A reference classification of cyber attacks that target people rather than enterprises. Forty attack types are organised into six threat domains and mapped across four dimensions — the attacker's goal, the delivery vector, the target asset, and the primary harm to the victim.