top of page

Predicted top attack vectors to look out for in 2022

It’s the Christmas list that no one wants: from phishing to APIs to the Internet of Things, it could be a bleak midwinter if your business has to deal with anything from this naughty list!

Threat actors are continuously leveraging new ways to increase their attack surface in exchange for higher success rates. Threat actors include nation-state actors, advanced persistent threats (APTs), hacktivists, organised crime, and insider threats.

Each have varying motivations for targeting an organisation, ranging from disruption, financial gain, and political reasons.

Although they have differing motivations, there are more than often commonalities in the attack vectors used. SecurityAffairs have compiled a list of the top five attack vectors to look out for in 2022. They are:

Threat actors are continuously searching for better ways to ensure the success rate of a cyber-attack. To achieve this, they will often employ new attack methods or leverage existing exploits which may be reliant on vulnerable technology or social engineering tactics.

Phishing is expected to continue to be the top attack vector in 2022. Phishing techniques are known to use social engineering to manipulate victims into taking action that they wouldn’t normally take, with the end goal of compromising a network or gaining access to sensitive data. The most common form of phishing is email, often using manipulation techniques to trick recipients into providing sensitive information, such as login credentials or bank details.

In second place is stolen credentials. A 2021 report on data breaches by Verizon identified that stolen credentials were the initial attack vector used in 61% of all breaches. Threat actors can purchase bulk lists of stolen credentials from DarkWeb forums to target organisations.

Data breaches often stem from poor password hygiene and access management controls. Employees regularly re-use passwords across multiple applications and services, increasing the risk of further compromise.

API (Application Programming Interfaces) exploits is in third place. APIs are now a significant way for organisations to integrate their applications and services with other resources within the digital realm by facilitating communication between different apps and services via third party vendors.

Traditional security tactics cannot detect API attacks, so organisations remain at higher risk of a breach or data exfiltration via API technology.

In fourth place is remote technology, given the recent increase in the use of remote access technology, organisations are now heavily reliant on a hybrid workforce which places greater strain on protecting networks and systems, with threat actors seeking to exploit Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) connections.

A report by Malwarebytes found that 20% of organisations experienced a security breach due to remote work.

Finally, in fifth place is Internet of Things (IoT) devices. Many organisations don’t have clear visibility of their IoT devices, and it is very common for IoT products to use default credentials that threat actors can either easily guess or access websites like or the Google Hacking database to identify lists of vulnerable devices with publicly known access credentials. An attack on an IoT device could also be the initial entry point into a wider network and could lead into further activities such as the installation of ransomware.



Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).



The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.

bottom of page