Because I’ve boldly assigned myself the task to explain hacking and phishing, I feel compelled to define both terms concisely because, as Einstein’s been quoted countless times, “If you can’t explain it simply, you don’t understand it well enough.”
Simply put, in my opinion:
Hacking is using exploits to gain access to something you do not normally have access to.
Phishing is masquerading as a trustworthy source in an attempt to bait a user to surrender sensitive information such as a username, password, credit card number, etc.
What’s the difference?
Hacking and phishing are related in that they are both ways of obtaining information, but they differ in their choice of methods. A phish, which is ultimately a hack, occurs when a user is baited with an email, phone call, or, perhaps, a text message and tricked into “voluntarily” responding with information. The means of getting information is no more complicated than making your forged phishing email or website look official enough to trick the victim.
In a hack, information is extracted involuntarily, forcing the perpetrator to first take over your computer system, through brute force or more sophisticated methods, to access the sensitive data—that’s not the case with phishing. Hackers can also use phishing as one vector in an attack with the goal of obtaining personal information that will help facilitate their break-in. In all fairness, there are ethical hackers—known as penetration or pen testers– who attack systems on behalf of owners to explore and document security weaknesses. By the way, the term “hacker” is often used to describe benign tinkerers and, thanks in part to Paul Graham, has come to describe anyone who hacks on code.
Who are the victims?
Any individual, organization – small or large, across all verticals, and in any country—can be vulnerable. Motives for these attacks can involve espionage—stealing secrets–or be monetary. A prime target for cyber thieves are an organization’s servers–that’s where the data is stored, and where the pot of gold lies in the form of sensitive data. And sadly, the latest statistics in the 2014 Verizon Data Breach Investigations Report (DBIR), Verizon’s annual survey of hacking, indicate that the time it takes for IT to detect a digital break-in can be measured in months rather than days or hours.
Examples of hacking and phishing
Remember when Gizmodo writer, Mat Honan’s entire digital life evaporated in a matter of hours? That was ultimately a hack which was largely enabled by multiple very intricate phishing schemes.
Here’s another revealing story about a couple who experienced an email hack, surrendering all their sensitive data to the hacker.
An example of a phish was when 2 million individuals received a fake email from a retailer about an order being processed. Those who took the bait inadvertently downloaded malware that infected their personal computers.
And the one we all still can’t stop talking about – the largest retail security breach in US history, which exposed over 70 million users’ personal information—had elements of both phishing and hacking.
More about phishing
While hacking has already established a notorious reputation and long rap sheet, phishing is now a top 3 data breach threat1, worthy of further exploration and education. It’s an attack that’s becoming more common, with forged emails difficult to distinguish from real ones. I know I received multiple phish emails last year and even almost clicked on the link. According to DBIR , phishing attacks, or social engineered attacks, jumped by 52% in 2012.
Need more insights? We’ve written an ebook, Anatomy of a Phish, that helps you understand the details of this attack and what to do about them. Tablet-centric folks can download the ePub format, which will directly display in an iBooks or Kindle app, and traditionalists have their PDF version. If you need a few quick nuggets of information, you can browse through some of the highlights in the condensed web-version below.
1 2014 DBIR, page 10