How did spam evolve into phishing?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Spam started as a volume game. Send a million emails, a few people bite. By the early 2000s, filters got good at blocking that pattern. Open rates dropped, IP reputation systems flagged bulk senders, and the old spray-and-pray model stopped working.
So attackers shifted strategies. Instead of blasting everyone with the same pitch, they started mimicking trusted senders. Banks, payment processors, internal IT departments, shipping companies. The goal changed from selling to stealing. That's phishing.
The term phishing comes from "fishing" (casting bait, waiting for someone to bite) combined with phreaking, the old hacker slang for breaking into phone systems. The "ph" spelling came from 1990s hacker culture, same era that gave us "phreak" and "phreaker." Early phishing attacks (mid-to-late 1990s) targeted AOL users with fake login pages. By the early 2000s, attackers had moved to Yahoo Mail, banks, and payment processors like PayPal.
The key difference between spam and phishing is the disguise. Spam says "Buy this product." Phishing says "Your account is locked, click here to verify." One's a nuisance, the other's identity theft. Filters learned to catch spam by looking at sender reputation, volume spikes, and keyword patterns. Phishing evades those signals by sending fewer emails, using compromised accounts or lookalike domains, and mimicking legitimate transactional mail.
Why this matters if you're a sender: phishing made authentication essential. DMARC exists because attackers were spoofing trusted brands to steal credentials. If your domain isn't authenticated, mailboxes assume you might be a phisher pretending to be you. That's why banks, e-commerce sites, and SaaS companies get stricter scrutiny than newsletters. One phishing attack from a lookalike domain can tank your brand's reputation even if you never sent it.
Curious how phishing detection works today? Check out how spam filters detect phishing attempts. Or see how modern AI-driven threats are changing the game in how AI is reshaping email in the 2020s.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.