www.infosecinstitute.com
2606:4700:4400::6812:259a
Public Scan
Submitted URL: https://resources.infosecinstitute.com/spam-vs-phishing-definitions-overview-examples/
Effective URL: https://www.infosecinstitute.com/resources/phishing/spam-vs-phishing-definitions-overview-examples/
Submission: On December 19 via api from AE — Scanned from DE
Form analysis
1 form found in the DOM
POST
<form action="" method="post" id="newsletterForm" class="form">
<label for="form_input_email" class="sr-only">Enter your email</label>
<input type="email" id="form_input_email" class="form__input form_input_email" placeholder="Email address..." aria-required="true" required="">
<button type="submit" class="btn btn-accent btn-block" data-url="NewsletterForm/Subscribe" title="Submit Newsletter Form"> Subscribe </button>
<p class="text-small text-light mt-20 mb-0">For information about how Cengage uses personal information, see our <a href="https://www.cengagegroup.com/privacy/" target="_blank">privacy policy</a>.</p>
<input name="__RequestVerificationToken" type="hidden" value="CfDJ8P_g_rESZIlAkrEmoO_R_bsC4tBen03w37bBlxoi40FrWmf71ekKlhINwBfOgzR3XNlSzg1E2UNihlHJI4KDK4d504m2B4Kzvs0q7sdAc-I4AadMIu0tqWIlHJc0ppZqhHcONsEXPxbDsYs2ZRxPxP8">
</form>
Text Content
SPAM VS. PHISHING: DEFINITIONS, OVERVIEW & EXAMPLES
July 9, 2018 by Penny Hoelscher

Spam is usually defined as unsolicited commercial e-mail, often from someone trying to sell something. Spammers are not generally trying to get sensitive information from you, although they may try to elicit personal information to add to their database for future spam attempts. According to Statista, spam messages account for 48.16 percent of email traffic worldwide. The most common types of spam email analyzed in 2017 were healthcare and dating spam. The estimate from Talos Intelligence is even more grim: 85 percent of email volume in May 2018 was spam.

Phishing is not limited to email. Other types of phishing include voice phishing, tabnabbing, SMS phishing, Evil Twins, link manipulation on websites and other social engineering techniques. In this article, we will focus on email phishing. This is most assuredly a malicious attack with the intent of luring a victim into disclosing personal (preferably financial) information, with a view to stealing their identity (e.g. passwords and user identification details), and their money.

As reported by Dark Reading, PhishMe found that 91 percent of cyberattacks start with a phish. A study by Symantec confirmed this, stating that 95 percent of all attacks on enterprise networks are the result of successful spearphishing.
We shall see these definitions are not quite as clear-cut as they seem, nor universally agreed on. In this article, we will examine both definitions and provide examples of each. But first, let’s take a look at junk mail, spam and phishing, and what to know about each of them.

Also see: The Best Techniques to Avoid Phishing Scams

JUNK MAIL DEFINITION

Definitions of junk mail from Business Dictionary, Market Business News and Merriam-Webster all agree that junk mail is unsolicited, of a commercial nature, usually sent in bulk, and can be sent by either snail or electronic mail. But is it?

CORE CHARACTERISTICS
* Usually unintentionally solicited
* Commercial
* Not usually malicious
* Often routed to an email application’s spam folder
* Usually sent in bulk via electronic or snail mail

VARIATIONS
1. Unsolicited mail sent out usually by direct marketing or direct mail firms. Used mainly for introducing new products, books and magazines, investment opportunities, merchandise catalogs and similar items. Junk mail is big business in industrialized countries. Unsolicited email is called spam
2. Third-class mail, such as advertisements, mailed indiscriminately in large quantities

These latter definitions, particularly the characteristic of being unsolicited, blur the distinction between spam and junk email. To explain the difference more clearly, the concept of graymail is more enlightening. According to the University of Indianapolis, spam and phishing emails (graymail) should not be confused with junk mail, although junk they are.

Junk mail includes promotional emails to which you have (sometimes inadvertently or by omission) subscribed. That little check box at the bottom of the page when you subscribed to Acme Clothing Bazaar’s mailing list? Unless you ticked it opting out of future email correspondence with their business partners, Acme understood it to mean you wanted to receive junk email from their partners too. And the junk mail you receive from people you know?
Even though it goes into the spam folder, it is not actually spam. It’s more likely that when they entered a competition to win a holiday, they were invited to share the opportunity with all their friends.

So while junk mail can be annoying, it’s rarely intended to cause actual harm.

SPAM DEFINITION

According to Indiana University, the terms junk mail and spam have evolved to become somewhat interchangeable: “The term ‘spam’ is Internet slang that refers to unsolicited commercial email (UCE) or unsolicited bulk email (UBE). Some people refer to this kind of communication as junk email to equate it with the paper junk mail that comes through the U.S.” Like the definition from the University of Indianapolis, this definition sharpens the distinction between junk email and spam.

CORE CHARACTERISTICS
* Unsolicited
* Commercial
* Not usually malicious but can be vicious
* Often routed to an email application’s spam folder
* Sent via electronic mail, text, in an instant message, or in comments on websites, e.g. forums and Usenet groups
* Sometimes attempts to elicit personal details for non-nefarious purposes, or to beg for donations to questionable causes
* A form of junk mail
* Often sent in bulk
* Recipient addresses harvested from publicly accessible sources or by dictionary guessing email addresses, e.g. John1@aol.com, John2@aol.com and so on

ADDITIONAL CHARACTERISTICS
* Irrelevant or unsolicited messages sent over the Internet, typically to a large number of users, for the purposes of advertising, phishing, spreading malware, etc. (Oxford Dictionaries)
* Spam is electronic junk mail or junk newsgroup postings. Some people define spam even more generally as any unsolicited email. However, if a long-lost brother finds your email address and sends you a message, this could hardly be called spam, even though it is unsolicited. Real spam is generally email advertising for some product sent to a mailing list or newsgroup. (Webopedia)

WHY IS IT BAD?
* May promote products with little real value, get-rich-quick schemes, quasi-medical products, dicey legal services and potentially illegal offers and products
* Often unethical, dishonest, and fraudulent. For instance, in 2001, Spam Abuse reported that spammers were soliciting donations for relatives of the victims of the 9/11/2001 terrorist attacks on the U.S. “We at spam.abuse.net do not believe that any of these relatives will see any of that money.”
* Is a threat to Usenet and mailing groups which often receive barrages of spam, compromising the integrity of a group’s content
* Being of dubious origin, spam is often sent from computers infected by computer viruses
* May hijack real users’ identities to send spam to other users

WHY DO THEY DO IT?
* If just a fraction of people who receive a spam email buy the advertised product or subscribe to a service, spammers can make a lot of money. A spam business can be set up for very little and can be very lucrative. Speaking to Wired Magazine, Gmail spam czar Brad Taylor says "It costs $3,000 to rent a botnet and send out 100 million messages. It takes only 30 Viagra orders to pay for that."
* Spammers can sell mailing lists (which is a good reason not to reply to spam, even to give them a piece of your mind. Knowing your email address is valid makes it even more valuable)
* If a spammer sends out one million messages and gets a .01 percent response, it equates to 100 buyers — great business for ten minutes’ work

EXAMPLES

From the Massachusetts Institute of Technology (MIT) come hosts of examples: for instance, this unsolicited advertisement for “Eastern buddhas.” If you go to the website, you will find it does not exist. Spammers tend to create short-lived websites that are removed almost as fast as they spring up:

A classic reproduced by Snopes that continues to do the rounds on regular occasions:

You should always check what you suspect may be a spam email with a reputable site like Hoax Slayer.
Remember, if it sounds too good to be true, it probably is. Bill Gates will not pay you to forward emails to your contacts. Ever.

PHISHING DEFINITION

According to Webopedia, phishing is the act of sending an email to a user while falsely claiming to be an established legitimate enterprise, all in an attempt to scam the user into surrendering private information that will be used for identity theft. The email will typically direct the user to visit a website where they are asked to update personal information, such as a password, credit card, social security number or bank account numbers. The website, however, is bogus and will capture and steal any information the user enters on the page.

CORE CHARACTERISTICS
* Unsolicited
* Commercial
* Always malicious
* Seldom routed to an email application’s spam folder as it usually appears to come from a legitimate source
* Always attempts to elicit personal details for nefarious purposes, or to beg for donations to questionable causes
* May be sent in bulk
* Includes link to phony website
* Recipient addresses harvested from publicly accessible sources, by dictionary guessing email addresses, e.g. John1@aol.com, John2@aol.com, etc., by utilizing the contacts of previously stolen identities, and from personal information sold on the Dark Web
* Utilizes emotional social engineering techniques like intimidation, a sense of urgency, authority, trust, and so on

ADDITIONAL CHARACTERISTICS
* A scam by which an Internet user is duped (as by a deceptive email message) into revealing personal or confidential information which the scammer can use illicitly. (Merriam-Webster)

WHY IS IT BAD?
* Potential identity theft
* Embarrassment, ruined reputations and harassment
* Disrupted operations of accounts
* Compromise of brand integrity for businesses and loss of data
* Any number of financial consequences, including the loss of savings, vehicle repossession and even the loss of employment
* Spread of malware
* Theft of intellectual property

WHY DO THEY DO IT?

According to Wikipedia, “Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details (and money), often for malicious reasons, by disguising as a trustworthy entity in an electronic communication.” Did you spot the word “often?” The website continues: “Phishing is an example of social engineering techniques used to deceive users, and exploits weaknesses in current web security.”

The fact is that while phishing can be described as always malicious, the aim is not always direct financial gain. Some phishers may seek to discredit political parties or other organizations by hijacking the credentials of workers from whom they can steal and compromise sensitive information. Others may hijack a user’s identity and then cyberbully or harass their contacts – for “fun.”

* By impersonating major brands like PayPal, Apple, major banking institutions and government organizations, phishers are assured that a large percentage of potential victims are likely to subscribe to or have an account with the legitimate organization that is being spoofed
* Phishers can use the identities they have stolen to make illegal purchases, or commit other types of fraud
* Make money selling personal information on the Dark Web. For instance, a credit card number may sell for as much as $5

EXAMPLE

From Raw Info Pages, a typical example of bad spelling or grammar, and generic salutation:

From Phishing.org, you can see that the domain name of the link address is not related to the purported sender:

RELATED TERMS
* Email scam. A form of email fraud which includes both spamming and phishing techniques
* Website spoofing. Fraudulent websites that masquerade as legitimate sites by copying the design of the website as well as in some cases utilizing a URL similar to the real site
* Brand spoofing. Where the identities of legitimate organizations are used to create fake websites or to phish victims
* Malware – Closely related to phishing, the main difference is that not all malware is delivered via email

WHERE TO NEXT?

Phishing scams are evolving. According to AWG, at the end of 2016 less than five percent of phishing sites were found on HTTPS infrastructure. By the fourth quarter of 2017, however, nearly a third of phishing attacks were hosted on Web sites that had HTTPS and SSL certificates.

The best defense against phishing and spamming is security awareness. Protect your family and employees with Infosec IQ security-awareness training or test your organization's phishing susceptibility with a free Phishing Risk Test.

SOURCES
* About spam, Indiana University
* Spammers do more than spam, Spam Abuse
* Why do Spammers Spam?, MCP Mag
* Recent examples of spam that’s been sent to addresses at MIT, MIT
* FACT CHECK: Free Company Giveaways, Snopes
* Phishing for Influence: When Hackers Meddle in Politics, FraudWatch International
* Don’t be fooled by these fake PayPal emails, learn to spot phishing, Raw Computing
* Phishing examples, Phishing.org

Penny Hoelscher has a degree in Journalism. She worked as a programmer on legacy projects for a number of years before combining her passion for writing and IT to become a technical writer.