What’s the Difference between Hacking and Phishing?

2 min read
Published May 21, 2014
Last updated May 9, 2022

Because I’ve boldly assigned myself the task to explain hacking and phishing, I feel compelled to define both terms concisely because, as Einstein’s been quoted countless times, “If you can’t explain it simply, you don’t understand it well enough.”

Simply put, in my opinion:

Hacking is using exploits to gain access to something you do not normally have access to.

Phishing is masquerading as a trustworthy source in an attempt to bait a user to surrender sensitive information such as a username, password, credit card number, etc.

What’s the difference?

Hacking and phishing are related in that they are both ways of obtaining information, but they differ in their choice of methods. A phish, which is ultimately a hack, occurs when a user is baited with an email, phone call, or, perhaps, a text message and tricked into “voluntarily” responding with information. The means of getting information is no more complicated than making your forged phishing email or website look official enough to trick the victim.

In a hack, information is extracted involuntarily, forcing the perpetrator to first take over your computer system, through brute force or more sophisticated methods, to access the sensitive data; that is not the case with phishing. Hackers can also use phishing as one vector in an attack with the goal of obtaining personal information that will help facilitate their break-in. In all fairness, there are ethical hackers, known as penetration testers or pen testers, who attack systems on behalf of owners to explore and document security weaknesses. By the way, the term “hacker” is often used to describe benign tinkerers and, thanks in part to Paul Graham, has come to describe anyone who hacks on code.

Who are the victims?

Any individual or organization (small or large, across all verticals, and in any country) can be vulnerable. Motives for these attacks can involve espionage (stealing secrets) or be monetary. A prime target for cyber thieves is an organization’s servers: that’s where the data is stored, and where the pot of gold lies in the form of sensitive data. And sadly, the latest statistics in the 2014 Verizon Data Breach Investigations Report (DBIR), Verizon’s annual survey of hacking, indicate that the time it takes for IT to detect a digital break-in can be measured in months rather than days or hours.

Examples of hacking and phishing

Remember when Gizmodo writer Mat Honan’s entire digital life evaporated in a matter of hours? That was ultimately a hack, which was largely enabled by multiple very intricate phishing schemes.

Here’s another revealing story about a couple who experienced an email hack, surrendering all their sensitive data to the hacker.

An example of a phish was when 2 million individuals received a fake email from a retailer about an order being processed. Those who took the bait inadvertently downloaded malware that infected their personal computers.

And the one we all still can’t stop talking about, the largest retail security breach in US history, which exposed over 70 million users’ personal information, had elements of both phishing and hacking.

More about phishing

While hacking has already established a notorious reputation and a long rap sheet, phishing is now a top-3 data breach threat [1], worthy of further exploration and education. It’s an attack that’s becoming more common, with forged emails difficult to distinguish from real ones. I know I received multiple phish emails last year and even almost clicked on the link. According to the DBIR, phishing attacks, or social-engineering attacks, jumped by 52% in 2012.

Need more insights? We’ve written an ebook, Anatomy of a Phish, that helps you understand the details of this attack and what to do about them.

[1] 2014 DBIR, page 10
