When it comes to email communications today, phishing and spam are both unwelcome nuisances in everyone’s inbox. Defending against the different tactics cybercriminals use online takes a variety of security measures, and one of the most important is general awareness.
Even though the words “phishing” and “spam” are often used interchangeably, these terms actually have different meanings. This blog post will help you understand how to differentiate between phishing attacks, spam messages, and marketing emails as well as help you recognize them before they exploit you.
First, let’s talk about phishing. Please note that phishing attack vectors go beyond email, but for the sake of this comparison, I will specifically discuss phishing email attacks.
Phishing is a complex and substantial security risk to both individuals and businesses. Csoonline.com defines phishing as “a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need – a request from their bank, for instance, or a note from someone in their company – and to click a link or download an attachment.”
Phishing emails are malicious: behind every phishing message is a cybercriminal hoping to lure in the victim and trick them into revealing personal information or clicking a malicious link. The main difference between phishing and spam is the intent behind the message.
Main Goal: To acquire personal, sensitive information
When it comes to phishing, malicious actors create deceptive emails with the intent of extracting personal information from an individual or company. That information can then be used for identity theft, financial fraud, and similar crimes.
Examples of the sensitive information at stake include:
- Login credentials
- Payment card numbers
- Phone numbers
- Physical addresses
- Social Security numbers
- Health information
SecurityMetrics has a great blog post that also provides more specific details about the top 10 types of phishing emails; check it out!
Methods of Malice: The malicious actor wants you to click things
Bottom line: check it before you click it. One of the main methods of phishing is tricking a targeted individual into clicking on a malicious attachment or link.
Examples of the “things” you should not click:
- Attachments – An attachment gives an attacker the perfect opportunity to masquerade as something legitimate, but a single click can infect a system with malware (ransomware, worms, viruses, trojans, rootkits, adware, etc.).
- Scam links – A scam link redirects the victim to a lookalike, malicious website, where they are then asked to fill out forms and disclose login details. Such pages are also another means of delivering malware, either through the page itself or through a file it offers for download.
Key Indicators: What you should watch out for
Phishing emails are fraudulent communications disguised as coming from a legitimate, reputable source (e.g., an individual or an entity such as a government institution, state agency, financial company, or charitable organization).
Two key tactics to be aware of:
- Personal, specific, and targeted – These attacks are crafted for a specific individual, so the message is written to seem personal and relevant to the victim.
- Emotion and urgency – Phishing emails are often designed to trigger a sense of high emotion or urgency. By using highly charged or “now or never” language, these emails tap into the kind of social engineering that causes emotion to rise and logic to drop, making it easier to get a person to click.
Examples: Below you will see the breakdown of a few real-world instances of phishing emails
Again, common warning signs might include highly personalized messaging, an unknown sender, appeals to emotions and urgency, bad grammar, and a request for your password.
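As an added example (not part of the original post), the following Python checks a raw email for several of the warning signs described above: a Reply-To domain that differs from the claimed sender, visible link text that points to a lookalike domain, urgency language, and a request for a password. The word lists, scoring and the two sample messages are all constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Indicator patterns follow the warning signs listed above; the word lists are illustrative.
URGENCY = re.compile(r"\b(immediately|within 24 hours|suspended|urgent|act now|final notice)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|verify your account|confirm your login|social security)\b", re.I)
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
URL_IN_TEXT = re.compile(r"https?://[^\s<]+", re.I)

def registered_domain(host: str) -> str:
    """Crude 'example.com' from 'login.example.com' (assumes a one-label public suffix)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def header_domain(msg, name: str) -> str:
    addr = parseaddr(msg.get(name, ""))[1]
    return registered_domain(addr.rsplit("@", 1)[1]) if "@" in addr else ""

def phishing_indicators(raw: str) -> dict:
    """Score a raw email on the indicators the post describes and list the reasons found."""
    msg = message_from_string(raw)
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    reasons = []
    # Replies are routed to a different domain than the one the message claims to come from.
    sender, reply_to = header_domain(msg, "From"), header_domain(msg, "Reply-To")
    if reply_to and reply_to != sender:
        reasons.append(f"Reply-To domain {reply_to} differs from From domain {sender}")
    # Visible link text names one site while the href leads to a lookalike domain.
    for href, text in ANCHOR.findall(body):
        shown = URL_IN_TEXT.search(text)
        if shown and registered_domain(urlparse(shown.group()).hostname or "") \
                != registered_domain(urlparse(href).hostname or ""):
            reasons.append(f"link text {shown.group()} but href {href}")
    if URGENCY.search(body):
        reasons.append("urgency language")
    if CREDENTIALS.search(body):
        reasons.append("requests a password or other sensitive data")
    return {"score": len(reasons), "reasons": reasons}

# Constructed sample messages (not real mail); domains use the reserved .example TLD.
PHISH = """\
From: PayBank Security <alerts@paybank-verify.example>
Reply-To: support@secure-mail-help.example
Content-Type: text/html

<p>Your account will be suspended within 24 hours unless you verify your password at
<a href="http://paybank-verify.example/login">https://www.paybank.example/login</a>.</p>
"""
BENIGN = "From: Alice Smith <alice@example.org>\nContent-Type: text/plain\n\nStill on for lunch tomorrow?\n"
```

Running `phishing_indicators(PHISH)` returns four reasons while the benign note returns none; a real mail gateway would add sender authentication (SPF/DKIM/DMARC) and attachment inspection on top of heuristics like these.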