What’s the Difference between Hacking and Phishing?

Last updated May 9, 2022

Because I’ve boldly assigned myself the task to explain hacking and phishing, I feel compelled to define both terms concisely because, as Einstein’s been quoted countless times, “If you can’t explain it simply, you don’t understand it well enough.”

Simply put, in my opinion:


Hacking is using exploits to gain access to something you do not normally have access to.

Phishing is masquerading as a trustworthy source in an attempt to bait a user to surrender sensitive information such as a username, password, credit card number, etc.

What’s the difference?

Hacking and phishing are related in that they are both ways of obtaining information, but they differ in their choice of methods. A phish, which is ultimately a hack, occurs when a user is baited with an email, phone call, or, perhaps, a text message and tricked into “voluntarily” responding with information. The means of getting information is no more complicated than making your forged phishing email or website look official enough to trick the victim.

In a hack, information is extracted involuntarily, forcing the perpetrator to first take over your computer system, through brute force or more sophisticated methods, to access the sensitive data. That’s not the case with phishing. Hackers can also use phishing as one vector in an attack, with the goal of obtaining personal information that will help facilitate their break-in. In all fairness, there are ethical hackers, known as penetration or pen testers, who attack systems on behalf of owners to explore and document security weaknesses. By the way, the term “hacker” is often used to describe benign tinkerers and, thanks in part to Paul Graham, has come to describe anyone who hacks on code.

Who are the victims?

Any individual or organization, small or large, across all verticals and in any country, can be vulnerable. Motives for these attacks can involve espionage (stealing secrets) or be monetary. A prime target for cyber thieves is an organization’s servers: that’s where the data is stored, and where the pot of gold lies in the form of sensitive data. And sadly, the latest statistics in the 2014 Verizon Data Breach Investigations Report (DBIR), Verizon’s annual survey of hacking, indicate that the time it takes for IT to detect a digital break-in can be measured in months rather than days or hours.

Examples of hacking and phishing

Remember when Gizmodo writer Mat Honan’s entire digital life evaporated in a matter of hours? That was ultimately a hack which was largely enabled by multiple very intricate phishing schemes.

Here’s another revealing story about a couple who experienced an email hack, surrendering all their sensitive data to the hacker.

An example of a phish was when 2 million individuals received a fake email from a retailer about an order being processed. Those who took the bait inadvertently downloaded malware that infected their personal computers.

And the one we all still can’t stop talking about, the largest retail security breach in US history, which exposed over 70 million users’ personal information, had elements of both phishing and hacking.

More about phishing

While hacking has already established a notorious reputation and long rap sheet, phishing is now a top 3 data breach threat [1], worthy of further exploration and education. It’s an attack that’s becoming more common, with forged emails difficult to distinguish from real ones. I know I received multiple phish emails last year and even almost clicked on the link. According to the DBIR, phishing attacks, or socially engineered attacks, jumped by 52% in 2012.

Need more insights? We’ve written an ebook, Anatomy of a Phish, that helps you understand the details of this attack and what to do about them.

 


[1] 2014 DBIR, page 10
