CISI Combating Financial Crime: Cyber Attacks and Computer Hacking (Phishing, Malware, Ransomware, DDoS)

Learn key cybercrime terms (phishing, malware, ransomware, DDoS) and how they link to fraud risks tested in CISI CFC.

CISI Combating Financial Crime increasingly reflects the reality that modern fraud is often cyber-enabled. Even when the end goal is simple (steal money), the method may involve phishing messages, malware on devices, or disruptive attacks that create operational chaos.

For exam purposes, you must be able to define core cyber terms and explain how they connect to fraud and money laundering risks. For real-world work, these definitions support effective escalation: an incident may start as “IT security” but quickly becomes a financial crime event if accounts are compromised or payments are diverted.

This lesson focuses on the key cyber attack categories covered in the workbook segment and how to apply them to scenario questions.

Where this topic sits inside CISI Combating Financial Crime

This sits under Types of Fraud and supports later understanding of identity fraud, account takeover, and authorised push payment fraud. It also links to the broader point that cybercrime can generate proceeds that criminals attempt to launder—so cyber risks and AML controls often meet in practice.

The concept explained in plain English

A cyber attack is an assault using one or more computers to target other systems, often to steal data, gain access, or disrupt services. In the context of financial crime, common cybercrime tools include:

  • Malware: harmful software (eg, viruses, worms, Trojans, spyware) designed to damage systems, spy on users, or enable unauthorised access.
  • Phishing: fake communications (email/text/calls) pretending to be legitimate to trick victims into revealing credentials or sensitive information, often via a link to a fake website.
  • Ransomware: malware that encrypts files/devices and demands payment to restore access.
  • DDoS: flooding a target system with traffic from multiple systems to disrupt normal service.

In many financial crime scenarios, fraud crystallises when money is taken or moved, but the cyber stage is the enabling step. In exams, do not confuse “disruption” (DDoS) with “credential theft” (phishing/spyware).

How it works step-by-step

  1. Reconnaissance: attacker identifies targets (customers, employees, vendors) and weaknesses.
  2. Delivery:
    • Phishing email with a fake login page
    • Malicious attachment/install
    • Network attack leading to malware deployment
  3. Compromise: credentials harvested, malware installed, or access gained.
  4. Action on objectives:
    • Account takeover and unauthorised payments
    • Data exfiltration to enable identity fraud
    • Ransomware encryption + payment demand
    • DDoS disruption to distract from other activity
  5. Monetisation and laundering: funds moved through mules, multiple accounts, or cross-border rails.

Practical examples

  • Phishing: An employee receives an “urgent password reset” email, enters credentials on a cloned page, and the attacker logs into corporate systems to initiate payments.
  • Spyware (malware): A customer’s laptop is infected and keystrokes are captured, enabling account takeover.
  • Ransomware: A firm’s shared drive is encrypted, halting operations and pressuring payment; fraud risk increases if attackers also steal data.
  • DDoS: Online services are overwhelmed, preventing customers from accessing accounts while criminals attempt parallel social engineering.

Exam focus: how this is tested

  • Term recognition: match the definition to the label (phishing vs ransomware vs DDoS).
  • Link to outcomes: which cyber method most directly leads to credential theft? (phishing/spyware).
  • Control logic: what should firms strengthen? (CDD, monitoring, screening, alerts—conceptually).
  • Scenario traps: DDoS is primarily disruption; ransomware encrypts files and demands payment.

Common pitfalls and how to avoid them

  • Pitfall: Treating malware and ransomware as unrelated. Avoid: Ransomware is a type of malware.
  • Pitfall: Thinking phishing is always email. Avoid: It can be texts or calls (social engineering) too.
  • Pitfall: Confusing DDoS with data theft. Avoid: DDoS aims to disrupt availability; theft may happen separately.
  • Pitfall: Ignoring “what happens next”. Avoid: Always connect cyber compromise to fraud or laundering pathways.

Self-test (original questions)

  1. Question: What is the main purpose of a DDoS attack?
    Answer: Disrupt availability of a service by flooding it with traffic.
    Explanation: It targets service uptime rather than directly stealing credentials.
  2. Question: Which threat most directly aims to trick a person into revealing login details?
    Answer: Phishing.
    Explanation: It uses fake communications and often a hoax login page.
  3. Question: Ransomware is best described as:
    Answer: Malware that encrypts files and demands payment to restore access.
    Explanation: Encryption + ransom demand are key features.
  4. Question: Name two types of malware.
    Answer: Virus and Trojan (others may include worm or spyware).
    Explanation: Malware is a broad category.
  5. Question: True/False: Phishing can be delivered via text messages or phone calls.
    Answer: True.
    Explanation: The channel varies; the deception is the constant.
  6. Question: A customer’s device logs keystrokes and sends them to an attacker. What type of malware is this?
    Answer: Spyware.
    Explanation: Spyware monitors activity to capture sensitive data.
  7. Question: Why might cybercrime be relevant to AML risk?
    Answer: It can generate illicit proceeds that need laundering through accounts and transactions.
    Explanation: Fraud proceeds can be layered and integrated.
  8. Question: In a vignette, what clue suggests ransomware rather than “ordinary” malware?
    Answer: Files are encrypted and a payment is demanded to restore access.
    Explanation: The ransom demand is the differentiator.
  9. Question: What is a common post-compromise fraud outcome after phishing?
    Answer: Account takeover and unauthorised payments.
    Explanation: Stolen credentials enable access.

Note for candidates in Riyadh

For CISI Combating Financial Crime Riyadh candidates, treat cyber definitions as a memorisation + application task. Create a one-page glossary (phishing, malware, ransomware, DDoS) and then write one scenario example for each—this locks in recall under time pressure. Plan short daily sessions (20–30 minutes) rather than long weekly blocks, because cyber terms are easy to confuse if you don’t revisit them. For exam booking and rules (remote vs centre-based, ID, rescheduling), verify the latest requirements directly with CISI and/or the exam provider.

FAQs

  • Is ransomware a separate category from malware?
    Ransomware is a type of malware with encryption and a ransom demand.
  • What makes phishing different from “hacking”?
    Phishing is deception of people; hacking can involve technical exploitation, though they can be combined.
  • Does a DDoS attack always cause financial fraud?
    No, but it can create disruption and sometimes be used as a distraction for other crime.
  • Why does CISI CFC include cyber topics?
    Because cyber methods commonly enable fraud, account takeover, and illicit fund movements.
  • Can phishing be done by phone?
    Yes, phishing can occur via calls or texts as well as email.
  • What is spyware used for?
    To monitor a user/device and capture data such as credentials.
  • How do cyber attacks connect to money laundering?
    Stolen funds can be moved through multiple accounts and intermediaries to hide origin.
  • Do I need deep IT knowledge for the exam?
    Usually no; focus on definitions, typical methods, and control implications in the syllabus scope.

Next step

Keep building your exam-ready understanding with the full CISI Combating Financial Crime pathway and practise timed recall on www.TadawulExams.com.

About Tadawul Academy
Tadawul Academy supports CISI learners with structured lessons, concise revision notes, and realistic exam practice.

Disclaimer
Always verify exam rules, pass marks, and booking steps with the official CISI syllabus and the exam provider.

Quick Quiz

  1. Which term best fits “flooding a server to disrupt service”?

    • A. Phishing
    • B. DDoS
    • C. Ransomware
    • D. Insider dealing
  2. Which cyber method most commonly tricks a user into entering credentials on a fake site?

    • A. DDoS
    • B. Phishing
    • C. Stabilisation
    • D. Buyback programme
  3. Ransomware is best described as malware that:

    • A. Prints fake invoices
    • B. Encrypts files and demands payment
    • C. Screens for sanctions
    • D. Confirms source of funds

Answers

  • 1: B
  • 2: B
  • 3: B