Pagoda Blog

How a Cybercriminal Identifies Their Next Target

August 3, 2023

Have you ever wondered how cybercriminals identify their next target? Hint: It’s not just a company’s size, profits, or prestige they’re after. 


Often a cybercriminal is simply looking for vulnerabilities. They’re searching for an easy way into your network so that they can gain unauthorized access to sensitive data. Sensitive data, such as your employees’ or customers’ full names, email addresses, and credit card information, can be held for ransom, sold on the dark web, or used for identity theft. Understanding how a cybercriminal identifies their next target will give your company the advantage, allowing you to prepare and strengthen your defenses.


Below we share five places that a cybercriminal will look at when identifying their next target, and how you can improve your company’s cybersecurity in those areas. 


Your corporate network 

Your IT services provider isn’t the only one checking the security of your corporate network. Cybercriminals look for networks that offer easy access. They’re most often looking for the low-hanging fruit, not the size of your company. If your network isn’t protected by a firewall or its software and security patches are out of date, a cybercriminal will flag you as a potential target.


If you have remote workers, those devices that they use out of the office are hot spots for an attack. They are often left unprotected, making them the weakest point in your company network — and cybercriminals know to look for these weak points. 


Establishing a comprehensive BYOD policy and investing in up-to-date antivirus software is critical to protecting these weak endpoints. We also recommend requiring all employees to use a VPN when connecting to the internet so that their data is encrypted. Securing all Wi-Fi routers, both in the office and at home offices, is also a must.  


Your company website 

The information on your company website can provide invaluable insights for a successful phishing campaign. Names of employees, their positions in the company, and email addresses can be used to target individuals with convincing phishing emails.


While we don’t want to discourage you from having an about page that introduces customers to your team, be careful about what information you share. One rule of thumb is to never include direct email addresses. We recommend sticking to the generic customerservice@ emails for public-facing spaces like your website and social media accounts.


Last but not least, make sure sensitive information isn’t stored in your website’s metadata. Even if it’s not readily visible to the public, a hacker can access your website’s code and uncover data from inactive, hidden, or password-protected web pages.
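A check a site owner can run on their own page source before publishing, following the advice above about direct email addresses and metadata. This is an added example, not from the original post; the allowlist of role mailboxes, the list of meta tag names, and the sample page are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Assumed lists: acceptable role mailboxes; meta names that reveal people or software.
ROLE_LOCAL_PARTS = {"customerservice", "info", "support", "sales", "contact"}
REVEALING_META = {"author", "generator", "owner", "reply-to"}
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

class PageAudit(HTMLParser):
    """Collects direct email addresses, revealing meta tags and HTML comments."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def _emails(self, text, where):
        for addr in EMAIL_RE.findall(text):
            if addr.split("@")[0].lower() not in ROLE_LOCAL_PARTS:
                self.findings.append(("direct-email", where, addr))

    def handle_starttag(self, tag, attrs):
        attrs = {k: (v or "") for k, v in attrs}
        if tag == "meta" and attrs.get("name", "").lower() in REVEALING_META:
            self.findings.append(("meta", attrs["name"].lower(), attrs.get("content", "")))
        for name, value in attrs.items():
            self._emails(value, f"<{tag} {name}>")

    def handle_data(self, data):
        self._emails(data, "text")

    def handle_comment(self, data):
        # Comments are invisible in the browser but ship with the page source.
        self.findings.append(("comment", "html-comment", data.strip()))
        self._emails(data, "comment")

def audit_html(html):
    parser = PageAudit()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page (not from a real site).
SAMPLE = """<head><meta name="generator" content="ExampleCMS 1.0">
<meta name="author" content="Jane Doe"></head>
<body><!-- TODO: remove staging login, ask jane.doe@example.com -->
<p>Questions? <a href="mailto:customerservice@example.com">Email us</a></p>
<p>Our CFO: j.smith@example.com</p></body>"""

if __name__ == "__main__":
    print(*audit_html(SAMPLE), sep="\n")
```

Each finding is a `(kind, location, value)` tuple; the generic customerservice@ address passes, while the two personal addresses, the two meta tags and the leftover comment are reported for review.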


Cybercriminals also scan websites for vulnerabilities, such as out-of-date software and plugins or unsecured website hosts. (If your website isn’t yet protected with HTTPS, it’s past time to make the switch.) This is why it’s always important to install the latest updates and remind your entire team to do so across devices.


Company and personal social media accounts 

Whether you’re active on social media platforms like Facebook, Instagram, and Twitter for business or personal use, it’s important that you’re selective about what information you share. Cybercriminals scan corporate social media accounts and those of a company’s employees to find sensitive information such as email addresses, dates of birth, full names, alma maters, and other identifying information they can use in phishing campaigns or for identity theft.


Your company should have a social media cybersecurity policy in place that clearly outlines what is safe to share and what information could put the company at risk. The policy should also specify how to create a secure account by using a strong password, implementing multi-factor authentication, and limiting who has access and how much. While you can’t control what employees post on their personal accounts, you can provide trainings around safe social media practices to encourage smart behavior. 


The dark web 

All sorts of sensitive information, from social security numbers and credit card numbers to login credentials, is up for sale on the dark web. Cybercriminals will often conduct a search on the dark web for sensitive data such as a corporate bank account number, login credentials, and security question responses, allowing them to commit identity theft and access corporate funds. 


Learn more about the dark web and how to keep your data out of this dangerous online space. 


Physical documents 

Yes, cybercriminals still hack companies using data found on old-fashioned paper. Any documents you toss in the trash or recycling could be retrieved by someone with malicious intent (either an employee or unauthorized party), so always shred sensitive documents before you throw them away. Better yet, switch to a paperless office and discourage employees from printing emails or any documents that contain sensitive information.



Preparing your employees for a cyberattack is key to preventing a data breach or at least mitigating the damage. Perhaps the most important step you can take is to establish a culture of cybersecurity at your company. 


With a strong cybersecurity culture across departments, your employees are much more likely to comply with cybersecurity policies and report suspicious activity.  Regular cybersecurity awareness trainings can teach employees how to protect company data through safe online practices and how to spot and report phishing emails. These trainings can turn your employees into your best defense against a data breach, instead of your weakest link. 


If your company needs help creating a custom cybersecurity strategy or you’d like help improving cybersecurity awareness amongst your team members, don’t hesitate to reach out for a free consultation.


Feature photo by freestocks on Unsplash

