How did spam evolve into phishing?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Spam started as a volume game. Send a million emails, a few people bite. By the early 2000s, filters got good at blocking that pattern. Open rates dropped, IP reputation systems flagged bulk senders, and the old spray-and-pray model stopped working.

So attackers shifted strategies. Instead of blasting everyone with the same pitch, they started mimicking trusted senders. Banks, payment processors, internal IT departments, shipping companies. The goal changed from selling to stealing. That's phishing.

The term phishing comes from "fishing" (casting bait, waiting for someone to bite) combined with phreaking, the old hacker slang for breaking into phone systems. The "ph" spelling came from 1990s hacker culture, same era that gave us "phreak" and "phreaker." Early phishing attacks (mid-to-late 1990s) targeted AOL users with fake login pages. By the early 2000s, attackers had moved to Yahoo Mail, banks, and payment processors like PayPal.

The key difference between spam and phishing is the disguise. Spam says "Buy this product." Phishing says "Your account is locked, click here to verify." One's a nuisance, the other's identity theft. Filters learned to catch spam by looking at sender reputation, volume spikes, and keyword patterns. Phishing evades those signals by sending fewer emails, using compromised accounts or lookalike domains, and mimicking legitimate transactional mail.

Why this matters if you're a sender: phishing made authentication essential. DMARC exists because attackers were spoofing trusted brands to steal credentials. If your domain isn't authenticated, mailboxes assume you might be a phisher pretending to be you. That's why banks, e-commerce sites, and SaaS companies get stricter scrutiny than newsletters. One phishing attack from a lookalike domain can tank your brand's reputation even if you never sent it.

Curious how phishing detection works today? Check out how spam filters detect phishing attempts. Or see how modern AI-driven threats are changing the game in how AI is reshaping email in the 2020s.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get Phishing-Proof Auth Help

I read this on the Email Almanac about phishing's evolution from spam: "Spam started as volume. By the early 2000s, filters blocked that pattern, so attackers shifted to deception, mimicking banks, processors, internal IT. That's phishing. The term combines 'fishing' and 'phreaking' (1990s hacker slang). Early attacks targeted AOL, then Yahoo, PayPal, banks. Spam says 'Buy this.' Phishing says 'Your account is locked.' One's a nuisance, the other's identity theft. Filters catch spam with reputation and patterns. Phishing evades that by using compromised accounts and lookalike domains." Help me understand how this affects MY sending: 1. What phishing tactics might target my industry or customers? 2. How can I protect my domain from being spoofed in phishing attacks? 3. What authentication setup do I need to prove I'm the real sender? 4. How do I educate subscribers to recognize phishing vs. my legitimate emails? --- My business context: - Industry: e.g. finance, e-commerce, SaaS, healthcare, education - Email types: transactional, marketing, internal - Domain(s): your sending domain - Current auth setup: SPF/DKIM/DMARC status if known - Concern level: have I been spoofed? am I at risk? just learning?

Edit the yellow boxes, then send to the AI of your choice.