What’s the Difference between Hacking and Phishing?

Michael Buckbee
2 min read
Last updated May 9, 2022

Because I’ve boldly assigned myself the task to explain hacking and phishing, I feel compelled to define both terms concisely because, as Einstein’s been quoted countless times, “If you can’t explain it simply, you don’t understand it well enough.”

Simply put, in my opinion:


Hacking is using exploits to gain access to something you do not normally have access to.

Phishing is masquerading as a trustworthy source in an attempt to bait a user to surrender sensitive information such as a username, password, credit card number, etc.

What’s the difference?

Hacking and phishing are related in that they are both ways of obtaining information, but they differ in their choice of methods. A phish, which is ultimately a hack, occurs when a user is baited with an email, phone call, or, perhaps, a text message and tricked into “voluntarily” responding with information. The means of getting information is no more complicated than making your forged phishing email or website look official enough to trick the victim.
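The paragraph above describes the whole trick: a forged message only has to look official. The flip side for a defender is that forgeries usually leave small mismatches between what the message claims and what its headers and links actually say. The script below is an added example (not from the original post or from Varonis) that inspects two constructed messages: it checks whether the sender's domain is on an assumed allow-list of brand domains, whether the display name borrows a trusted brand while the address domain does not match it, whether Reply-To points somewhere other than the From domain, and whether the visible text of a link names a different host than its href (or a bare IP address). The domains, addresses and the `TRUSTED_DOMAINS` allow-list are all made up for the demonstration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample messages for the demo; they are not real mail and the
# domains are placeholders. The first imitates a bank, the second is the genuine article.
FORGED_MAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-support.com>
Reply-To: recover@mailbox-relay.example
Subject: Action required: verify your account
Content-Type: text/html

<html><body><p>Please confirm your details at
<a href="http://198.51.100.23/login">https://www.example-bank.com/secure</a></p>
</body></html>
"""

LEGIT_MAIL = """\
From: "Example Bank" <alerts@example-bank.com>
Subject: Your monthly statement is ready
Content-Type: text/html

<html><body><p>Sign in at
<a href="https://www.example-bank.com/secure">https://www.example-bank.com/secure</a></p>
</body></html>
"""

# Assumed allow-list of domains the imitated brand really sends from.
TRUSTED_DOMAINS = {"example-bank.com"}

LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.IGNORECASE | re.DOTALL)
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address ('' if absent)."""
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def phishing_indicators(raw_message: str, trusted_domains=TRUSTED_DOMAINS) -> list:
    """Return (code, detail) pairs for every header or link mismatch found."""
    msg = message_from_string(raw_message)
    findings = []

    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    if from_domain and from_domain not in trusted_domains:
        findings.append(("untrusted-sender-domain", from_domain))

    # A display name that carries a trusted brand while the address domain is
    # not that brand's domain is the classic "masquerading" signal.
    for trusted in trusted_domains:
        brand = trusted.split(".")[0].replace("-", " ")
        if brand in display_name.lower() and from_domain != trusted:
            findings.append(("brand-spoof-display-name", display_name))

    # Replies routed to a different domain than the apparent sender.
    reply_domain = domain_of(parseaddr(msg.get("Reply-To", ""))[1])
    if reply_domain and reply_domain != from_domain:
        findings.append(("reply-to-mismatch", reply_domain))

    payload = msg.get_payload(decode=True) or b""
    body = payload.decode(msg.get_content_charset() or "utf-8", errors="replace")

    # Visible link text that names one host while the href goes to another.
    for href, text in LINK_RE.findall(body):
        href_host = (urlparse(href).hostname or "").lower()
        if IPV4_RE.match(href_host):
            findings.append(("raw-ip-link", href))
        text = text.strip()
        if text.startswith(("http://", "https://")):
            text_host = (urlparse(text).hostname or "").lower()
            if text_host and text_host != href_host:
                findings.append(("link-text-mismatch", f"{text} -> {href}"))
    return findings


def indicator_codes(raw_message: str) -> set:
    """Just the indicator codes, convenient for rules or tests."""
    return {code for code, _ in phishing_indicators(raw_message)}


if __name__ == "__main__":
    for label, mail in (("forged", FORGED_MAIL), ("legitimate", LEGIT_MAIL)):
        print(label, phishing_indicators(mail))
```

Run it and the forged message trips all five checks while the genuine one trips none. None of these signals is proof on its own (marketing mail legitimately uses third-party sending domains, for example), which is why they are returned as a list to score or review rather than as a single verdict.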

In a hack, information is extracted involuntarily, forcing the perpetrator to first take over your computer system, through brute force or more sophisticated methods, to access the sensitive data; that is not the case with phishing. Hackers can also use phishing as one vector in an attack, with the goal of obtaining personal information that will help facilitate their break-in. In all fairness, there are ethical hackers (known as penetration testers, or pen testers) who attack systems on behalf of the owners to explore and document security weaknesses. By the way, the term “hacker” is often used to describe benign tinkerers and, thanks in part to Paul Graham, has come to describe anyone who hacks on code.

Who are the victims?

Any individual or organization, small or large, across all verticals, and in any country, can be vulnerable. Motives for these attacks can be espionage (stealing secrets) or monetary. A prime target for cyber thieves is an organization’s servers: that’s where the data is stored, and where the pot of gold lies in the form of sensitive data. And sadly, the latest statistics in the 2014 Verizon Data Breach Investigations Report (DBIR), Verizon’s annual survey of hacking, indicate that the time it takes for IT to detect a digital break-in can be measured in months rather than days or hours.

Examples of hacking and phishing

Remember when Gizmodo writer Mat Honan’s entire digital life evaporated in a matter of hours? That was ultimately a hack, one largely enabled by multiple very intricate phishing schemes.

Here’s another revealing story about a couple who experienced an email hack, surrendering all their sensitive data to the hacker.

An example of a phish was when 2 million individuals received a fake email from a retailer about an order being processed. Those who took the bait inadvertently downloaded malware that infected their personal computers.

And the one we all still can’t stop talking about, the largest retail security breach in US history, which exposed over 70 million users’ personal information, had elements of both phishing and hacking.

More about phishing

While hacking has already established a notorious reputation and a long rap sheet, phishing is now a top 3 data breach threat [1], worthy of further exploration and education. It’s an attack that’s becoming more common, with forged emails difficult to distinguish from real ones. I know I received multiple phish emails last year and even almost clicked on the link. According to the DBIR, phishing attacks, or social engineering attacks, jumped by 52% in 2012.

Need more insights? We’ve written an ebook, Anatomy of a Phish, that helps you understand the details of this attack and what to do about them.


[1] 2014 DBIR, page 10
