The Difference Between the Phish and the Spam

When discussing email security, the terms spam and phishing often get used interchangeably. There is good reason for this: both are unwanted email, and the same bulk-mailing tactics can be used to deliver either in mass quantities.

These traits, combined with the obvious fact that both are email-borne threats, make it easy to lump the two together. However, as email-borne attacks grow more sophisticated and more damaging, it is important to understand the difference between the two and end the confusion.


Spam is a junk email message whose purpose is to earn money for the sender. Popular spam messages advertise pharmaceuticals, herbal supplements, low mortgage rates, etc. The spammer usually earns money in one of two ways: a pay-per-click model or affiliate marketing.

The pay-per-click model is the ideal one for the spammer, because they are paid every time someone clicks one of their links. Nothing needs to be bought and no information needs to be handed over; as long as the recipient clicks the link and visits the page behind it, money is earned.

Affiliate marketing, on the other hand, pays out a percentage of a sale, or pays when the recipient joins a marketing list and gives up their information as a sales lead. Spammers send thousands of emails advertising different products or services in the hope that enough people will buy.

But wait a minute, aren't these the same methods millions of legitimate web sites use to make money? Absolutely, but the main difference is that legitimate web sites promote legitimate companies. Spammers often promote shady companies that offer no customer service and no hope of receiving an actual product.

Spammers may also promote legitimate companies, products and services. Often those guilty of this bought an email list and thought it was a great way to get the word out. They soon find themselves on every DNS block list (DNSBL) in existence and realize that this was not a good marketing technique.


Phishing is the practice of luring a recipient into doing one of three things:

  • Clicking on a link that takes the recipient to a malicious web page that will infect their computer with malware
  • Downloading malware that is sent as a file attachment with the email message
  • Being tricked into divulging confidential or sensitive information

The malware that infects the victim's computer is usually designed to capture username and password combinations, steal financial information, or open a backdoor so the attacker can get back in at will, or even enroll the computer as a "zombie" in a botnet under the attacker's control.
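The three lures above are also the three things a mail gateway can look for before a message reaches an inbox. The following is an added example, not code from the original article, that triages a raw message for each lure: a link whose visible text names one site while its href points to another, an attachment with an executable extension, and a body that asks for credentials. The sample messages, addresses and domains are constructed for illustration, and the extension and phrase lists are assumptions standing in for a real gateway's rule set. The spam-like sample at the end shows the distinction the article draws: unwanted mail that trips none of the three indicators.

```python
"""Triage a raw RFC 5322 message for the three phishing lures.

Added example; the sample messages are constructed and the deny lists
below are assumptions, not any vendor's actual rules.
"""
import email
import os
import re
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a small deny list of attachment types that run when opened.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta", ".jar", ".ps1"}
# Assumption: phrases typical of credential-harvesting lures.
CREDENTIAL_PHRASES = ("verify your account", "confirm your password",
                      "update your billing", "log in to your account")
# Visible link text that itself looks like a URL or bare host name.
LOOKS_LIKE_URL = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(url: str) -> str:
    """Last two labels of the host. Assumption: no public-suffix list, so
    hosts under suffixes like co.uk are only approximated."""
    if "://" not in url:
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return ".".join(host.strip(".").split(".")[-2:])


def triage(raw_message: bytes) -> dict:
    """Return the indicators found for each of the three lures."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = {"deceptive_links": [], "executable_attachments": [], "credential_request": False}
    text_chunks = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename:  # attachments are not body text; check the extension only
            if os.path.splitext(filename)[1].lower() in EXECUTABLE_EXTENSIONS:
                findings["executable_attachments"].append(filename)  # lure 2
            continue
        ctype = part.get_content_type()
        if ctype == "text/html":
            html = part.get_content()
            extractor = _LinkExtractor()
            extractor.feed(html)
            for href, text in extractor.links:
                # Lure 1: the text shows one site, the href goes to another.
                if LOOKS_LIKE_URL.match(text) and registrable_domain(text) != registrable_domain(href):
                    findings["deceptive_links"].append({"shown": text, "href": href})
            text_chunks.append(re.sub(r"<[^>]+>", " ", html))
        elif ctype == "text/plain":
            text_chunks.append(part.get_content())
    body = " ".join(text_chunks).lower()
    findings["credential_request"] = any(p in body for p in CREDENTIAL_PHRASES)  # lure 3
    return findings


def classify(raw_message: bytes) -> str:
    f = triage(raw_message)
    hit = f["deceptive_links"] or f["executable_attachments"] or f["credential_request"]
    return "phish" if hit else "not phish"


def build_phish_sample() -> bytes:
    """Constructed message that trips all three lures (not a real attack)."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "Security Team <alerts@example-bank.com>", "victim@example.org"
    msg["Subject"] = "Action required: verify your account"
    msg.set_content("Please verify your account within 24 hours.")
    msg.add_alternative('<p>Please visit <a href="http://example-bank.com.example-login.net/verify">'
                        'www.example-bank.com</a> to verify your account.</p>', subtype="html")
    msg.add_attachment(b"MZ\x90\x00", maintype="application", subtype="octet-stream",
                       filename="statement.pdf.exe")
    return msg.as_bytes()


def build_spam_sample() -> bytes:
    """Constructed advertising message: unwanted, but none of the three lures."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "deals@example-shop.net", "victim@example.org"
    msg["Subject"] = "Huge discount on herbal supplements"
    msg.set_content("Save 80% today.")
    msg.add_alternative('<p>Buy now: <a href="https://example-shop.net/deal">'
                        'https://example-shop.net/deal</a></p>', subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    print("phish sample:", classify(build_phish_sample()), triage(build_phish_sample()))
    print("spam sample: ", classify(build_spam_sample()))
```

The link check compares registrable domains rather than full hosts so that `www.example-bank.com` shown as text is allowed to point at `login.example-bank.com`, but not at a look-alike host whose real domain is someone else's; a production gateway would replace the two-label approximation with a public suffix list.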

Whatever the method used to phish a victim, the results can be devastating to the victim’s personal life or the organization that they work for.

The differences

Spam is annoying, and it does cost money for the people who fall for it. Many who buy something advertised in spam find that the product is worthless or never arrives. But the significant costs add up for businesses: millions are lost every year in productivity as users are forced to deal with spam, and in resources as storage space and bandwidth are consumed by unwanted email.

Phishing is much more problematic. It has been reported that 91% of advanced persistent threat (APT) intrusions involved phishing. Somewhere along the line, someone fell for a phishing email and gave up enough to let the attackers in.

Phishing relies on two different delivery methods. The first is traditional spam: thousands of emails are sent to arbitrary inboxes in the hope that someone takes the bait. These are dangerous, but are more often aimed at consumers.

Businesses are more susceptible to the second method, the spear phish. Spear phishing involves more reconnaissance on the attacker's part. They may study a particular organization and find out who holds a certain level of management. From there, they craft an email tailored to those people and send it to everyone they have identified, in the hope that one or more are tricked into giving up the goods.

Either threat, spam or phish, represents a serious problem that needs to be addressed by individuals and businesses alike.

Written by Jeff


  1. Timothy Michaels · December 11, 2012

    Yes, I think phishing is scarier than spamming because of the ulterior motives. I prefer to receive tons of spam than to deal with one or two phishing e-mails, especially since the latter are becoming craftier. Sometimes it's hard for me to determine if they're fake, and I really have to check Google to see if I can find any information that will help me decide. If I can't, then I delete them. So there's a good chance that I've thrown away some important mails. To make things worse, e-mail platforms can't really detect phishing mails, so most of them still end up in the inbox.

  2. Lisa S. · December 11, 2012

    Spam is the more harmless variety, while phishing involves fraud of some kind. I think this is the easiest way to distinguish which is which.

  3. Arnold · December 16, 2012

    You are correct, Lisa. Though both are annoying and risky, phishing sounds more dangerous. Have you read the latest statistics? Spam is already decreasing because phishing is on the rise! So yeah, there will come a time when most of what we receive through e-mail is no longer the "harmless" type but the more aggressive and harmful kind. We'll get mails from our bank, credit card company, and other legitimate businesses only to realize they were fake in the first place. Well, the rise of phishing only proves one thing: scammers are becoming craftier by the day.

  4. Carter May · December 19, 2012

    You know, this is hard because it feels like I have to choose between two evils. Of course, I would say that I would prefer spam over phishing, but the ideal would be the prevention or elimination of both. It's also frustrating to think that because there are other, more serious threats out there, spam will not be given a lot of attention. I'd say everyone who's involved should work extremely hard to put a stop to it or develop stronger and more long-term solutions. Otherwise, before we know it, there will be something more sinister than phishing, and we'll be willing to settle for being phished.

  5. Easter Gray · January 2, 2013

    I don’t like to differentiate the two, simply because I don’t want to label one as less harmful than the other. Both of them are unwanted since they cost money, and they make anyone more prone to identity theft. And I think those who are in charge of finding the ways and means to end or curb IT threats should also stop making the difference and work on killing both. Otherwise, if one of them takes a backseat, then it’s like giving it the momentum to develop into a system that is much harder to beat.
