I’ve run into confusion around these terms lately, so let me provide a quick explainer. I think you’ll find this useful.
There are two related but separate things: phishing and hacking. They can happen independently or in tandem.
Phishing is when someone pretends to be a trusted source—a person or organization like a bank—in an attempt to obtain private information like a social security number or account password. Phishing attempts typically use emails or websites that closely mimic legitimate ones. Phishing is a form of “social engineering”: the weakness it exploits is human trust, not a technical flaw. It’s people trying to trick other people, usually over the internet or phone.
The only real defense against phishing is careful internet use and education. Two practical examples: look at the sender’s actual email address, and go to your bank’s website directly rather than clicking a link in an email.
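Both of those habits can also be automated as a first-pass screen. The following is an added example, not code from the original post or from NTEN: it parses one constructed sample email, compares the From address against a list of domains the recipient trusts, and flags any link whose visible text names one site while its real href points at another. The sender, the domains and the message body are all made up for illustration.

```python
"""Heuristic checks for the two phishing tells named above: a sender address
that does not belong to the organization it claims to be, and a link whose
visible text points somewhere other than its real target.

Added example, not part of the original post. The sample message, the
sender and the domains in it are constructed for illustration."""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: a message claiming to be from a bank (hypothetical domains).
SAMPLE_EMAIL = """\
From: "Example Bank Security" <alerts@examp1e-bank-login.net>
To: member@example.org
Subject: Action required
Content-Type: text/html

<html><body>
<p>Please verify your account:</p>
<a href="http://examp1e-bank-login.net/verify">https://www.example-bank.com/login</a>
<a href="https://www.example-bank.com/help">Help center</a>
</body></html>
"""

# Domains the recipient actually trusts (constructed for the example).
TRUSTED_DOMAINS = {"example-bank.com"}


class LinkCollector(HTMLParser):
    """Collects (visible text, href) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' approximation of the owning domain. Good enough
    for .com/.net; a production system would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def check_sender(msg, trusted):
    """Report whether the From address (not the display name) is a trusted domain."""
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    return {"display_name": name, "address": addr,
            "trusted": registrable_domain(domain) in trusted}


def check_links(html, trusted):
    """For each anchor: is the real target trusted, and does the visible text
    advertise a different domain than the href actually goes to?"""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for text, href in collector.links:
        target = registrable_domain(urlparse(href).hostname or "")
        shown = urlparse(text if "://" in text else "http://" + text).hostname
        shown = registrable_domain(shown) if shown and "." in shown else None
        findings.append({
            "text": text,
            "href": href,
            "target_trusted": target in trusted,
            "mismatch": shown is not None and shown != target,
        })
    return findings


def analyze(raw, trusted=TRUSTED_DOMAINS):
    """Run both checks over a raw RFC 822 message and return a small report."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    return {"sender": check_sender(msg, trusted), "links": check_links(body, trusted)}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_EMAIL).items():
        print(key, value)
```

On the sample, the sender check reports the address as untrusted despite the reassuring display name, the first link is flagged as a text/target mismatch, and the second link passes. A check like this catches only the crude cases; a lookalike that registers a convincing domain still comes down to the reader typing the bank’s address themselves.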
Hacking is any means by which a person or bot bypasses one or more layers of security to access private information or systems. This is a technical issue, and proactive security measures like strong, unique passwords, keeping websites and software updated, and two-factor authentication all help. Technical maintenance combined with user education is how we combat this.
Phishing and hacking can be combined when someone hacks a trusted source’s email account and then sends emails to other people asking for their information. An email might also use private information obtained from a hack to make the email appear more trustworthy.
Phish is a popular 90s jam band led by guitarist Trey Anastasio. I’ve never been a huge Phish fan, but I do like this song:
For info on combating phishing and useful real world examples (both phishing and hacking + phishing), the NTEN forums have some good stuff!
- Advice on phishing attack
- Attempted hack
- Fellow Office 365 users: how do you deal with spam/phishing emails?
- Sharing and Feedback – Phishing PHAQ
- Phishing Email Tests
Bonus: Spearphishing & Spearfishing
Spearphishing is when a specific person or group of people is actively targeted, rather than generic phishing emails being sent indiscriminately. In these cases the emails are often much more tailored, for instance pretending to be from a fellow board or staff member.
Spearfishing is where you hold your breath and stab fish. This guy is unbelievable at it: