path 1: Cybersecurity Fundamentals — Lesson 2 of 10. Understand the threat landscape facing Saudi organizations and learn how to recognize and defend against the most dangerous attack types.

FyntraLink Team
Cybersecurity Fundamentals · Lesson 2 of 10 · Level: Beginner · Reading time: 12 minutes

What You Will Learn in This Lesson

  • How to classify cyber threats into distinct categories and understand their mechanics
  • Why phishing remains the number-one initial access vector for attacks on financial institutions
  • How ransomware operations have evolved from opportunistic encryption to double-extortion models
  • What insider threats, supply-chain attacks, and advanced persistent threats (APTs) look like in a Saudi banking environment

The Threat Landscape Is Not Abstract — It Is Targeting You Right Now

If you work in IT or information security at a Saudi financial institution, your organization is not a hypothetical target — it is an active one. Threat actors range from lone phishing operators buying kits off Telegram channels to state-sponsored groups running multi-month intrusion campaigns. The first step in defending any environment is understanding exactly what you are defending against. That means moving beyond vague awareness ("hackers are out there") and learning the specific tactics, techniques, and procedures (TTPs) each threat category uses.

This lesson walks through the six threat categories you will encounter most frequently. For each one, we will cover how the attack works mechanically, what the attacker's goal is, and what a real scenario looks like in the context of a Saudi financial institution regulated by SAMA.

1. Phishing and Social Engineering

Phishing is the art of tricking a human into doing something they should not — clicking a link, opening an attachment, entering credentials on a fake page, or approving a fraudulent wire transfer. It remains the dominant initial access vector globally, and Saudi organizations are no exception. Attackers craft emails that impersonate regulators (a fake SAMA circular), vendors (a spoofed invoice from a payment processor), or internal executives (CEO fraud requesting an urgent transfer). Spear-phishing — targeted phishing aimed at specific individuals — is particularly effective against finance teams and C-suite assistants who handle sensitive transactions daily.

Practical Example: A finance officer at a Riyadh-based investment firm receives an email that appears to come from the CFO's personal address. The email references a real acquisition the firm is working on and requests a "confidential" wire transfer to a new beneficiary account. The email passes a quick visual check — the display name is correct, the tone matches the CFO's style. But the actual sender address is one character off: cfo@companyy.com instead of cfo@company.com. Without a verification process (such as a mandatory callback for transfers above a threshold), the transfer goes through. This is business email compromise (BEC), and it is a subset of social engineering that costs organizations billions annually.
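One technical layer that belongs beside the callback rule described above, as an added example that is not part of the lesson: a From:-header check that flags lookalike sender domains (such as the one-character-off domain in the scenario) and executive display names arriving from external domains. The corporate domains, executive names and headers are constructed for illustration; the edit-distance rule also catches digit-for-letter substitutions, which goes beyond the single case in the text.

```python
"""Lookalike-sender check for display-name impersonation (BEC).

Added example, not the lesson's material or any vendor's product. The
domains, executive names and headers are constructed for illustration.
"""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"company.com", "company.sa"}            # assumed corporate domains
EXECUTIVE_NAMES = {"ahmed al-qahtani", "sara al-otaibi"}   # assumed, lower-cased
LOOKALIKE_DISTANCE = 2   # edit distance at or below this counts as a near-match


def edit_distance(a, b):
    """Levenshtein distance using a single-row dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_sender(from_header):
    """Return (verdict, reason) for the value of an inbound From: header."""
    name, addr = parseaddr(from_header)
    if "@" not in addr:
        return "quarantine", "unparseable From header"
    domain = addr.rsplit("@", 1)[1].lower()
    if domain in TRUSTED_DOMAINS:
        # Authentication results (SPF/DKIM/DMARC) should still be checked for
        # mail claiming a trusted domain; that is outside this snippet.
        return "allow", "trusted domain"
    closest = min(TRUSTED_DOMAINS, key=lambda d: edit_distance(domain, d))
    dist = edit_distance(domain, closest)
    if dist <= LOOKALIKE_DISTANCE:
        # companyy.com, c0mpany.com and similar near-misses land here
        return "quarantine", f"{domain} is a lookalike of {closest} (distance {dist})"
    if name.strip().lower() in EXECUTIVE_NAMES:
        # A real executive's name on a webmail or unrelated domain
        return "quarantine", f"executive display name from external domain {domain}"
    return "allow", "external sender"
```

The verdict is "quarantine" rather than "reject" because a short edit distance is a coarse signal; a reviewer or the callback procedure makes the final call.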

2. Ransomware

Ransomware encrypts your files and demands payment — usually in cryptocurrency — for the decryption key. Modern ransomware operations have evolved far beyond simple encryption. Today's groups like LockBit, BlackCat (ALPHV), and Akira run affiliate programs: they build the malware and infrastructure, then recruit operators who carry out the actual intrusions and split the ransom payment. Many groups now practice double extortion — they exfiltrate sensitive data before encrypting it, then threaten to publish the data on leak sites if the ransom is not paid. Some have moved to triple extortion, adding DDoS pressure or contacting the victim's customers directly.

The typical ransomware kill chain in a financial institution starts with initial access (often phishing or exploiting a VPN vulnerability), followed by lateral movement through the network using tools like Cobalt Strike or Impacket, privilege escalation to domain administrator, data exfiltration to an attacker-controlled server, and finally mass encryption of systems — often timed for a Thursday evening or holiday weekend when response teams are at minimum capacity.

3. Insider Threats

Not every threat comes from outside. Insider threats include malicious employees who steal data intentionally (a disgruntled database administrator exporting customer records before resignation), negligent employees who cause breaches through carelessness (sending a spreadsheet of customer PII to the wrong email address), and compromised insiders whose credentials have been stolen by an external attacker. In the Saudi financial sector, where organizations often rely on a mix of employees and third-party contractors with varying levels of access, the insider threat surface is significant.

Practical Example: A contract IT administrator at a Saudi bank has privileged access to production databases as part of their daily work. They are offered money by an external party to extract a specific list of high-net-worth customer accounts. Because the bank has not implemented proper privileged access management (PAM) with session recording, and database activity monitoring is not in place, the extraction goes undetected for weeks. SAMA CSCC Domain 3 (Information Asset Management) and Domain 4 (Human Resources Security) specifically address controls to mitigate this scenario — including background checks, access reviews, and monitoring of privileged accounts.
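The database activity monitoring the scenario says was missing, as an added example that is neither the lesson's nor any product's code: three rules run over constructed audit records that flag a single bulk read of a sensitive table, privileged reads outside business hours, and low-and-slow extraction that only becomes visible when rows are totalled per account per day. Table names, account names, hosts, thresholds and the log lines are all assumed.

```python
import re
from collections import defaultdict
from datetime import datetime

SENSITIVE_TABLES = {"customers", "accounts", "kyc_profiles"}  # assumed table names
PRIVILEGED_ACCOUNTS = {"dba_contractor1", "dba_admin"}        # assumed DBA accounts
MAX_ROWS_PER_QUERY = 5000         # one read larger than this is a bulk read
MAX_ROWS_PER_ACCOUNT_DAY = 10000  # daily total that exposes low-and-slow extraction
BUSINESS_HOURS = range(7, 19)     # 07:00-18:59 local time

# Constructed audit records: time|account|client host|rows returned|statement
AUDIT_LOG = """\
2024-03-03T09:12:41|dba_contractor1|10.20.5.14|1|SELECT status FROM accounts WHERE account_id=1001
2024-03-03T23:41:05|dba_contractor1|10.20.5.14|4800|SELECT name,balance FROM customers WHERE balance>5000000 LIMIT 4800
2024-03-04T00:02:17|dba_contractor1|10.20.5.14|4800|SELECT name,balance FROM customers WHERE balance>5000000 LIMIT 4800 OFFSET 4800
2024-03-04T00:15:09|dba_contractor1|10.20.5.14|4800|SELECT name,balance FROM customers WHERE balance>5000000 LIMIT 4800 OFFSET 9600
2024-03-04T00:31:44|dba_contractor1|10.20.5.14|4800|SELECT name,balance FROM customers WHERE balance>5000000 LIMIT 4800 OFFSET 14400
2024-03-04T10:30:00|app_core|10.20.7.2|9000|SELECT id FROM customers WHERE updated_at>'2024-03-03'
2024-03-04T11:00:00|dba_admin|10.20.5.9|1|SELECT count(*) FROM kyc_profiles
"""

_FROM_RE = re.compile(r"\bFROM\s+([A-Za-z_][\w.]*)", re.IGNORECASE)


def read_table(statement):
    """Return the lower-cased table a SELECT reads from, or None for other statements."""
    if not statement.lstrip().upper().startswith("SELECT"):
        return None
    m = _FROM_RE.search(statement)
    return m.group(1).lower() if m else None


def find_alerts(log_text):
    """Apply the three rules to pipe-delimited audit lines; return (rule, account, when)."""
    alerts, daily_rows = [], defaultdict(int)
    for line in filter(None, log_text.splitlines()):
        ts, account, _host, rows, statement = line.split("|", 4)
        when, rows = datetime.fromisoformat(ts), int(rows)
        table = read_table(statement)
        if table not in SENSITIVE_TABLES:
            continue
        if rows > MAX_ROWS_PER_QUERY:
            alerts.append(("bulk_read", account, ts))
        if account in PRIVILEGED_ACCOUNTS and when.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_privileged_read", account, ts))
        daily_rows[(account, when.date().isoformat())] += rows  # each query is small
    for (account, day), total in sorted(daily_rows.items()):
        if total > MAX_ROWS_PER_ACCOUNT_DAY:  # but the day's total is not
            alerts.append(("cumulative_extraction", account, day))
    return alerts
```

Note that every one of the contractor's queries stays under the per-query threshold; only the off-hours and daily-total rules expose the paged extraction.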

4. Supply-Chain Attacks

Your security is only as strong as the weakest link in your supply chain. Supply-chain attacks compromise a trusted vendor, software provider, or service partner to gain access to the actual target. The SolarWinds attack of 2020 is the textbook example: attackers compromised SolarWinds' build system and injected malicious code into a legitimate software update, which was then distributed to approximately 18,000 customers including government agencies and Fortune 500 companies. For Saudi financial institutions, the supply chain includes core banking system vendors, payment processors, cloud service providers, managed security service providers (MSSPs), and even the HR or payroll software you use.

Evaluating third-party risk is not optional — it is a regulatory requirement. Both SAMA CSCC and NCA ECC include specific controls around vendor risk management, requiring organizations to assess the security posture of their critical suppliers and enforce contractual security obligations.

5. Advanced Persistent Threats (APTs)

APTs are long-duration, targeted intrusion campaigns typically conducted by well-resourced groups — often with nation-state backing. Unlike ransomware operators who want quick monetization, APT groups prioritize stealth and persistence. They may sit inside a network for months, slowly expanding their access, exfiltrating data, and maintaining multiple backdoors so they can return even if one access point is discovered. Financial institutions are targeted for economic intelligence, customer data, and access to payment systems. Groups tracked under designations like APT33, APT34, and MuddyWater have historically targeted organizations in the Middle East, including the Gulf region.

Detecting APTs requires capabilities beyond basic antivirus: you need network detection and response (NDR), endpoint detection and response (EDR) with behavioral analysis, threat intelligence feeds mapped to your industry, and a Security Operations Center (SOC) staffed with analysts who actively hunt for indicators of compromise rather than waiting for alerts.

6. Distributed Denial of Service (DDoS)

DDoS attacks flood your systems with traffic to make them unavailable. While they do not steal data directly, they can cause significant operational disruption — imagine your online banking portal going down during peak hours, or your payment gateway becoming unreachable during salary processing week. DDoS attacks are also used as a smokescreen: the attacker launches a DDoS to overwhelm your SOC while simultaneously conducting a more targeted intrusion through another vector. Modern DDoS attacks can exceed 1 Tbps and use amplification techniques (DNS reflection, memcached amplification) to multiply the attacker's bandwidth.

Connecting to the Saudi Regulatory Context

Understanding threat types is not just an academic exercise — it directly maps to your compliance obligations. SAMA CSCC Domain 2 (Cybersecurity Risk Management) requires organizations to maintain a current threat landscape assessment and use it to inform their risk register. NCA ECC Control 2-2 mandates threat intelligence capabilities appropriate to the organization's risk profile. When you conduct your annual risk assessment (required by both frameworks), each of the six threat categories above should be evaluated for likelihood and impact specific to your institution. The PDPL adds another dimension: if any of these attacks result in a personal data breach, you face notification obligations to SDAIA and potentially to affected individuals. Knowing your threats is the foundation for everything else — from control selection to incident response planning to budget justification.

Common Mistakes to Avoid

  • Treating phishing as a user problem only: Yes, awareness training matters. But if your email security gateway is not filtering malicious attachments, you have no DMARC enforcement, and you lack an easy reporting mechanism for suspicious emails, you are relying entirely on humans to be perfect — and they will not be. Layer technical controls on top of awareness.
  • Assuming ransomware only targets large enterprises: Ransomware affiliates are opportunistic. They scan for exposed RDP ports, unpatched VPN appliances, and weak credentials regardless of organization size. A mid-size fintech or insurance company with lax patching is actually a more attractive target than a hardened Tier-1 bank because the effort-to-payout ratio is better.
  • Ignoring insider threats because "we trust our people": Trust is not a security control. Privileged access management, separation of duties, database activity monitoring, and regular access reviews are controls. You can trust your people and still implement proper safeguards — in fact, those safeguards protect your employees by providing an audit trail that proves their innocence if a breach occurs.

Lesson Summary

  • The six primary threat categories facing Saudi financial institutions are: phishing/social engineering, ransomware, insider threats, supply-chain attacks, APTs, and DDoS — each with distinct mechanics, goals, and required defenses.
  • Modern attacks rarely use a single technique. Ransomware starts with phishing; APTs leverage supply-chain compromise; DDoS provides cover for data theft. Defense must be layered accordingly.
  • Your threat landscape assessment is a living document required by SAMA CSCC and NCA ECC — it should be updated at least annually and after any significant incident or change in your environment.

Next Lesson

In the next lesson, we will cover the CIA Triad (Confidentiality, Integrity, and Availability), the foundational security model that underpins every control, every framework, and every security decision you will ever make. We will break down each principle with concrete examples from the Saudi banking sector.


Ready to apply these concepts in your organization? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment.