Target Hardening
November 2, 2025
When your friend says they got “hacked,” your first instinct might be concern. Someone broke into their computer. A criminal targeted them specifically. This sounds serious.
But here’s the thing: they probably weren’t hacked at all.
We tend to use “hacked” as a catch-all for anything bad that happens online. Someone got into my email? Hacked. Weird posts on my Facebook? Hacked. Fraudulent charge on my credit card? Must have been hacked.
This isn’t just semantics. These terms describe different problems with different causes and different solutions. If you think you were hacked when you were actually phished, you’ll focus on the wrong things. You’ll worry about your computer being compromised when the real issue is that you clicked a bad link and typed your password into a fake website.
Understanding what actually happened helps you respond appropriately. Some of these situations require immediate action. Others just need a password change. And some aren’t even your fault—they’re the result of a company you trusted failing to protect your information.
Let’s break down what these terms actually mean.
Real hacking is someone exploiting a technical vulnerability to gain unauthorized access to a system. This requires skill. The attacker finds a flaw in software, a misconfigured server, or a weakness in a network and uses it to get in.
Here’s the truth: if you’re an average person with an iPhone and a Facebook account, you’re almost certainly not worth hacking. Real hacking takes time and expertise. Criminals don’t spend hours breaking into your personal laptop when they can send a million phishing emails and catch a thousand people in an afternoon.
When you hear about major hacks in the news—a company losing millions of customer records, a government agency breached—that’s hacking. Someone found a way into their systems.
When your aunt says she got hacked because there’s a weird post on her Facebook, that’s almost certainly not hacking.
What actually happened to your aunt was probably phishing.
Phishing is a trick. Someone sends you an email, text, or message pretending to be someone you trust—your bank, Netflix, Amazon, the IRS—and asks you to click a link. That link takes you to a fake website that looks real. You enter your password. Now they have it.
No technical wizardry. No breaking into systems. They just asked, and you told them.
Phishing works because it targets human nature, not computer systems. The email looks legitimate. The request seems reasonable. You’re busy, you’re not paying close attention, and you click.
Spear phishing is the targeted version. Instead of blasting millions of generic emails, the attacker researches you specifically. They know your boss’s name, your company’s vendors, your recent Amazon order. The email references real details about your life, making it far more convincing.
Spoofing is impersonation at the technical level. The attacker makes something appear to come from a source it didn’t.
Caller ID spoofing is why you get calls that appear to come from your own area code, or even from a number similar to yours. The caller isn’t actually using that number—they’re faking it to make you more likely to answer.
Email spoofing is why you might receive an email that appears to come from your bank’s actual email address. The “from” field in an email is surprisingly easy to fake. Just because it says it’s from your bank’s address doesn’t mean it is.
Spoofing is often part of a phishing attack. The spoofed caller ID or email address makes the trick more believable.
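The From field is just text the sender fills in, so the receiving mail server's own verification results (SPF, DKIM and DMARC, recorded in the Authentication-Results header) are what actually say whether a message came from the domain it claims. The following added example, which is not from the original post, parses two constructed messages with Python's standard email module and flags the one whose claimed bank domain fails DMARC. The message contents, domain names and header values are all made up for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample messages (not from the original post). The headers are
# simplified; real Authentication-Results headers follow RFC 8601 and are
# added by the receiving mail server, not by the sender.
SPOOFED_MESSAGE = """\
From: "Your Bank" <alerts@bank.example>
To: you@example.net
Subject: Unusual sign-in, verify your account now
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=mail.attacker.example; dkim=none; dmarc=fail header.from=bank.example

Please confirm your login at the link below.
"""

LEGIT_MESSAGE = """\
From: "Your Bank" <alerts@bank.example>
To: you@example.net
Subject: Your monthly statement is ready
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bank.example; dkim=pass header.d=bank.example; dmarc=pass header.from=bank.example

Your statement is available in online banking.
"""


def from_domain(msg) -> str:
    """Domain of the visible From: address, i.e. what the recipient sees."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def auth_results(msg) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of Authentication-Results.
    Returns e.g. {'spf': 'fail', 'dkim': 'none', 'dmarc': 'fail'}."""
    header = msg.get("Authentication-Results", "")
    found = {}
    for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I):
        found[method.lower()] = result.lower()
    return found


def assess(raw: str) -> dict:
    """Decide whether the message's claimed From domain is backed by DMARC.
    The From header is untrusted text; a message that claims a domain but
    does not pass DMARC for it should be treated as a likely spoof."""
    msg = email.message_from_string(raw)
    results = auth_results(msg)
    return {
        "from_domain": from_domain(msg),
        "auth": results,
        "suspicious": results.get("dmarc") != "pass",
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("legit", LEGIT_MESSAGE)):
        print(name, assess(raw))
```

One caveat a practitioner should keep in mind: a sender can also write a fake Authentication-Results header into a message, which is why receiving mail servers are expected to strip any such header that arrives from outside before adding their own. Only the header stamped by your own mail server is trustworthy, and a check like this one should be run on that copy.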
Social engineering is the broad category that includes phishing, but it’s bigger than that. It’s any attack that manipulates people rather than technology.
The “tech support” caller who says they’re from Microsoft and your computer has a virus? Social engineering. The email from your “CEO” urgently requesting you buy gift cards? Social engineering. The person who calls your company’s help desk pretending to be an employee who forgot their password? Social engineering.
These attacks exploit trust, authority, urgency, and helpfulness. They work because most people want to be cooperative, especially when someone seems to be in a position of authority or claims there’s an emergency.
A data breach is when a company that has your information loses control of it. Their database gets stolen. Their servers get compromised. Your data—email, password, maybe credit card numbers, maybe your social security number—ends up in criminal hands.
This is important: a data breach isn’t something that happened to you. It’s something that happened to a company you trusted with your information. You did nothing wrong.
But the consequences land on you. If your email and password from a 2019 data breach are floating around the internet, and you use that same password for your bank account, criminals don’t need to hack anything. They just try the stolen password and walk right in.
This is why the advice to use different passwords everywhere matters. Not because you’ll get hacked, but because companies get breached, and when they do, you don’t want one stolen password to unlock your entire digital life.
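Trying breached passwords against other sites is called credential stuffing, and from the defending side it has a recognisable shape: one source cycling through many different usernames in a short time, as opposed to one person failing repeatedly on their own account. The following added example, which is not part of the original post, runs that check over a constructed login log in Python. The log format, IP addresses, usernames and the five-accounts-in-five-minutes threshold are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed login log (not from the post). One line per attempt:
# ISO timestamp, source IP, username, result. 198.51.100.4 sweeps
# six accounts in seconds; 203.0.113.9 is one user mistyping a password.
LOGIN_LOG = """\
2025-11-02T09:00:01Z ip=198.51.100.4 user=alice result=fail
2025-11-02T09:00:02Z ip=198.51.100.4 user=bob result=fail
2025-11-02T09:00:02Z ip=198.51.100.4 user=carol result=success
2025-11-02T09:00:03Z ip=198.51.100.4 user=dave result=fail
2025-11-02T09:00:03Z ip=198.51.100.4 user=erin result=fail
2025-11-02T09:00:04Z ip=198.51.100.4 user=frank result=fail
2025-11-02T09:05:10Z ip=203.0.113.9 user=grace result=fail
2025-11-02T09:05:20Z ip=203.0.113.9 user=grace result=fail
2025-11-02T09:05:40Z ip=203.0.113.9 user=grace result=success
"""


def parse_line(line: str) -> dict:
    """Turn one 'ts key=value ...' log line into a dict with a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return fields


def find_credential_stuffing(log_text: str,
                             window: timedelta = timedelta(minutes=5),
                             min_users: int = 5) -> dict:
    """Return {ip: set_of_usernames} for sources that attempted at least
    `min_users` distinct accounts within `window`. A legitimate user who
    mistypes a password fails on ONE account; stuffing spreads across MANY."""
    attempts = defaultdict(list)
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        attempts[rec["ip"]].append((rec["ts"], rec["user"]))

    flagged = {}
    for ip, events in attempts.items():
        events.sort()
        # Slide a window starting at each event and count distinct users.
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                flagged[ip] = users
                break
    return flagged


def compromised_accounts(log_text: str, flagged: dict) -> set:
    """Accounts where a flagged source actually got in. The stolen password
    still worked, so these users reused a breached password: force a reset."""
    hits = set()
    for line in log_text.strip().splitlines():
        rec = parse_line(line)
        if rec["ip"] in flagged and rec["result"] == "success":
            hits.add(rec["user"])
    return hits


if __name__ == "__main__":
    flagged = find_credential_stuffing(LOGIN_LOG)
    print("stuffing sources:", {ip: sorted(u) for ip, u in flagged.items()})
    print("accounts to reset:", sorted(compromised_accounts(LOGIN_LOG, flagged)))
```

Two practical notes. First, the successes matter more than the failures: every account the flagged source logged into is one whose owner reused a password from some earlier breach, and that is the list to act on. Second, grouping by IP address alone is a simplification; real credential stuffing is often spread across many addresses to stay under per-IP thresholds, so production detections also look at the overall ratio of failed to successful logins and at many accounts seeing their first login from a new network at once.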
Malware, viruses, and ransomware all describe malicious software—programs designed to harm you or your computer.
Malware is the umbrella term. Any software with malicious intent is malware.
Viruses are a specific type of malware that spreads by attaching to other programs or files. The term gets used loosely to mean any malware, which isn’t technically accurate but isn’t worth arguing about with your relatives.
Ransomware is malware that encrypts your files and demands payment to unlock them. This has become a massive problem for businesses and hospitals, but individuals get hit too, usually by downloading something they shouldn’t have or clicking a malicious link.
Next time someone tells you they got “hacked,” you can probably make an educated guess about what really occurred:
“Someone got into my email” — Most likely they reused a password that was exposed in a data breach, or they fell for a phishing email.
“There are weird posts on my Facebook” — They probably clicked a malicious link that asked them to log in, giving away their password. Or they granted access to a sketchy app.
“I got a virus” — They may have downloaded something untrustworthy or clicked a bad link. Could also just be an aggressive popup ad making them think they have a virus when they don’t.
“Someone stole my credit card number” — Most likely a data breach at a company they shopped with, or they entered their card info on a fake website.
The real answer is rarely “a sophisticated hacker targeted me personally.”
Understanding these terms helps you calibrate your response. Phishing means you gave away your password—change it everywhere you used it, and be more cautious about what you click. A data breach means a company failed you—monitor your accounts and consider a credit freeze. Actual hacking is rare for individuals and usually means something is seriously wrong at a technical level.
Most importantly, knowing the difference helps you avoid the wrong kind of worry. You don’t need to fear elite hackers. You need to watch out for convincing emails, reused passwords, and the assumption that “it won’t happen to me.”
Next in the Target Hardening series: “Your Digital Footprint” — what a stranger can find out about you in 15 minutes with nothing but Google.