What’s the difference between spam and phishing?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You've probably deleted hundreds of spam emails without a second thought. But have you ever stopped to wonder if that "special offer" from an unknown sender was just annoying, or actually dangerous? That's exactly where the line between spam and phishing matters.
Spam is unsolicited bulk email. Someone got your address (or bought a list, or guessed at it) and sent you something you never asked for. Think discount codes from a store you've never heard of, weight-loss supplement ads, or cold outreach from a marketing agency halfway across the world. It's a nuisance. It clogs your inbox and wastes your time, but it's not typically trying to hurt you.
Phishing is a different animal. It's deceptive email designed to trick you into handing over something valuable. That might be your password, your credit card number, or access to your company's systems. Phishing emails impersonate people or organizations you trust, and they create urgency to make you act before you think.
Here's what each looks like in the wild:
Spam example: An email from deals@best-prices-online.net with the subject line "80% OFF today only!!" promoting a product you've never searched for. It links to a sketchy storefront. Annoying? Yes. Trying to steal your login? Probably not.
Phishing example: An email that looks like it's from your bank, using the bank's logo and colors, asking you to "verify your account" because of "suspicious activity." The link goes to a fake site designed to capture your credentials. The sender might be security@yourbank-support-alert.com (not your bank's actual domain). That's phishing.
The clearest way to remember the difference is this: spam wants your eyeballs, phishing wants your data (or your money, or your access).
Still one important note: some emails are both. A phishing campaign sent to millions of people at once is technically spam too. And some spam can carry real risks, like malware hidden in attachments or links to malicious sites. So "spam" doesn't automatically mean "harmless." It just means unwanted and bulk.
Warning signs that separate phishing from regular spam:
- The sender domain doesn't match the organization it claims to be from
- There's urgency language like "act now", "your account will be suspended", "verify immediately"
- You're asked to click a link and enter a password or payment details
- The greeting is generic ("Dear Customer") rather than your actual name
- Hovering over the link shows a URL that has nothing to do with the sender's claimed identity
If you're curious how mailbox providers actually detect and block these threats, the answer gets into how mailbox providers detect malicious messages. And if you want to understand how domain authentication fits into stopping phishing, protecting your domain from spoofing is a good next read.
Not sure if a suspicious email in your inbox is spam or something worse? Drop it into our Email Header Analyzer and it'll show you what's actually going on under the hood.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.