56.51% of all emails are spam (Kaspersky), and 65% of U.S. organizations faced successful phishing attacks in 2019 (Proofpoint)! But are they different? Let’s explore spam vs phishing in laymen’s terms!
Spam vs phishing — although people use the words “spam” and “phishing” interchangeably, the terms have related but different meanings. They’re both terms that describe pesky, unsolicited communications that try to manipulate targets into doing something. This could be providing some type of information about yourself — personal info, login credentials, etc. — or engaging with a malicious link or file.
But what is the meaning of spam and what does phishing mean? In this article, we’ll talk about spam vs phishing in detail. We’ll also explore the difference between spam and phishing in terms of email, phone calls, and text messages.
Spam vs Phishing: Origins and Meanings of the Terms
What Is Spam?
Any unsolicited or unwanted commercial message is generally considered spam. According to Digital Trends, the term “spam” itself is thought to date back to the 1980s in reference to a Monty Python skit that referenced the canned meat Spam. Research by Brad Templeton (founder of the world’s first internet-based business) shows that the term “spam” means “something that keeps repeating and repeating to great annoyance.”
The purpose of a spam is to inundate as many people as possible with messages that market and publicize products and services. It’s basically the digital equivalent of all of those junk mail envelopes and postcards that the mail person delivers to your home’s mailbox. IBM’s X-Force Threat Intelligence Index 2020 report describes spam as a numbers game: “with sufficient volume, even a small success rate is enough to generate value for threat actors.”
Basically, if you send out enough emails, someone, somewhere will eventually buy into the scams. This is why spam messages aren’t targeted and reach out to the masses. There are three common ways scammers use spam:
- Email messages,
- Phone calls (telemarketing and robo calls), and
- SMS phishing messages (text messages).
Although spam isn’t necessarily as dangerous as phishing, users still need to beware when it comes to these messages. They frequently try to get you to provide personal information that they can use in future spam attempts. And, sometimes, they can be malicious in nature (although it’s less frequent than phishing emails).
What Is Phishing?
Phishing is a way for scammers and cybercriminals to impersonate a legal entity or to use other methods to defraud their targets. Phishing messages are typically more dangerous than spam because they’re designed to look legitimate but have the intention of hurting, manipulating, or tricking people into doing something they normally wouldn’t or shouldn’t. Hence, when we talk about spam vs phishing, the difference lies between the sender’s intentions and the messages’ contents.
The goal of phishing emails is to get users to share information, click on links, or engage with malicious attachments. With the links, they’ll try to steal your credentials or get you to download malicious software inadvertently. With the attachments, they’ll also try to get you to install malware. Either way, it’s bad news for you.
The most common types of phishing include
- Phishing emails (including whale phishing, spear phishing),
- Phone calls (vishing),
- SMS (smishing),
- Wi-Fi port phishing (evil twin),
- HTTPS Phishing and
- Angler phishing (cloning social media posts and profiles).
Spam vs Phishing in Emails
Emails are the most popular spamming and phishing techniques. And that’s why we are going to talk about how you can differentiate spam emails from phishing emails.
What Is Spam in the Context of Email?
Any electronic messages sent out for the commercial advertisement or promotion of the product, service, or website content are considered spam. Email spamming is a legal activity under the Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, which is known as the CAN-SPAM act.
These are some key CAN-SPAM rules that the sender must comply with:
- Email must have an active and visible unsubscribe link or button. The sender gets 10 days to act on the unfollow request and to cease emailing the recipient.
- Sender’s email address must be accurate. The “from” line not misleading and the subject of the message must be relevant to the body of the message.
- Sender’s physical address must be mentioned. A physical address (or P.O. Box number) of the sender (company, individual sender, advertiser, or the third-party marketing agency) must be present in the email.
- Recipients must be warned if the email has adult content. If the content is adult in nature, it must be labeled as “SEXUALLY EXPLICIT.”
- Sender should send email from multiple email addresses. The sender should not send spam messages to the same recipient from different email addresses.
- Emails must not contain malware: The spam messages must not contain malware (viruses, worms, trojan horses, etc.) or redirect users to malicious websites.
When companies send emails to the current customers or to the business leads (people who have inquired about products/services) for follow up, feedback, suggestions, or any other type of communications, such messages are also not considered to be spam. These messages are classified as relationship messages under CAN-SPAM. Even political and religious emails are also except from the SMAP’s definition in CAN-SPAM.
Spam emails are not harmful in nature. They’re just unwanted and occupy unnecessary space in your inbox. But SPAM emails are known for capitalizing on security vulnerabilities; hackers can exploit to break into the recipient’s email client and spread the malware or phishing emails. For example, according to IBM’s X-Force Threat Intelligence Index 2020 report, security vulnerabilities named CVEs 2017-0199 and 2017-11882 have accounted for “nearly 90 percent of the vulnerabilities hackers attempted to exploit via spam campaigns.”
Spam is all about the numbers. When you hit enough people with your spam messages, even minimal success rates pay off in the long run.
Most of the email clients automatically detect spam emails and dump them in the spam/junk folder. All the attachments and images are also blocked in such an email. But if you’re still getting unwanted spam emails in your inbox, you can unsubscribe from them. (Just be careful to check the unsubscribe link first to ensure it’s not a phishing or malicious link.) Also, you can right-click on the email in your inbox to move it to the spam folder. You can also block the sender.
Here’s an example of a typical spam email:
This is a spam email I got from a logo designing website. The content in the subject line matches the content of the email. You can also see the email has an unsubscribed tab and the physical address of the company. That means it is a spam email that is following all the SPAM-CAN’s guidelines.
What Is Phishing in the Context of Email?
Scammers send phishing emails posing as a company or person that the recipients trust. These emails are deceptive in nature. Phishing emails are crafted in a way that they look like coming from your bank, ecommerce site, university, government, employer, relatives, or colleagues. 96% of phishing attacks occur via email, Verizon’s 2020 Data Breach Investigations Report (DBIR) shows.
These emails might contain malware-laden attachments, malicious links, or redirects to spammy websites. Sometimes the attackers try to trigger an emotional response from the recipients and indulge in sharing their confidential information such as:
- Payment card numbers,
- Phone numbers,
- Physical address,
- Social security number (SSN),
- Tax-related information, and
- Health information
The general motives behind phishing emails include:
- Financial fraud,
- Identity theft,
- Login credentials theft,
- Spreading malware (worms, viruses, trojans, rootkits, adware, etc.), and
- Redirecting recipients to malicious websites.
Below is an example of a typical phishing email. The email looks like coming from PayPal, but if you check the sender’s email address carefully, you would see that it is coming from a scam artist, and the benign-looking PDF attachment might contain dangerous malware.
Many U.S. states have different laws for phishing. There is no federal law that directly criminalizes phishing, but the federal criminal laws apply to financial fraud and identity theft crimes done via phishing.
The Difference Between Spam and Phishing Emails
To help you better understand the difference between spam and phishing, we thought it might be useful to see them laid out side by side in table.
|Purpose||To promote and market products and services||To defraud recipients|
|Nature||Unwanted commercial emails that are typically benign in nature but can sometimes be malicious||Misleading messages that appear to come from legit entities but are designed to be malicious in nature.|
|Contain||Product/service advertisements, coupon codes, deals, discounts, inquiry or survey forms||Malware-loaded attachments, infected links, links that redirect to spammy websites, deceptive messages that make recipients share their PII/financial information|
|Legislation||The U.S. Non-Solicited Pornography and Marketing Act of 2003 For other countries: Anti-Spam laws||Various state laws, the U.S. federal criminal law|
Spam vs Phishing: Voice Messages and Phone Calls
Perpetrators use phone calls to spam and phish targets.
If you receive an unsolicited phone call for marketing purposes, especially from a company you’ve never dealt with before, it can be categorized as a spam call. The definition of marketing calls and spam calls can be blurred.
For example, if you suddenly get a phone call to apply for a credit card from a card company you never dealt with before, it is considered to be a spam call. But if someone calls you to sell the new card or insurance policies from the bank you already have an account with, it’s considered a mere marketing call to sell additional products. In the U.S., the Telephone Consumer Protection Act (TCPA) and the Federal Communications Commission (FCC) place restrictions on spam calls and telemarketing messages.
Voice Phishing (Vishing)
When the perpetrators make phone calls impersonating someone else with the purpose of defrauding you, it is known as voice phishing or vishing. For example, a cheater calls you posing as a bank manager and asking you to provide the last four digits of your social security number and some other personal details to send you a new credit card.
Sometimes, attackers use a leaked database or utilize their social engineering skills to do a little research about the potential victims before calling. For example, they call college students impersonating as a bank employee who handles student loans or a representative from the state/federal student aid department that wants more information regarding their scholarship application. In short, instead of cold calling random numbers, scammers make a phone call understanding their target audience so that they sound legit to the potential victims.
Spam vs Phishing: Text Messaging
There are websites and tools available these days that can send bulk text messages at unbelievably low costs. That’s why spammers and phishing scammers love to send their messages via text messages, too! You’re able to reach users on their cell phones wherever they are.
Spam Text Messages
When companies send unsolicited bulk text messages for commercial, non-malicious purposes, they’re known as spam text messages or spam SMS messages. These messages may contain product information, details of special deals/discounts, offers, schemes, coupon codes, etc. They might also have links to the product/service website.
Some spam SMS texts are sent as a survey to gain more information about potential customers. The purpose of such text messages can be selling a product or service, branding, collecting more information (such as demographics, buying habits, purchasing power, like/preferences, etc.) of the recipients. Text spamming is also covered under The Telephone Consumer Protection Act (TCPA).
SMS Phishing (Smishing)
Here, scammers send text messages while impersonating legitimate organizations. The nature and purpose of such phishing SMS messages are the same as phishing emails — i.e., to defraud the recipients. The attackers try to trick or manipulate you into:
- Sharing your personal or financial information,
- Completing financial transactions,
- Downloading malware-laden attachments, or
- Clicking on the links in the SMS texts that lead you to malicious websites.
Wrapping Up on Spam vs Phishing
The topic of spam vs phishing, or more specifically the difference between spam and phishing, can be confusing. But by now, we can safely assume that you know spam is the annoying yet more benign type of message, whereas phishing facilitates cybercrime. But the fine line between phishing and spam gets blurred when the spammer violates some of the CAN-SPAM’s (or your country’s laws related to SPAM) guidelines. For example, the email’s content or sender’s email address is deceptive in nature, or the email/text messages contain malware (or links to malicious websites).
Spamming can sometimes be so annoying that you feel like changing your phone number or email address! On the other hand, phishing can lead you into becoming a cybercrime victim. So, educate yourself and your employees further about phishing scams and how to recognize them successfully.