Phishing, Spam, & Marketing Emails: What’s the Difference?

Published On: March 9th, 2021

When it comes to email communications today, phishing and spam are both unwelcome nuisances in everyone’s inbox. In order to defend against the different tactics cybercriminals are leveraging online, a variety of essential security measures are necessary–one of the most important being general awareness. 

Even though the words “phishing” and “spam” are often used interchangeably, these terms actually have different meanings. This blog post will help you understand how to differentiate between phishing attacks, spam messages, and marketing emails as well as help you recognize them before they exploit you.

First, let’s talk about phishing 

Please note that phishing attack vectors go beyond email, but for the sake of this comparison, I will specifically discuss phishing email attacks. 

Phishing is a complex and substantial security risk to both individuals and businesses. defines phishing as “a cyber attack that uses disguised email as a weapon. The goal is to trick the email recipient into believing that the message is something they want or need–a request from their bank, for instance, or a note from someone in their company–and to click a link or download an attachment.” 

Phishing emails are malicious–behind every phishing message is a cybercriminal hoping to lure in and trick the victim into either revealing personal information or clicking a malicious link. The main difference between phishing and spam is the intent behind the message. 

The Main Goal of Phishing: To acquire personal, sensitive information

When it comes to phishing, malicious actors create deceptive emails with the intent of extracting personal information from an individual or company. The information could be for identity theft, financial fraud, etc. 

Examples of the sensitive information at stake include:
  • Login credentials
  • Payment card numbers
  • Phone numbers
  • Physical address
  • Social security number
  • Health information 

SecurityMetrics has a great blog post that also provides more specific details about the top 10 types of phishing emails–check it out! 

Methods of Malice: The malicious actor wants you to click things

Bottom line, check it before you click it. One of the main methods of phishing is tricking a targeted individual into clicking on a malicious attachment or website.

Examples of the “things” you should not click:
  • Attachments – Attachments provide attackers with the perfect opportunity to masquerade as something legitimate, but upon a simple click they can infect a system with malware (or ransomware, worms, viruses, trojans, rootkits, adware, etc.). 
  • Scam Links – By persuading the victim to click on a scam link–one that redirects them to a lookalike, malicious website–the perpetrator can then ask the person to fill out forms and disclose login details. These web pages are also another means of delivering malware, either through the page itself or through an attachment hosted on it.

Key Indicators: What you should watch out for

Phishing emails are fraudulent communications disguised as a legitimate, reputable source (e.g., individuals or entities such as government institutions, state agencies, financial companies, donation organizations, etc.). 

Two key tactics to be aware of: 
  • Personal, specific, and targeted – These attacks are crafted to target a specific individual. This means they will be written to seem more personal and relevant to the victim.
  • Emotion and urgency – Phishing emails are often designed to trigger a sense of high emotion or urgency. By using highly charged or “now or never” language, these emails tap into the type of social engineering that causes emotion to rise and logic to drop–therefore, making it easier to get a person to click.  

Examples: Below you will see the breakdown of a few real-world instances of phishing emails

Again, common warning signs might include highly personalized messaging, an unknown sender, appeals to emotions and urgency, bad grammar, and a request for your password.

Phishing example images courtesy of Cofense.

Where does spam stack up in comparison with a phishing attack?

In comparison to the malicious intent of phishing attacks, spam–which is any unsolicited bulk electronic message sent for the promotion of a commercial product, service, or website content–is more annoying than anything. According to Malwarebytes, spam is “any kind of unwanted, unsolicited digital communication, often an email, that gets sent out in bulk.”

Main Goal: To promote the sale (or share) of products or services

The intent of these emails is for lots of people to receive the communication and to buy the product, visit the website, or share the message with others.

Topics that might appear in spam emails include: 
  • Prayer chain forwards
  • Coupons
  • Adult content
  • Donation solicitations
  • Unwanted newsletters

Methods of Malice: Unsolicited, bulk commercial email that tries to get consumers to click and buy

Phishing emails are usually very sophisticated, but spam emails aren’t so meticulous. Since spam is an unsolicited junk email that’s sent to mass numbers of people, there isn’t the same level of attention given to detail and it isn’t typically targeted. 

Key Indicators: What you should watch out for

  • Too good to be true – Spam emails appeal to people’s wants and needs. They typically promise to sell you something that feels too good to be true, but this is usually in a commercial sense, not an attempt to extract information.
  • Unsolicited and annoying – Unlike phishing, spam isn’t personalized to individuals because it’s broader and is typically sent to hundreds or thousands of people at a time. You won’t see any of the targeted, sophisticated messaging you might see in a phishing attack.
  • Links – Spam links typically take you to websites trying to sell you something and are commercial in nature–often the products or services seem suspicious.

Examples: Below are some recent spam examples pulled from one of my old email addresses

The first one has all the classics: it was sent from an email contact I don’t know and/or didn’t sign up for, the messaging has that “too good to be true” feeling–yes, of course, I’d love to magically get rid of all my aches and pains!–and it incorporates some push for me to click and buy.

If you have as horrible a sense of humor as me, you may find this next example to be at least mildly funny. As you can see, everything about the email–the sender, the content, the various enticing links–smells a little bit funky…  

And finally, how do marketing emails differ from phishing and spam emails?

Email marketing is an effective way to help businesses and organizations reach their audience or customers. The main difference between email marketing and spam is that spam is unsolicited. 

Email marketing differentiates itself from spam by following certain guidelines, including: 

  • Getting permission–or opt in/subscription–from the receiver. Approval is required to be part of the database. 
  • Having a clear subject line that accurately reflects the contents of the message. Deceptive subject lines are typical indicators of spam. 
  • Providing a way to unsubscribe or opt out from the email list is a must. If this is not made clear, there’s a good chance that it is a spam email. 

Email marketers also have legal frameworks they must abide by, including the FTC’s CAN-SPAM Act, that set them apart from spammers.

Final Thoughts 

Overall, there are a variety of key differences to be aware of when it comes to the dangers of phishing versus spam, including:

Phishing:
  • Targeted
  • Fraudulent emails
  • Use of social engineering techniques
  • Want personal/private information
  • Carry malicious links
  • Sense of urgency

Spam:
  • Broad
  • Junk email
  • Form of commercial advertising
  • Unwanted ads
  • Links go to legitimate–yet fishy–websites
  • Doesn’t include a timetable
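
As an added illustration (not code from the original post), the Python below applies the indicators summarized above to three constructed messages and returns a triage label with the signals that fired. The keyword lists, signal names, label names and the two-signal threshold are assumptions chosen for the example.

```python
import re
from email import message_from_string
from email.policy import default

# Keyword lists are illustrative assumptions, not a vetted detection corpus.
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|now or never|suspended)\b", re.I)
CREDENTIALS = re.compile(r"\b(password|login details|social security number|card number)\b", re.I)
TOO_GOOD = re.compile(r"\b(miracle|guaranteed|risk[- ]free|lose weight fast)\b", re.I)

# Constructed sample messages (not real mail).
SAMPLES = {
    "phish": "From: it-support@example.test\nSubject: Urgent: account suspended\n\n"
             "Confirm your password immediately.\n",
    "spam": "From: deals@example.test\nSubject: Miracle cure\n\n"
            "Guaranteed relief from aches and pains. Click and buy!\n",
    "marketing": "From: news@example.test\nSubject: March newsletter\n"
                 "List-Unsubscribe: <mailto:unsub@example.test>\n\nThis month's product updates.\n",
}

def signals(raw):
    """Return the set of indicators from the article found in one raw message."""
    msg = message_from_string(raw, policy=default)
    body = msg.get_body(preferencelist=("plain", "html"))
    text = (msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    found = set()
    if URGENCY.search(text):
        found.add("urgency")
    if CREDENTIALS.search(text):
        found.add("asks_for_sensitive_info")
    if next(msg.iter_attachments(), None) is not None:
        found.add("attachment")
    if TOO_GOOD.search(text):
        found.add("too_good_to_be_true")
    # RFC 2369 List-Unsubscribe header, or a visible opt-out in the body.
    if msg["List-Unsubscribe"] or re.search(r"\bunsubscribe\b", text, re.I):
        found.add("opt_out_offered")
    return found

def triage(raw):
    """Map indicators to the article's three categories (coarse heuristic)."""
    found = signals(raw)
    phishy = found & {"urgency", "asks_for_sensitive_info", "attachment"}
    if "asks_for_sensitive_info" in found or len(phishy) >= 2:
        return "phishing", found
    if "opt_out_offered" in found:
        return "marketing", found
    if "too_good_to_be_true" in found:
        return "spam", found
    return "unclassified", found

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, triage(raw))
```

The labels are triage hints only: an opt-out link can be copied into a spam or phishing message, so a "marketing" result does not make the links in that message safe to click.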

Hopefully this blog post helps you better understand what you should be on the lookout for in your inbox. Stay safe and secure out there, everyone!


About Hurricane Labs

Hurricane Labs is a dynamic Managed Services Provider that unlocks the potential of Splunk and security for diverse enterprises across the United States. With a dedicated, Splunk-focused team and an emphasis on humanity and collaboration, we provide the skills, resources, and results to help make our customers’ lives easier.

For more information, visit and follow us on Twitter @hurricanelabs.