Who is out there
Attacks against home users come from a surprisingly wide range of actors. Understanding who they are is less about threat intelligence and more about calibrating expectations: not every attack is targeted, not every attacker is sophisticated, and the tools used by advanced groups increasingly reach unsophisticated ones.
Nation-state actors
State-sponsored groups operate with significant resources, legal cover, and long time horizons. Their primary targets are governments, critical infrastructure, and high-value individuals, but their tools and techniques percolate outward. Malware developed by state groups eventually appears in criminal hands. Zero-day exploits purchased by one government get rediscovered by another. The relevance to home users is mostly indirect: the techniques that hit enterprises this year tend to reach home networks within a few years, usually via criminal adoption of the same approaches.
Organised crime
Criminal groups have professionalised considerably. Many operate with dedicated development teams, affiliate networks, customer support for ransomware victims, and revenue-share models that allow low-skill operators to deploy sophisticated tools. The financial motive is straightforward and the economics favour volume: targeting many individuals with automated tools is more reliable than targeting fewer with manual effort.
Insiders
An insider with legitimate access and a grievance, a bribe, or a lapse in judgement represents a different kind of risk. In a home context, this usually means someone with physical access to devices or knowledge of credentials: a family member, a former partner, or someone with prolonged access to an account.
Low-skill opportunists
The availability of Malware-as-a-Service, crimeware kits, and detailed tutorials has made it possible to launch credential-stuffing campaigns, phishing operations, and ransomware attacks without significant technical skill. This is now the most common category. The barrier to entry is low and the automation is high.
The common thread
Social engineering runs through nearly all of these categories. It works not because people are naive but because it targets how people respond under time pressure, apparent authority, and emotional load. A convincing urgent message from a bank, a spoofed call from a carrier, a prompt appearing at an inconvenient moment: these exploit patterns in human decision-making that are consistent and predictable. The technical layer of a threat is often the easier part to address; the social layer is the one that keeps working. The conditions it exploits are not edge cases. They are Tuesday.