Phishing vs spam: what's the difference?
Both clutter your inbox, but only one is actively trying to breach you. Here's how to tell phishing and spam apart — and why the distinction matters.
People use 'spam' and 'phishing' interchangeably, but they're different threats with very different stakes. Knowing which is which changes how you respond.
Spam: annoying, not targeted
Spam is unsolicited bulk email — ads, newsletters you never signed up for, dubious offers. It's a nuisance and occasionally a delivery mechanism, but most spam just wants your attention, not your credentials. The right response is usually to unsubscribe, block, or let your filter handle it.
Phishing: built to breach you
Phishing is a targeted social-engineering attack. It impersonates someone you trust to steal credentials, money, or data, or to plant malware. Unlike spam, phishing is engineered to get a specific action out of you — and a single successful one can compromise an entire organization.
How to tell them apart
- Intent — spam sells; phishing steals or deceives.
- Targeting — spam is bulk; phishing often references you, your role, or your company.
- The ask — phishing wants credentials, payment, or a click; spam usually wants a sale.
- Risk — ignore spam; report phishing.
When in doubt, treat it as phishing and report it. It's far better to flag a harmless newsletter than to wave through a credential-stealing lookalike.