Spam vs. phishing: What are the differences?

What is spam?

Types of spam

Spam comes in many forms, each of which has individual characteristics and intended outcomes. Some of the most common types of spam are:

• Email spam. This is the oldest and most recognized form of spam — unsolicited emails sent to a large number of recipients.
• Social media spam. Social media spammers create accounts where they post endless content promoting products, services, or scams. They also use those accounts to send messages, write comments, and post on other people’s accounts.
• SMS spam. It’s similar in nature to email spam — text spammers send massive amounts of text messages to all phone numbers they can find without the users’ consent.
• Comment spam. Endless comments posted on websites, blogs, forums, and YouTube videos, usually irrelevant to the discussion, are called comment spam.

What is phishing?

Phishing is an online scam used to trick people into giving away sensitive personal information, get them to transfer money, or distribute malware that can be used for further attacks. Phishing attacks come in many forms and mediums — they can be voice messages (referred to as “vishing”), text messages (called “smishing”), emails, online comments, and even paper letters. No matter how it reaches you, phishing is always bad actors’ attempts to trick you into taking a particular action by sending messages that look like they come from a legitimate source. Phishing has been around since the early days of the internet, and it remains the most widespread form of cyberattack.

Phishing tactics and examples

Phishing scams continuously evolve and become more sophisticated and harder to detect as technology advances. Luckily, researchers are able to use the same technology to update security software and help internet users stay safe online. However, never rely on security software too much — when it comes to phishing, you should remain vigilant yourself. Phishing scams usually try to trigger people’s emotions, which clouds their judgment. When you get very scared, angry, or sad, you might forget to take a step back and evaluate the situation from a logical standpoint.

Take a look at some common phishing strategies used by bad actors:

• Spear phishing. It targets individuals or organizations with tailored messages that seem legitimate because they contain specific information that is relevant to the target. For example, attackers find out what kind of software your company uses for managing human resources. Then the criminals send out a phishing email that looks like it came from the software, asking you to update your password because of a security risk. You click the link, enter the fake website, enter your credentials, and “change” them to new ones. In reality, the attackers now have your work email address and password.
• Whaling. It is a form of phishing targeting high-profile individuals, like senior executives. The attackers often spend considerable time crafting a highly personalized attack, sending out invoices and asking for confirmation, or pretending to represent a legal entity.
• Smishing and vishing. It’s using SMS messages (smishing) and voice calls (vishing) to trick you into divulging personal information. A popular example of smishing is fake texts warning you about a package that was undeliverable. It asks you to click the link and pay the delivery fee or customs tax to get your package delivered. It’s safe to say there is no package and you would be throwing your money away.
• Clone phishing. It’s an umbrella term for phishing attacks that involve creating a nearly identical replica of a legitimate message, profile, or website and using it to distribute malware or steal credentials.
• Angler phishing. It specifically targets internet users through social media platforms. Cybercriminals create fake customer service accounts that seemingly belong to well-known companies to intercept and respond to complaints or queries posted online. Attackers offer assistance to resolve users’ issues by redirecting them to malicious websites or tricking them into giving away personal information, login credentials, or financial details.

How do spam and phishing work?

Phishing has evolved significantly over time, and while you might think that most spam has remained more or less the same since the beginning of the internet, it too saw some changes.

Initially, phishing attempts were relatively easy to spot, thanks to their poor grammar, implausible claims, and generic greetings. However, since users have become more tech savvy, so have the tactics used by cybercriminals. Modern phishing scams can convincingly replicate emails, websites, and even call centers of banks, government agencies, or popular online services. Similarly, spammers are no longer only concerned about bypassing email filters — today, they can mimic legitimate marketing emails to a T.

The technology driving spam and phishing has also advanced. Bots and automated systems can now send out spam at an unprecedented scale. Phishing kits available on the dark web allow even inexperienced cybercriminals to launch sophisticated phishing campaigns.

Advanced phishing scams

In recent years, we have seen an uptick in the sophistication of phishing scams. Thanks to AI and machine learning algorithms, attackers can now analyze a user’s online behavior and tailor phishing messages that are incredibly personalized and compelling. The deepfake technology is even more concerning. It allows attackers to create realistic video or audio recordings of individuals, like your company CEO, a popular actress, or a government official. These can be used both for phishing attacks or as a sort of self-distributing spam, where internet users send the videos to each other themselves, not realizing they are fake.

However, the most effective scams are always those that rely on people’s emotions, particularly fear. A good example of this type of scam appeared during the Covid-19 pandemic. In the beginning of the pandemic, cybercriminals launched a slew of phishing attacks leveraging the widespread fear and uncertainty people felt. These included emails that were designed to look like they were from state health organizations offering information about the virus or early vaccine access, only to install malware on victims’ devices or steal personal information stored there. Why was it so effective? People were scared, desperate for a solution, and easily riled up and influenced. Most importantly — the attackers never had to pick their targets because everybody in the world was affected by the pandemic.

Difference between spam and phishing

Understanding the distinction between spam and phishing will help improve your digital hygiene. While both are unwanted and potentially harmful, their objectives, methods, and impacts vary significantly. Here are the main differences between spam and phishing:

Objective

• Spam is primarily aimed at advertising. It is sent in bulk to promote products and services or spread malware without specifically targeting the recipient’s personal information.
• Phishing is designed to steal money or sensitive information. It targets individuals or organizations with the intent of tricking them into revealing personal details, financial information, or login credentials.

Content

• Spam content is usually promotional and meant to advertise legitimate products or services, but it can also include scams.
• Phishing messages mimic those from legitimate sources, like banks or reputable companies, and often create a sense of urgency or rely on fear to encourage the recipient to take immediate action.

Targeting

• Spam targets large numbers of email addresses or phone numbers without any personalization.
• Phishing attacks are more targeted and often personalized to the recipient to increase the likelihood of success. Advanced tactics like spear phishing or whaling specifically target individuals or organizations with highly tailored messages.

Detection and prevention

• Spam can be stopped with email filters that recognize and block content based on certain criteria.
• Phishing requires more sophisticated detection techniques because these messages often bypass traditional spam filters by appearing to be from legitimate sources. Users must be vigilant and able to recognize phishing tactics to avoid these threats.

Consequences

• Spam can clutter inboxes and waste time, but it typically doesn’t result in direct financial loss or identity theft, unless it involves malicious software.
• Phishing poses a significant risk of financial loss, identity theft, and reputational damage, making it a more severe threat to both individuals and organizations.

How to spot and prevent spam and phishing threats

In the face of increasingly sophisticated spam and phishing attempts, staying informed and vigilant is extremely important. Here are detailed tips for identifying and preventing these threats.

Spotting spam and phishing

Spotting spam or phishing attacks is not difficult if you know what to look for:

• Examine the sender’s information: Check the sender’s email address or phone number for slight changes. Phishing attempts often mimic legitimate addresses by using “rn” instead of “m,” or uppercase “I” instead of lowercase “l.” You can check the spelling by copying the text and changing the font to see the difference.
• Look for generic greetings: Phishing and spam emails may use generic phrases like “Dear customer” instead of your name.
• Check for spelling and grammar mistakes: While not as common in more sophisticated attacks, poor spelling and grammar can be a telltale sign of spam or phishing.
• Be wary of unexpected attachments or links: Anything that is not plain text in an email can contain malware. Links are particularly dangerous — URL phishing is the most common type of phishing. Use a URL checker tool to see if the links are safe before clicking.
• Be suspicious of urgency: Phishing attempts often create a sense of urgency, pressuring you to take quick action to avoid negative consequences.
• Ignore requests for personal information: Real government organizations or service providers do not ask for sensitive information via email or text message.

Preventing spam and phishing attacks

Cybersecurity education and general knowledge of how the internet and the tech you use works are the best ways to ensure you’re safe online. The same goes for businesses and government agencies — regular training sessions, updated security protocols, and informed users will help create an environment where these scams are no longer a massive threat.

Here are some more actions you can take to prevent spam and phishing:

• Use spam filters. Most major email providers have their own spam filter in place, but you can set up your own to help sift out potential spam messages. You can also block the emails manually.
• Block the spammers. Go to your phone’s settings and block the numbers that are sending you spam text messages.
• Be careful with your email. Just because a website wants to have it, it doesn’t mean you should provide your main email address. It’s best to have a second email address that you use to sign up for websites, apps, or services. If that email address gets sold or leaked, your main inbox won’t be stuffed with spam.
• Verify requests. If an email or message asks you for sensitive information or to make a bank transfer, verify the request by contacting the company or the person directly through other channels.
• Use security software. Enable NordVPN’s Threat Protection feature to make your browsing safer. It will block your access to malicious websites, scan the files you’re downloading, and delete them if malware is found.