Spam or Phish? How to tell the difference between a marketing email and a malicious spam email

September 22, 2018 by Beth Osborne

Virtual crime is a side effect of the convenience of technology. With greater strides in technology making everything from banking to communication faster and easier, cybercriminals are also finding more creative ways to hack and scam. The most prevalent form of digital crime is currently phishing.

Phishing versus Spamming

Phishing emails are a huge threat to any network. Many phishing emails do their best to disguise themselves as a communication from a legitimate company. Many recipients have become savvy to this type of phishing; however, it’s not the only way that cybercriminals attempt to attack via the inbox.


Spam is something the average email user sees every day. In fact, over 48% of all email is spam. Spam is really electronic junk mail. Inboxes are inundated daily with offers and content you never requested. It can be annoying, and most email setups relegate this to the junk folder.

Many times, these emails make it into the main inbox. Spam emails have common themes: the promise of something too good to be true. While many of these are scams and the person sending them is attempting to swindle the recipient, spam emails aren’t phishing emails.

Phishing and spam share the common characteristic of being something you didn’t want, but there are critical differences that make phishing emails malicious. Behind every phishing message is a cybercriminal trying to trick the recipient into revealing personal information. Thus, it’s important for everyone to know the difference between a marketing email and a malicious spam email. Remember: identifying probable phishing scams and reporting those can also be a huge help in keeping the network secure.

Let’s look at how to spot one from the other so that you don’t make the mistake of clicking on a dangerous link.

Major differences between Phishing and Spamming

While phishing and spam emails can often look the same and use similar language, the biggest difference is in what the sender seeks. Spam is the flooding of the Internet with the same message sent to millions. The majority of spam is commercial advertising for products that might seem rather suspicious. Spammers want you to buy their dubious wares, access their dubious sites, or just forward their message to others.

Phishing emails want your information — your usernames, passwords, credit card details and more. Phishing emails are also usually more personalized and may seem to have some relevance. It might be from a credit card you recently opened or an organization you’ve donated to before.

It’s important to remember that phishing emails can have many different goals. A phishing email could be an attempt to hack a network or infect it with malware. Phishing emails, especially spearphishing, are attempting to acquire sensitive information: spam emails do not. That is the major difference between the two.

Phishing emails are also targeted to a person. The email likely has a salutation with the person’s name. Spam isn’t this personal; it’s broader. In fact, you may find that your email address is only in the BCC field. This is, of course, a sure sign that it’s spam.

A sense of urgency is one tell-tale sign of phishing. Language like “only the first 50 respondents” or “offer ends tomorrow” will be found in the message. Spam doesn’t typically have a timetable.

Ransomware and Phishing

Ransomware is the latest trend in phishing attacks. Its growth has been substantial, with 93% of all phishing emails being infected with ransomware. The rapid increase is due to the fact that ransomware is becoming easier to send and offers a quick return on investment.

One recent example is CryptoLocker, which used fake emails from police about traffic violations. If victims clicked the link, ransomware was immediately downloaded to the device. A current backup would make the ransom demand moot, but many victims don’t have one. The best way to deal with ransomware is to avoid it, and that requires educating users so they don’t fall victim to these scams.

Spam and Spoofing

Spam, however, isn’t always innocent. It gets more complicated when someone else receives a spam message that looks as though it’s coming from you. Spoofing sender names is common and easy to do. Unfortunately, there isn’t anything you can do about it, as it’s a tactic to get a user interested enough to click and open the message.

Domain names can be spoofed as well, so that the message appears to come from the real email address. What organizations can do to limit the chance of these spoofed messages reaching an inbox is to have their mail servers identify them. It won’t stop the spoofing, but it should prevent someone from trusting the message and clicking on it.

It’s all about the click

Phishing emails want you to click a malicious link. That link could then unleash malware or gain control over your computer or network. Spam links go to real websites trying to sell you something.

Some phishing emails take on the look of spam. Not all spam is dangerous. Most of it is just a nuisance that gets caught in your junk folder. These emails do get opened and clicked. But how can you tell which links are dangerous?

How Phishing emails stand out among spam

Consider these phishing email attributes:

Statements that you’ve won something like a gift card, a notice from a state agency, or a company stating there are funds in your name are red flags. These types of phishing emails try to bait you into clicking to claim the money, then begin asking you for personal information.

Emails that appear to be from your bank or other legitimate business are becoming more sophisticated than ever. Consider that with social media, cybercriminals can find out a lot about you. They can know your job title from LinkedIn, your travel schedule from Facebook, and so much more — that’s if you turn your settings to public.

If you received an email from a hotel you stayed in the week before, wouldn’t you open it? What if it said it had a receipt attached? That seems legitimate, right? That’s the level of detail that’s happening right now. Spam emails will never be this meticulous. This is why you need to be very cautious of anything you click.

Phishing versus Spamming review

Here is a quick review of what you’ve learned about spam vs. phishing:

  • Phishing is targeted; spam is broad
  • Phishing emails want your personal information; spam is unwanted advertisements
  • Phishing emails carry malicious links; spam links most of the time go to a legitimate website
  • Phishing has a sense of urgency; spam usually does not
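As an added illustration that is not part of the original article, the review points above turned into a small triage function that checks a raw message for the tells the article describes (recipient missing from To, a salutation using your name, urgency language, a spoofed display name). The urgency cue list beyond the two phrases quoted in the article, the scoring thresholds, and every name, address and domain in the two sample messages are assumptions constructed for the demo:

```python
import email
from email.utils import parseaddr

# Urgency cues: the first two are quoted in the article, the rest are assumed extras.
URGENCY_CUES = ("only the first", "offer ends", "within 24 hours", "account will be suspended")

def triage(raw: str, my_address: str, my_name: str) -> dict:
    """Check one raw RFC 5322 message against the article's spam-vs-phish tells."""
    msg = email.message_from_string(raw)  # compat32 policy: headers are plain strings
    display, addr = parseaddr(msg.get("From", ""))
    payload = msg.get_payload(decode=True) if not msg.is_multipart() else b""
    text = payload.decode(msg.get_content_charset() or "utf-8", "replace")
    haystack = (msg.get("Subject", "") + " " + text).lower()
    salutation = (text.strip().splitlines() or [""])[0].lower()
    # Spoofing tell: the display name is itself an address at a different domain.
    spoofed_name = ("@" in display and
                    display.rsplit("@", 1)[1].lower() != addr.rsplit("@", 1)[-1].lower())
    tells = {
        # Spam tell: you are missing from To, i.e. you were only in BCC.
        "not_in_to": my_address.lower() not in msg.get("To", "").lower(),
        # Phishing tell: the salutation uses your name.
        "personal_salutation": my_name.lower() in salutation,
        # Phishing tell: deadline or scarcity language.
        "urgency": any(cue in haystack for cue in URGENCY_CUES),
        "spoofed_name": spoofed_name,
    }
    phish_points = sum(tells[k] for k in ("personal_salutation", "urgency", "spoofed_name"))
    if phish_points >= 2:
        verdict = "phishing"
    elif tells["not_in_to"] and not tells["urgency"]:
        verdict = "spam"
    else:
        verdict = "unclear"
    return {"verdict": verdict, **tells}

# Constructed sample messages; every name, address and domain here is made up.
PHISH = """From: "alerts@firstbank.example" <notice@mail-secure.example>
To: Dana Lee <dana.lee@corp.example>
Subject: Verify your account within 24 hours

Dear Dana Lee,
Your account will be suspended unless you confirm your details today.
"""
SPAM = """From: Deals Depot <offers@deals-depot.example>
To: undisclosed-recipients:;
Subject: Miracle pills on sale

Hello friend, visit our store for amazing savings.
"""
```

Calling `triage(PHISH, "dana.lee@corp.example", "Dana Lee")` returns the verdict "phishing" with all three phishing tells set, while the same call on `SPAM` returns "spam" because the recipient is absent from To and no urgency cue appears.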

The best thing your company can do to ensure the safety of its network is to regularly educate employees. Show them examples of phishing versus spam. It’s also a good idea to have a very secure email system so emails, spam or phishing, never even make it into the inbox. If they do, make sure your team is prepared to spot a phish.

Global spam volume as percentage of total email traffic, Statista