Cybersecurity Fundamentals for Absolute Beginners

14 pages

Common Attacker Motivations and What They Target

Chapter 6

Estimated reading time: 14 minutes

Why attacker motivation matters

Understanding why attackers act is one of the fastest ways to predict what they will do next. Motivation influences the attacker’s patience, budget, technical skill, and willingness to take risks. It also determines what they consider “success”: stealing money, gaining access, causing disruption, collecting information, or simply proving they can. For beginners, this is useful because it helps you focus your defenses on the most likely outcomes for your situation (for example, a small business is often targeted for quick financial gain, while a public-facing organization may face disruption attempts).

Motivation and targets are tightly connected. Attackers rarely “hack everything.” They choose targets that match their goals and constraints. A scammer who wants quick cash will prefer payment data and easy-to-monetize accounts. A competitor seeking advantage will prefer sensitive business documents and product plans. A political group trying to make a statement will prefer high-visibility systems and public services.

Common attacker motivations

1) Financial gain (the most common)

Financially motivated attackers want money or assets that can be converted into money. This includes direct theft (fraud), extortion (ransom), and resale (selling stolen data or access). Many of these attackers operate like businesses: they track return on investment, automate what they can, and reuse proven methods.

What they target

  • Banking and payment access: online banking logins, card numbers, payment processor dashboards, mobile payment apps.
  • Account takeover opportunities: email accounts (to reset other passwords), social media (for scams), e-commerce accounts (for purchases), ride-share/food delivery accounts (for resale or fraud).
  • Business payment workflows: invoicing systems, accounts payable mailboxes, vendor payment details, payroll systems.
  • Ransom leverage: files and systems that an organization cannot operate without, plus backups if they can reach them.
  • Data that sells: customer lists, identity data, health data, credentials, API keys, session tokens.

Practical example: A criminal gains access to an employee’s email and watches invoice conversations. When a real invoice is about to be paid, they send a “bank details updated” message from a lookalike domain. The target is not “the whole company,” but specifically the payment process and the trust around it.

2) Espionage (stealing information for advantage)

Espionage is about gaining access to information that provides strategic, political, or competitive advantage. This can be conducted by nation-state groups, contractors, or competitors. Espionage attackers often prioritize stealth and long-term access over immediate impact.

What they target

  • Intellectual property: designs, source code, formulas, research data, prototypes.
  • Business strategy: pricing plans, negotiation positions, mergers and acquisitions documents.
  • Government and policy information: communications, internal documents, diplomatic cables.
  • Access to networks for later use: persistent access (accounts, remote access tools) that can be re-used.

Practical example: An attacker compromises a developer’s account to access private code repositories. The immediate target is not money; it is the code and the ability to quietly monitor changes over time.

3) Ideology and activism (hacktivism)

Hacktivists act to promote a cause, protest an organization, or draw attention to an issue. Their actions may include disruption, defacement, data leaks, or harassment. The “win” is often public visibility rather than financial profit.

What they target

  • Public-facing websites and social accounts: to deface, post messages, or embarrass the target.
  • High-visibility services: systems whose downtime is noticeable (public portals, donation pages, event registration).
  • Embarrassing communications: internal emails, chat logs, documents that can be leaked to shape public opinion.

Practical example: A group targets a city’s public website during a controversial decision. The target is availability and reputation: they want the public to notice the outage and associate it with the issue.

4) Disruption and sabotage

Some attackers aim to break things: to stop operations, damage systems, or create chaos. This can be politically motivated, competitive, or personal. Sabotage can be external (an attacker) or internal (a disgruntled insider). These attackers may not care about being stealthy if the goal is immediate impact.

What they target

  • Operational systems: scheduling, logistics, manufacturing control interfaces, internal tools that keep work moving.
  • Critical configurations: DNS settings, identity systems, cloud admin accounts, network devices.
  • Backups and recovery capabilities: to make restoration difficult and prolong downtime.

Practical example: An attacker who gains admin access deletes cloud resources and snapshots. The target is the organization’s ability to recover quickly, not the data itself.

5) Personal motives: revenge, curiosity, status

Not all attackers are professionals. Some are driven by personal conflict, curiosity, or the desire to impress peers. This includes harassment, stalking, doxxing, and “showing off.” While these attackers may be less skilled, they can still cause serious harm because they often target people directly and exploit trust.

What they target

  • Personal accounts: email, messaging apps, social media, cloud photo storage.
  • Private content: photos, messages, location history, contacts.
  • Reputation: posting from someone’s account, leaking private information, impersonation.

Practical example: A former partner tries password resets on social accounts using known personal details. The target is control of identity and reputation, not money.

6) Insider threats (malicious or negligent)

Insiders already have some level of access: employees, contractors, vendors, or partners. Insider incidents can be malicious (intentional theft or sabotage) or negligent (accidental exposure). Motivation varies: money, resentment, convenience, or carelessness.

What they target

  • Data they can already reach: customer records, internal documents, shared drives.
  • Systems they administer: deleting logs, changing permissions, creating hidden accounts.
  • Shortcuts that create exposure: sharing files publicly, using personal email for work documents, copying data to unmanaged devices.

Practical example: A contractor copies a client list before leaving for a competitor. The target is business advantage and future revenue.

7) Supply-chain and access brokers (selling entry)

Some attackers specialize in gaining access and then selling it. They may not care what happens after; their product is “a foothold” into a network, a set of credentials, or access to a remote management tool. This is common in criminal ecosystems where different groups specialize in different stages.

What they target

  • Remote access tools and admin panels: VPN accounts, remote desktop gateways, cloud admin consoles.
  • Managed service providers (MSPs) and vendors: because one compromise can lead to many downstream victims.
  • Credential stores: password managers (if compromised), browser-saved passwords, shared credential spreadsheets.

Practical example: An attacker compromises a small IT provider’s remote management account and sells access to multiple client environments. The target is leverage and scale.

What attackers commonly target (a practical map)

Regardless of motivation, many targets repeat because they are valuable and often poorly protected. Think of targets in categories: identities, money flows, data, infrastructure, and trust relationships.

Identity: accounts, credentials, and sessions

Identity is the key to everything else. If an attacker controls an account, they can often act “as you,” which bypasses many technical defenses.

  • Primary email accounts: because they enable password resets for other services.
  • Single sign-on (SSO) accounts: one login unlocks many apps.
  • Privileged accounts: admins, finance approvers, IT support accounts.
  • Session tokens: stolen cookies can sometimes bypass passwords and even multi-factor prompts depending on the setup.

Beginner takeaway: If you protect only one thing well, protect your main email and any admin accounts.

Money movement: payments, invoices, and approvals

Attackers love predictable processes. Payment workflows are often time-sensitive and rely on trust, making them ideal for manipulation.

  • Invoice redirection: changing bank details or payment links.
  • Payroll diversion: changing direct deposit information.
  • Gift card scams: targeting employees with authority or helpfulness.
  • E-commerce fraud: stored cards, loyalty points, refund abuse.

Data: what can be sold, used, or leaked

Data has different value depending on the attacker’s motivation. Criminals value resale and fraud potential; espionage values uniqueness and strategic importance; hacktivists value embarrassment.

  • Personally identifiable information (PII): names, addresses, government IDs.
  • Authentication data: passwords, password reset questions, API keys.
  • Business confidential data: contracts, pricing, customer lists.
  • Regulated data: health, financial, student records (often higher extortion pressure).

Infrastructure: the systems that keep everything running

Infrastructure targets are chosen when attackers want disruption, leverage, or broad access.

  • Backups and recovery systems: to prevent easy restoration.
  • DNS and domain registrar accounts: to redirect traffic or take over email.
  • Cloud control planes: admin consoles where resources can be created, copied, or deleted.
  • Remote access gateways: VPNs, remote desktops, admin portals.

Trust relationships: vendors, partners, and shared access

Attackers frequently target the “weakest link” in a chain. If a vendor has access to your environment, compromising them may be easier than attacking you directly.

  • Third-party integrations: apps connected to email, calendars, file storage.
  • Shared credentials: vendor logins used by multiple people.
  • Support channels: help desks and account recovery processes that can be socially engineered.

How to infer motivation from early signals (practical checklist)

You can often guess the attacker’s motivation by looking at what they do first and what they ignore. This helps you respond faster and prioritize what to secure immediately.

Step 1: Identify what was touched first

  • Finance systems, invoices, or payment emails often suggest financial fraud.
  • Admin consoles, identity providers, or remote access suggest a push for broad control (could be ransomware, sabotage, or access brokering).
  • File repositories, research folders, or code suggest espionage or data theft.
  • Public website changes or social media takeovers suggest hacktivism or reputation attacks.

Step 2: Look for speed vs stealth

  • Fast, noisy actions (defacement, immediate ransom note, mass deletion) often indicate disruption or quick extortion.
  • Slow, careful actions (creating new accounts, accessing mail rules, long-term forwarding) often indicate espionage, fraud setup, or access brokering.

Step 3: Check what they tried to monetize

  • Changed bank details or requests for urgent transfers point to financial fraud.
  • Exfiltration of large datasets points to resale, extortion, or espionage.
  • Targeting of backups points to extortion or sabotage.

Step 4: Assess who they impersonated

  • CEO/CFO impersonation often indicates payment fraud.
  • IT support impersonation often indicates credential theft or remote access setup.
  • HR impersonation can indicate payroll diversion or employee data theft.
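
The four steps above can be run as a simple vote tally over an incident timeline. This is an added example, not part of the original course: the event names, asset names, motivation labels and the double weight on the earliest event are assumptions, and the sample events are constructed (the first set mirrors the backup-then-admin-account sequence in this chapter's exercise).

```python
from collections import Counter
from datetime import datetime

# Checklist signals as votes. Labels, event names and weights are assumptions.
SLOW = ["espionage", "financial fraud", "access brokering"]   # Step 2, careful
FAST = ["sabotage", "extortion"]                              # Step 2, noisy
TARGET_VOTES = {                                              # Step 1
    "finance": ["financial fraud"],
    "admin": ["extortion", "sabotage", "access brokering"],
    "files": ["espionage"],
    "public": ["hacktivism"],
}
ACTION_VOTES = {
    "defacement": FAST, "ransom_note": FAST, "mass_delete": FAST,
    "account_created": SLOW, "mail_rule_created": SLOW, "mail_forwarding": SLOW,
    "bank_details_changed": ["financial fraud"],              # Step 3
    "bulk_exfiltration": ["data resale", "extortion", "espionage"],
    "backup_tampering": ["extortion", "sabotage"],
    "impersonate_exec": ["financial fraud"],                  # Step 4 (CEO/CFO)
}
ASSET_CLASS = {  # hypothetical asset names mapped to a Step 1 class
    "ap_mailbox": "finance", "invoicing": "finance",
    "cloud_console": "admin", "idp": "admin", "vpn": "admin",
    "code_repo": "files", "website": "public",
}

def triage(events, first_weight=2):
    """Rank motivations; the earliest event counts `first_weight` times."""
    ordered = sorted(events, key=lambda e: datetime.fromisoformat(e["ts"]))
    scores, evidence = Counter(), {}
    for i, ev in enumerate(ordered):
        weight = first_weight if i == 0 else 1
        votes = (TARGET_VOTES.get(ASSET_CLASS.get(ev["target"]), [])
                 + ACTION_VOTES.get(ev["action"], []))
        for motive in votes:
            scores[motive] += weight
            evidence.setdefault(motive, []).append(
                f'{ev["action"]} on {ev["target"]}')
    top = max(scores.values(), default=0)
    leaders = sorted(m for m, s in scores.items() if s == top)
    return leaders, dict(scores), evidence

# Constructed sample timelines (not real incident data).
QUIZ_EVENTS = [
    {"ts": "2024-03-04T02:10:00", "action": "backup_tampering", "target": "backups"},
    {"ts": "2024-03-04T02:25:00", "action": "account_created", "target": "cloud_console"},
]
FRAUD_EVENTS = [
    {"ts": "2024-03-01T09:00:00", "action": "mail_rule_created", "target": "ap_mailbox"},
    {"ts": "2024-03-06T14:00:00", "action": "impersonate_exec", "target": "ap_mailbox"},
    {"ts": "2024-03-09T11:30:00", "action": "bank_details_changed", "target": "invoicing"},
]

if __name__ == "__main__":
    for name, evs in (("quiz", QUIZ_EVENTS), ("fraud", FRAUD_EVENTS)):
        leaders, scores, _ = triage(evs)
        print(name, leaders, scores)
```

A tie between leaders is a useful result in itself: it tells you to secure the assets common to both hypotheses first.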

Motivation-to-target scenarios (with step-by-step attacker thinking)

The goal here is not to teach you to attack, but to help you recognize patterns. Each scenario shows how motivation shapes target selection and the sequence of actions.

Scenario A: Quick cash through account takeover

Motivation: financial gain. Likely targets: email account, then shopping or banking accounts.

How the attacker typically thinks (step-by-step)

  • Step 1: Find a login that is reused or easy to guess, or trick the user into entering it on a fake sign-in page.
  • Step 2: Use the email inbox to search for “receipt,” “order,” “bank,” “reset,” or “verification code” to identify valuable connected accounts.
  • Step 3: Trigger password resets for high-value services and intercept the reset links or codes.
  • Step 4: Lock the victim out by changing passwords and recovery options.
  • Step 5: Monetize quickly: purchases, transfers, or selling the account access.

What to watch for: unexpected password reset emails, new login alerts, inbox rules that forward mail, sudden changes to recovery phone/email.

Scenario B: Extortion by encrypting what you can’t live without

Motivation: financial gain via extortion. Likely targets: shared file storage, servers, backups, admin credentials.

How the attacker typically thinks (step-by-step)

  • Step 1: Get a foothold through a user account or exposed remote access.
  • Step 2: Identify where important files live (shared drives, cloud storage, document management).
  • Step 3: Seek higher privileges to reach more systems and disable defenses.
  • Step 4: Locate backups and attempt to delete or encrypt them too.
  • Step 5: Trigger maximum operational pain, then demand payment.

What to watch for: unusual file renames, mass file modifications, backup deletion attempts, new admin accounts, disabled security tools.

Scenario C: Stealing competitive intelligence quietly

Motivation: espionage. Likely targets: executives, product teams, legal, developers, research repositories.

How the attacker typically thinks (step-by-step)

  • Step 1: Identify people with access to strategic documents (org charts, LinkedIn, public info).
  • Step 2: Gain access to one account and avoid triggering obvious alarms.
  • Step 3: Search for specific keywords (project names, “confidential,” “roadmap,” “acquisition”).
  • Step 4: Exfiltrate small amounts over time or use cloud sync to blend in.
  • Step 5: Maintain persistence via additional accounts or authorized app connections.

What to watch for: unusual access to sensitive folders by accounts that don’t normally use them, new OAuth/app authorizations, repeated logins from unfamiliar locations.

Scenario D: Public embarrassment and disruption

Motivation: hacktivism or personal grievance. Likely targets: public website, social media, public data stores.

How the attacker typically thinks (step-by-step)

  • Step 1: Look for an easy public entry point (weak admin password, outdated plugin, exposed admin panel).
  • Step 2: Change something visible (homepage content, banner images, pinned posts).
  • Step 3: Amplify impact by posting stolen snippets or claiming responsibility publicly.

What to watch for: unexpected content changes, new admin users in website CMS, sudden spikes in traffic or error logs.

Turning motivation into defensive priorities (actionable exercises)

The following exercises help you connect “who would target me and why” to “what should I protect first.” They are designed for individuals and small teams and do not require advanced tools.

Exercise 1: Build a motivation profile for your situation

Step-by-step

  • Step 1: List your roles and contexts (personal, freelancer, employee, small business owner, volunteer in a public organization).
  • Step 2: For each context, choose the top 2 likely motivations from this chapter (financial, espionage, activism, sabotage, personal, insider, access broker).
  • Step 3: Write down the top 3 assets those motivations would target in your case (for example: “my primary email,” “our invoicing mailbox,” “our cloud admin account,” “our public website”).
  • Step 4: Mark which of those assets would cause the biggest immediate harm if compromised (money loss, inability to work, reputational harm, legal exposure).

Output you want: a short list of “most likely attacker goal” → “most likely target” pairs.

Exercise 2: Map your “high-leverage accounts”

High-leverage accounts are those that unlock many other things. Attackers prioritize them because one compromise leads to many.

Step-by-step

  • Step 1: Identify your primary email account(s) and any work email accounts.
  • Step 2: Identify accounts that can reset others (password manager, Apple/Google/Microsoft account, SSO portal).
  • Step 3: Identify privileged accounts (admin dashboards, finance approvers, domain registrar, cloud admin).
  • Step 4: For each, note what it can unlock (list 3–10 connected services).

Why this helps: it reveals what a financially motivated attacker would target first and what an espionage attacker would use for broad access.
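
Exercise 2 can be worked as a small graph: record what each account directly unlocks, then follow the chain to see everything a single compromise eventually reaches. This is an added example, not part of the original course; the account names and the unlock relationships are a constructed inventory.

```python
from collections import deque

# Constructed inventory: account -> accounts it can directly reset or sign in to.
UNLOCKS = {
    "primary_email": ["password_manager", "bank", "domain_registrar", "social_media"],
    "password_manager": ["cloud_admin", "bank", "shopping"],
    "domain_registrar": ["work_email"],      # DNS control can take over email
    "work_email": ["sso_portal"],
    "sso_portal": ["invoicing", "file_storage", "crm"],
    "cloud_admin": ["backups"],
}

def unlocked_by(start, graph=UNLOCKS):
    """Return {account: hops} for everything reachable from `start`."""
    hops, queue = {start: 0}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in graph.get(node, []):
            if nxt not in hops:              # also guards against cycles
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    del hops[start]
    return hops

def rank_by_leverage(graph=UNLOCKS):
    """Sort every account by how many others it unlocks, directly or not."""
    accounts = set(graph) | {a for v in graph.values() for a in v}
    ranked = [(a, len(unlocked_by(a, graph))) for a in accounts]
    return sorted(ranked, key=lambda pair: (-pair[1], pair[0]))

def exposes(asset, graph=UNLOCKS):
    """Accounts whose compromise eventually reaches `asset`."""
    return sorted(a for a in graph if asset in unlocked_by(a, graph))

if __name__ == "__main__":
    for account, count in rank_by_leverage():
        print(f"{account:18} unlocks {count}")
    print("Accounts that can reach backups:", exposes("backups"))
```

In this inventory the primary email reaches the backups in three hops even though it has no direct link to them, which is why Step 4 asks you to write the connections down.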

Exercise 3: Identify your “public pressure points”

If you have any public presence, disruption and embarrassment targets become more relevant.

Step-by-step

  • Step 1: List public-facing assets: website, blog, status page, social media, public forms, donation pages.
  • Step 2: For each, list who can publish changes and how (CMS admin, social media admin, third-party agency).
  • Step 3: Identify which asset would create the biggest reputational impact if altered for one hour.

Why this helps: it aligns defenses with hacktivism and personal grievance motivations, where visibility is the goal.

Common misconceptions beginners have about attacker goals

“I’m too small to be targeted”

Many financially motivated attacks are automated and opportunistic. Attackers often do not choose you personally; they choose a method that finds whoever is vulnerable. Small organizations and individuals can be attractive because they may have weaker protections and still have valuable accounts, payment methods, and identities.

“Attackers only want credit cards”

Credentials and email access are often more valuable than a single card number because they enable repeated fraud, password resets, impersonation, and access to multiple services.

“If nothing was stolen, nothing happened”

Some motivations focus on access and positioning rather than immediate theft. For example, an access broker may simply establish a foothold and leave. An espionage actor may quietly monitor communications. A sabotage actor may wait for a critical moment.

Quick reference: motivation and typical targets

  • Financial gain: payment workflows, credentials, email, customer data, backups (for extortion).
  • Espionage: sensitive documents, source code, research, executive communications, persistent access.
  • Hacktivism: public websites, social media, embarrassing internal communications, high-visibility services.
  • Sabotage: operational systems, admin consoles, backups, configurations (DNS/cloud).
  • Personal motives: personal accounts, private media, identity and reputation.
  • Insider: whatever their role already grants—often shared drives, customer lists, admin tools.
  • Access brokers/supply chain: remote access, admin credentials, vendor tools, shared integrations.

Now answer the exercise about the content:

An organization finds that an attacker first tried to delete backups and then created a new admin account in its cloud console. Which motivation best fits these early actions?

Targeting backups and cloud admin access points to maximizing disruption or ransom leverage by preventing quick recovery and expanding control.
