Sidebar Sidebar
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.

Phishing vs social engineering

sk1wbw

sk1wbw

Suspended
Original poster
May 28, 2011
3,483
1,011
Williamsburg, Virginia
I figure this is a good spot to ask ...

I was about halfway through a degree in information systems security before I moved... and just haven't gotten back yet. We were taught the difference between phishing and social engineering. The company I am working for now seems to think that phishing is anything related to trying to get information illegally, either via mail or the phone or whatever.

I'm trying to tell them that the method of using email is phishing and doing stuff like calling a support center on the phone or something like that is called social engineering, but they don't seem to grasp the concept of two different terms being used this way.

I know for a fact that in class we were taught that phishing is an email posing as coming from a trusted source, aka the Bank Of America graphics with URLs routing to a hostile server, whereas someone calling over the phone to try to get information about someone is called social engineering, but these guys here at this company think that phishing is everything.
 
What's got me pissed off about the whole thing is a question on a quiz had the wrong answer. the question was dealing with someone calling to try to get information about someone else, and the correct answer was phishing and that's not what I chose.

Even the instructor said that phishing can be done over the phone and that's not what phishing is.
 
If it's voice, then it's social engineering. According to the people who taught me at school, professors with doctorates, phishing is an email and that's what I was taught and that's what I'm sticking with. :)
 
sk1wbw said:
Even the instructor said that phishing can be done over the phone and that's not what phishing is.
Click to expand...
If it sounds like a duck, looks like a duck, its a duck.

Why should the medium dictate the title you call it. Most people now a days will call it phishing because that's what they know. If someone tries to get info out of me, whether its via email, or phone there's really no difference.

Besides, it seems the linked wiki states that is a phising attempt using social engineering, so it uses both of the concepts you bring up.
 
maflynn said:
If it sounds like a duck, looks like a duck, its a duck.

Why should the medium dictate the title you call it. Most people now a days will call it phishing because that's what they know. If someone tries to get info out of me, whether its via email, or phone there's really no difference.
Click to expand...

The jargon is important when one works in a specific industry. Like how we classify different DVD discs: DVD-ROM, DVD-RAM, DVD-R, DVD+R, DVD-RW, DVD+RW and so on. To regular folks they're all just DVD's.

Economy of words matters to the specific few who works in those industries. When a general contractor tells his crew he wants a load bearing wall, his crew knows exactly how to make the top plate without him going into details.
 
sk1wbw said:
I'm trying to tell them that the method of using email is phishing and doing stuff like calling a support center on the phone or something like that is called social engineering, but they don't seem to grasp the concept of two different terms being used this way.

I know for a fact that in class we were taught that phishing is an email posing as coming from a trusted source, aka the Bank Of America graphics with URLs routing to a hostile server, whereas someone calling over the phone to try to get information about someone is called social engineering, but these guys here at this company think that phishing is everything.
Click to expand...

I'm with you, more or less - my idea of phishing is via email, website, etc., but definitely not social. If there's a social aspect to it, using live communication (including text/IM/chat), I would call it social engineering.

maflynn said:
If it sounds like a duck, looks like a duck, its a duck.

Why should the medium dictate the title you call it.
Click to expand...

Because to the people using these methods, they're different, and they have different names. Like "hacking" correlates with computers, but in the days of POTS, using a telephone was "phreaking," not "hacking" - even though you're doing more or less the same thing.
 
You must log in or register to reply here.
Register on MacRumors! This sidebar will go away, and you'll see fewer ads.
Top Bottom
Back