Phishing, Spam, & Marketing Emails: What’s the Difference?

Written by: Kelsey Clark

When it comes to email communications today, phishing and spam are both unwelcome nuisances in everyone’s inbox. In order to defend against the different tactics cybercriminals are leveraging online, a variety of essential security measures are necessary–one of the most important being general awareness.

Even though the words “phishing” and “spam” are often used interchangeably, these terms actually have different meanings. This blog post will help you understand how to differentiate between phishing attacks, spam messages, and marketing emails as well as help you recognize them before they exploit you.

Phishing

First, let’s talk about phishing. Please note that phishing attack vectors go beyond email, but for the sake of this comparison, I will specifically discuss phishing email attacks.

Phishing is a complex and substantial security risk to both individuals and businesses. Csoonline.com defines phishing as “a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need–a request from their bank, for instance, or a note from someone in their company–and to click a link or download an attachment.”

Phishing emails are malicious–behind every phishing message is a cybercriminal hoping to lure in and trick the victim into either revealing personal information or clicking a malicious link. The main difference between phishing and spam is the intent behind the message.

Main Goal: To acquire personal, sensitive information

When it comes to phishing, malicious actors create deceptive emails with the intent of extracting personal information from an individual or company. The information could be for identity theft, financial fraud, etc.

Examples of the sensitive information at stake include:

  • Login credentials

SecurityMetrics has a great blog post that also provides more specific details about the top 10 types of phishing emails–check it out!

Methods of Malice: The malicious actor wants you to click things

Bottom line, check it before you click it. One of the main methods of phishing is tricking a targeted individual into clicking on a malicious attachment or website.

Examples of the “things” you should not click:

  • Attachments — Attachments give attackers the perfect opportunity to masquerade as something legitimate, but a single click on one can infect a system with malware (ransomware, worms, viruses, trojans, rootkits, adware, etc.).

Key Indicators: What you should watch out for

Phishing emails are fraudulent communications disguised as a legitimate, reputable source (e.g., individuals or entities such as government institutions, state agencies, financial companies, donation organizations, etc.).

Two key tactics to be aware of:

  • Personal, specific, and targeted — These attacks are crafted to target a specific individual. This means they will be written to seem more personal and relevant to the victim.

Examples: Below you will see the breakdown of a few real-world instances of phishing emails

Again, common warning signs might include highly personalized messaging, an unknown sender, appeals to emotions and urgency, bad grammar, and a request for your password.

Phishing example images courtesy of Cofense.
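The warning signs listed above (an unknown sender, appeals to urgency, a request for your password) can be turned into a simple triage check that runs over a raw email before anyone clicks anything. The following is an added example written for this post, not code from the original article or from Cofense; the indicator names, the keyword lists, the "known senders" allowlist and both sample messages are constructed for illustration. It parses an RFC 5322 message with Python's standard library and reports which of the post's indicators it finds, including one the post's examples illustrate visually: link text that shows one domain while the actual href points to another.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

# Indicator keyword lists (constructed for this example; tune for your environment).
URGENCY_TERMS = ("urgent", "immediately", "within 24 hours", "suspended", "act now")
CREDENTIAL_TERMS = ("password", "verify your account", "confirm your login", "credentials")

# Anchor tags in an HTML body, capturing the real target and the displayed text.
LINK_RE = re.compile(r'<a\s+[^>]*href="(?P<href>[^"]+)"[^>]*>(?P<text>.*?)</a>', re.I | re.S)
# Host portion of a URL.
DOMAIN_RE = re.compile(r"https?://([^/\s\"'>]+)", re.I)


def domain_of(addr: str) -> str:
    """Return the lowercase domain of an address header value ('' if none)."""
    _, address = parseaddr(str(addr or ""))
    return address.rsplit("@", 1)[-1].lower() if "@" in address else ""


def triage(raw: str, known_senders: set[str]) -> list[str]:
    """Return the phishing indicators found in one raw email message.

    known_senders is a constructed allowlist of domains the recipient already
    has a relationship with; anything else is flagged as an unknown sender.
    """
    msg = message_from_string(raw, policy=policy.default)
    findings = []

    from_domain = domain_of(msg.get("From", ""))
    if from_domain not in known_senders:
        findings.append("unknown-sender")

    # A Reply-To that routes answers to a different domain than the sender.
    reply_domain = domain_of(msg.get("Reply-To", ""))
    if reply_domain and reply_domain != from_domain:
        findings.append("reply-to-mismatch")

    body_part = msg.get_body(preferencelist=("html", "plain"))
    body = body_part.get_content() if body_part else ""
    text = (str(msg.get("Subject", "")) + " " + body).lower()

    if any(term in text for term in URGENCY_TERMS):
        findings.append("urgency")
    if any(term in text for term in CREDENTIAL_TERMS):
        findings.append("credential-request")

    # Displayed link text names one host while the href goes somewhere else.
    for match in LINK_RE.finditer(body):
        href_dom = DOMAIN_RE.search(match.group("href"))
        text_dom = DOMAIN_RE.search(match.group("text"))
        if href_dom and text_dom and href_dom.group(1).lower() != text_dom.group(1).lower():
            findings.append("link-text-mismatch")
            break
    return findings


# Constructed sample: a credential-harvesting lure with every indicator present.
PHISHING_SAMPLE = """\
From: "Account Security" <alerts@examplebank-login.test>
Reply-To: recover@mailer.example.net
To: user@example.com
Subject: URGENT: your account will be suspended within 24 hours
Content-Type: text/html; charset="utf-8"

<p>We noticed unusual activity. Please verify your account and re-enter your
password at <a href="http://examplebank-login.test/verify">https://www.examplebank.test/secure</a>.</p>
"""

# Constructed sample: an opted-in newsletter from a known sender.
NEWSLETTER_SAMPLE = """\
From: "Weekly Digest" <news@example-shop.test>
To: user@example.com
Subject: This week's new arrivals
Content-Type: text/html; charset="utf-8"

<p>Thanks for subscribing. Browse the new arrivals at
<a href="https://www.example-shop.test/new">https://www.example-shop.test/new</a>.
<a href="https://www.example-shop.test/unsubscribe">Unsubscribe</a></p>
"""

KNOWN_SENDERS = {"example-shop.test"}

if __name__ == "__main__":
    print("phishing sample:", triage(PHISHING_SAMPLE, KNOWN_SENDERS))
    print("newsletter sample:", triage(NEWSLETTER_SAMPLE, KNOWN_SENDERS))
```

Keyword matching like this is deliberately crude: it is the kind of first-pass check a mail gateway or a help-desk analyst might apply to decide what deserves a closer look, and a message that trips several indicators at once (unknown sender plus urgency plus a credential request) is far more suspicious than one that trips a single one.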

Spam

In comparison to the malicious intent of phishing attacks, spam–which is any unsolicited bulk electronic message sent for the promotion of a commercial product, service, or website content–is more annoying than anything. According to Malwarebytes, spam is “any kind of unwanted, unsolicited digital communication, often an email, that gets sent out in bulk.”

Main Goal: To promote the sale (or share) of products or services

The intent of these emails is for lots of people to receive the communication and buy the product, visit the website, or share the message with others.

Topics that might appear in spam emails include:

  • Prayer chain forwards

Methods of Malice: Unsolicited, bulk commercial email that tries to get consumers to click and buy

Phishing emails are usually very sophisticated, but spam emails aren’t so meticulous. Since spam is unsolicited junk email sent to massive numbers of people, it doesn’t receive the same attention to detail and isn’t typically targeted.

Key Indicators: What you should watch out for

  • Too good to be true — Spam emails appeal to people’s wants and needs. They typically promise to sell you something that feels too good to be true, but usually in a commercial sense rather than as an attempt to extract information.

Examples: Below are some recent spam examples pulled from one of my old email addresses

The first one has all the classics: it’s sent from an email contact I don’t know and/or didn’t sign up for, the messaging has that “too good to be true” feeling–yes, of course, I’d love to magically get rid of all my aches and pains!–and it incorporates some push for me to click and buy.

If you have as horrible a sense of humor as me, you may find this next example to be at least mildly funny. As you can see, everything about the email–the sender, the content, the various enticing links–smells a little bit funky…

Marketing

Email marketing is an effective way to help businesses and organizations reach their audience or customers. The main difference between email marketing and spam is that spam is unsolicited.

Email marketing differentiates itself from spam by following certain guidelines, including:

  • Getting permission–an opt-in or subscription–from the receiver. Approval is required to be part of the database.

Email marketers also have legal frameworks they must abide by, including the FTC-enforced CAN-SPAM Act, which set them apart from spam.

Conclusion

Overall, there are a variety of key differences to be aware of when it comes to the dangers of phishing versus spam including:

Hopefully this blog post helps you better understand what you should be on the lookout for in your inbox. Stay safe and secure out there, everyone!

Just a bunch of infosec nerds with a knack for Splunk. Comic book and Nerf gun fanatics.
