How does phishing differ from spam?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably heard the two terms used interchangeably. People say "phishing" when they mean "spam" and "spam" when they mean "phishing." They're not the same thing, and treating them as one problem can leave your inbox (or your whole organization) dangerously exposed.
Spam is bulk, unsolicited email sent mostly for commercial reasons. Someone wants to sell you a product, promote a service, or just get eyeballs on something. The main harm is annoyance. It wastes your time. It clutters your inbox. But it's generally not trying to steal from you or break into your accounts.
Phishing has a completely different goal. It's designed to trick you into handing over something valuable: a password, credit card number, login credentials, or access to a system. The email might look like it came from your bank, your CEO, or a service you actually use. That's the whole point.
Three key differences that matter in practice
Intent. Spam wants your attention. Phishing wants your credentials, your money, or your trust. That shift from "annoying" to "actively harmful" is what makes phishing a security threat, not just a nuisance.
Targeting. Spam is scattered. It goes to hundreds of thousands of addresses hoping a few will bite. Phishing can be just as broad, but the dangerous kind is targeted. Attackers research a specific person or organization, then craft a message designed to fool that specific target. The more tailored it is, the harder it is to spot.
Urgency and manipulation. Spam tends to be promotional in tone ("Buy now!", "Limited offer!"). Phishing tends to trigger fear or urgency ("Your account has been suspended.", "Verify your identity immediately or lose access."). That emotional pressure is a tool. It's designed to make you act before you think.
How to tell them apart in your inbox
Spam usually has a real unsubscribe link, a recognizable brand (even if you didn't ask to hear from them), and a commercial offer. It's annoying, but it's honest about what it wants.
Phishing tends to have a few tells worth knowing:
- The sender domain doesn't quite match the brand it's impersonating (paypa1.com, amazon-support.net, and similar tricks)
- The email creates urgency around account access, payment, or identity verification
- Links in the email go somewhere different from what they display (hover before you click)
- It asks you to download something, enter credentials, or confirm sensitive details
- The greeting is generic ("Dear Customer") even though the brand should know your name
One thing to keep in mind: brand impersonation phishing has gotten genuinely convincing. Some messages pass visual inspection easily. That's why the habit of checking the actual sender domain matters more than the logo or formatting.
Now if you're building defenses at an organizational level, it's worth understanding that spam filters and phishing defenses solve different problems. Spam filters look at volume, reputation, and content patterns. Phishing detection needs to look at sender authentication, domain spoofing, and social engineering signals. Relying on a spam filter alone to catch phishing is a gap worth closing.
Curious what a real phishing setup looks like under the hood? The mechanics behind phishing kits are worth understanding if you're training a team or building policy.
And if you think phishing is happening through your domain (someone spoofing your brand), check your DMARC setup. Our free DMARC Generator can help you get the right record in place.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.