We promised to explain everything to you on this site in plain English.

Below you’ll find a selection of the most commonly-used technical terms when talking about online security.

Just click on each to find a plain English explanation of what they mean and real-world examples of how you might come across them.


The use of two different elements to verify a user’s claimed identity.

Simply put, instead of just putting in a username and password to a site/app or service, in addition to that you would have to provide extra information (very often 5 or 6 numbers) that only you personally, physically have access to.


Most commonly this is done either through:

  • the site you’re trying to access sending you a code by SMS to your cellphone, or
  • you having an “authenticator” app on your phone or tablet that generates a new 6-digit code every 30 seconds that is invisibly and seamlessly synced-up behind-the-scenes with the site you’re trying to access (although downloading and setting-up an app may be more hassle, it does mean you don’t have to worry about being out of cellphone coverage, which would mean the SMS authentication method wouldn’t work).

Every time you go to log-in to whichever online account you’ve set up for 2FA/MFA, in addition to your username and password, you would then be asked for a unique 6-number code. Only when you successfully enter that current number are you able to access your account.


In addition to “software” 2FA and MFA, there are an increasing number of hardware “keys” that do a similar thing.


Hardware keys mean that to sign-in, that key has to be physically inserted into the device you are attempting to log-in from and then you performing an action to verify it.


Either the software or hardware method stops someone from accessing your accounts even if they have stolen or guessed your username and password, and is an extra security feature that many more sites and services are offering


Short for “ADvertising MalWARE“.


At best, adware can simply be irritating – persistent adverts that appear in every brwoser tab or infinitely popping-up windows that slow your device down and stop you from seeing the content you’re after clearly.


At its worst it can undermine your browser’s security settings, track your activities and serve-up ads in places it wouldn’t normally have access to. Once that loophole is opened, it can also allow in more sophisticated, dangerous types of malicious code that can do greater harm.


A botnet is a network of infected computers which are orchestrated to work together by the hacker that put it together.


These malicious networked machines help hackers to spread fake websites, send out annoying or dangerous spam that could trick people into handing out personal information, break into people’s online account and even shut down sites or parts of the internet.


These “zombie” machines as they are called are under the control of the “bot herder” or the “Command and Control Centre”. Under their guidance, the power of such a network is enormous and has been enough to bring utilities to a standstill, even safety networks like the traffic lights on our streets.


In terms of how a botnet might affect an everyday user, if you have allowed malware onto your device, you might now unwittingly have become one of the “zombies” supporting the network. Alternatively, if you run a website, or even if you’re simply trying to use a website while surfing, a botnet is powerful enough to slow or even stop a website, rendering it useless – this is called a DDOS attack.


Cookies are tiny in size but they are literally everywhere you have been on the internet and they are everywhere you are ever likey to go too.


They are tiny little text files (not programs or software) that are placed onto your device whenever you visit a website. They can store as little as two pieces of information – the website you’re visiting and a unique ID given to you alone – or they can be more sophisticated and track how long you’ve spent on a site, which pages you visited and so on.


The purpose of them is for websites to keep track of your visits and activity, so that sites can always serve you the most relevant and interesting content. For example, the first time you visit a site, you might want to see a landing page that explains everything about the site you’ve come to. If you kept seeing that splash-page though on every subsequent visit, you’d get pretty tired of it quite quickly. Cookies stored by the website on your device can tell that same website that you are a returning visitor (and much more besides) so don’t serve up the splash-page shown to first-time users.


So cookies can be useful.


However, wherever there is a way in for something useful, there is also a gap for something much more malicious to be spread onto your devices too. Some viruses and malware may be disguised as cookies, and even the mere thought of your surfing habits being “tracked” may be enough to worry you.


Your browser will offer you different ways of handling different types of cookie, so you should be able to manage them to suit your own preference.


Banning ALL cookies might make some websites difficult or even impossible to navigate, but controlling or limiting so-called “third-party” and “tracking” cookies is one way to reduce the risk of being hit by something more malicious.


One of the most powerful weapons a hacker can use on the internet.


You often hear about websites having been “taken down by hackers” – generally this is done by a hacker unleashing a DDoS attack.


Targeting websites and online services, a DDoS attack floods that site or service with more traffic than it can handle, overwhelming it, bringing it to its knees so it can no longer (usually temporarily) be used.


To achieve the volume of traffic required to overload a site, DDoS attacks are very often accomplished by a botnet – bearing in mind there could be thousands, or even millions of computers in just one botnet.


Encryption is the process of converting the information you type into your device, into a jumble of code that only the intended recipient of the information at the other end has a “key” to.


This happens seamlessly and invisibly for the authorised parties to the code e.g. you and whomever you’re sending and receiving information to and from, which might be your online banking service, but it means that anyone who might be “snooping” or looking-in to try and read your personal data will just find a jumble of code that is meaningless to them.


This is one of the main advantages of using VPNs as the data is automatically encrypted before it is sent and only converted back to readable content again at the other end.


Hypertext Transfer Protocol (HTTP) is the “language” your browser uses when communicating with websites.


The “S” in HTTPS indicates that it is talking to those sites in a “Secure” way. That is because the data being exchanged between your broswer and the site is being encrypted.


That encryption is being powered by Secure Sockets Layer (SSL) – the standard for ensuring privacy of data between browser and websites/servers.

The “IP” part stands for “Internet Protocol”.
Every device that connects directly to the internet is automatically assigned an IP address. That address takes the form of a long number separated by dots into 4 separate sections. For example, one of Google’s IP Addresses is Often the router that your internet service provider (ISP) gives to you has the IP address or You can see the general format.
As a home user, generally your device connects indirectly to the internet through your ISP’s own network, and the internet “sees” your device as coming from your household connection. For example, your desktop at home might have an individual IP address of but that’s on your home network. In turn, your home network has an IP address with your ISP of, say To the internet, your IP address is
The reason to point this out is because most sites (not ours) use your full IP address as just one way of tracking how you move round the internet, which sites you visit, which pages within which sites, how long you spend there, how you found it, where you went once you left it etc etc

Short for “MALicious softWARE“.


This term is used to describe any virus, worms, code, Trojans, spyware, ransomware, adware or other content that is intended to damage or impact the user.


The intended impact might be to steal your personal data, render your computer/device useless or to lock them up until you pay the hacker a ransom.


The worst thing is that malware is very hard to spot but good online security practice should minimise the chances of you accidentally downloading it to your device.


This is the software installed on your devices that enables you to use them.


For example, for many desktops, laptops and PCs, Windows from Microsoft will be the operating system. Apple desktops and laptops will use macOS.


For mobile devices like smartphones and tablets, you might find the Android OS, or Apple’s mobile device operating system iOS.


Linux is another operating system that you might find on desktops or laptops.


To complicate matters further, hardware manufacturers like Samsung, LG or Huawei might overlay the operating system with their own “skin” to make it look more like they want it to.


What all operating systems have in common is that they are there to enable the user to use the device they’re on. If a device didn’t have an OS you wouldn’t be able to load any apps or programs that allow you to browse the internet, get your email, or write a document, or create a spreadsheet.


As the name suggests, this is the practice of criminals coming “fishing” for your personal and online details so that they can use them for their own purposes later.

Why “phishing” and not “fishing”? Some of the earliest hackers were known as “phreaks” – “phreaking” refers to the practice of studying, exploring and experimenting with telecommunication systems, so when hackers started fishing for personal details, it became known as “phishing”.

Phishing is generally carried out via email, telephone or text message and involves the target being “persuaded” to give away personally identifiable information such as banking and credit card details and passwords. Normally the victim is duped into doing so because the criminal behind the email, call or text poses as a legitimate institution like a bank or government agency.

Attacks have also become so sophisticated to the point now where psychological techniques are used e.g. guilt or “social responsibility” to entice the user to give away their personal details. This is where the term “social engineering” has come from.

There are, of course, much more crude efforts which are easily identifiable and can be easily avoided.

Once personal details are obtained, the criminal goes on to access the victim’s accounts resulting in identity theft and financial loss.


Over the last few years, ransomware has taken over as today’s No1 security threat, primarily for businesses though.


It is malicious software that encrypts files on your device and then locks you out until you pay the hacker a ransom – usually in the form of Bitcoins to preserve their anonymity.


Ransomware exists in many forms – tying-up your computer by encrypting some of all of your files is the most common, however, they can also be “Lockers” which simply lock you out of your device until you pay up, “Scareware” that poses as genuine software (like an antivirus or computer cleaning tool) that claims to have found issues on your device and then demands money to fix them, through to “Doxware” or “Leakware” which threatens to publish private information it finds on your device unless you pay the ransom.


SPYing softWARE


This is one of the most dangerous forms of Malware as it is solely focused on accessing your personal identity and real-world assets.


Not everyone using spyware is necessarily a criminal though. Governments and their agencies use it to collect as much information as possible on you. Advertisers use it to work out what your likes and dislikes are so they can serve you ever-more targeted advertisements.


However, criminal organisations use spyware to try and harvest as much financial and other personal information from you, like your online bank accounts and passwords or credit card information.


Spyware comes in many forms including Trojans, keyloggers that record the letters you press on your keyboard, and even some tracking cookies can be considered as a kind of spyware as they know where you go online and tell advertisers which ads to serve-up to you.


Taken from Greek mythology, the story of the Trojan Horse tells of how an army got behind enemy lines by being hidden inside a seemingly innocent gift – a huge, hollow, wooden horse.


Computer-based Trojans use the same way to get onto and infect devices – they hide within seemingly innocent programs or apps and only get to work once they’re installed.


They can then carry out a variety of tasks once on your device. They can act as a “backdoor” that allows other malware or even a hacker in – that could be the start of a botnet. Similarly a hacker might use a Trojan to turn your device into a “zombie” or slave, bringing it under their control in a very broad-based network around the globe. Trojans can also deliver spyware, waiting for you to go online and access your banking or credit card accounts, and then sending those details back to whoever created it in the first place.


They’re also very difficult to spot – they can look like just about anything. Trojans have been known to live inside mp3 or music files, downloaded movies or games (all normally from disreputable or illicit sites it has to be said).


A “tunnel” created within the connection that you have to the internet and the site/service you are using. Any data that then flows through that tunnel is encrypted and shielded from anyone else other than you and the site/service at the other end being able to see.


VPNs can either be a piece of hardware (more for corporate systems) or software (like an app on your phone/tablet or a program on your desktop).


VPNs are used for a variety of purposes, but from an online security standpoint, they mean that nobody else can see what you are transmitting which could be things like credit card numbers, bank details and other personal information you would rather keep secret between you and the person/site you want to share it with.


More and more it’s not just cybercriminals you might be interested in protecting yourself from in this way, but your Internet Service Provider (ISP) who, in some countries, can legally view the sites you have visited and sell that data to advertisers so that they can target you for what they think might be relevant products.


As its name would suggest, a computer virus is designed spread like a flu virus as quickly and efficiently as possible.


In order to do so, just like its living counterpart, a computer virus needs a “host” – a document or file that enables it to “reproduce” and spread.


It is a piece of malicious code or program that is written to change the way a device operates causing unexpected and potentially damaging effects. At its extreme it can not just corrupt data, but render a device completely unusable.


With the volume of emails being written and read, the use of social media networks, text messages and media downloads, the number of “hosts” viruses can rely on to be transported has exploded over recent years.


A virus is just one of many types of malware.