When I was younger, I thought hacking meant sitting in a dark room, typing furiously while green text scrolled down a black screen. Films made it look like computers were constantly being outsmarted by people who could somehow bypass every security system in under thirty seconds. If someone said they were a hacker, I assumed they knew something the rest of us didn’t.

The reality is much less cinematic.

The longer I’ve worked in software, the more I’ve realised that most successful attacks have very little to do with breaking systems. They’re about understanding timing, context, and people. A phishing email works because it arrives at exactly the right moment, not because it is clever or sophisticated.

You’re waiting for a parcel, and a delivery company emails you about an issue. You’ve just made a payment, and your bank appears to need confirmation. You’re expecting a document, and a login page arrives that looks almost identical to the real thing. The message doesn’t need to be perfect. It just needs to overlap with something that is already happening in your head.

And it only needs to work once.

Most of us like to think we would spot these things immediately, but attackers aren’t trying to fool everyone. They’re relying on the small number of people for whom the message happens to land at exactly the right time. It becomes a numbers game shaped around behaviour rather than technology.

The National Cyber Security Centre’s guidance on phishing (opens in new tab) focuses just as much on recognising suspicious behaviour as it does on technical controls. That’s because the weak point usually isn’t encryption or infrastructure, it’s decision-making under uncertainty.

In practice, most of what I end up talking about as a lead developer has very little to do with hacking. It’s password managers, multi-factor authentication, and slowing down long enough to check whether something feels right before acting on it.

At work, we push for password managers and unique credentials everywhere. At home, I say the same thing to friends and family. If something looks even slightly off, pause before doing anything else. If I ever receive an email that looks like it’s from my bank, I don’t use the number or links in the message. I go to the official website and call the published telephone number instead. It’s slower, but it removes the assumption that the email is telling the truth.

The Verizon Data Breach Investigations Report (opens in new tab) consistently shows how often breaches involve human interaction rather than technical exploitation. Not because systems are weak, but because people are persuadable at scale.

The interesting part is that the technology has improved significantly. Browsers warn us about unsafe sites, password managers generate credentials no one could realistically remember, banks monitor unusual activity, and multi-factor authentication has become standard. The systems are, in many ways, more secure than they have ever been.

Attackers have simply adapted.

It is often easier to persuade one person than to break through all of that infrastructure.

That is probably why the films still get it wrong. They make hacking look like someone breaking into a computer.

Most of the time, it’s just someone convincing someone else to open the door.