Proofpoint closes acquisition of Tessian.

Request a demo
Request a demo
Request a demo
Request a demo
Request a demo

Spam vs. Phishing: The Difference Between Spam and Phishing

Wednesday, December 2nd 2020
Spam vs. Phishing: The Difference Between Spam and Phishing

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

While email does make it easier for all of us to communicate both in our work and personal lives, there are two major issues with email communication: spam and phishing.


That means the average person needs to know how to spot these illegitimate emails and businesses need to know not just how to protect their employees, but how to avoid inadvertently sending spam.


In this article, you’ll learn the difference between spam and phishing, how common they are, and how to avoid each of them.

What is spam?


You may know spam as junk mail. But, what’s that? Unsolicited bulk email means that the recipient didn’t ask for it (unsolicited) and that many people were sent the email at once (bulk).


These two elements are essential to the definition of “spam.”


  • Unsolicited emails can be legitimate, e.g., job inquiries, customer service inquiries, any first-contact correspondence.
  • Bulk emails can be legitimate, e.g., newsletters, marketing to existing customers, transactional emails.


But emails that are both unsolicited and bulk are almost always spam. As well as being sent via email, spam can also be sent via SMS or instant messaging. Unsolicited sales and marketing calls (also known as nuisance calls) can also be considered spam.

“Fun fact: Why do we call unsolicited bulk email “spam?” The term comes from a famous Monty Python sketch featuring a cafe in which Spam forms part of every dish — whether the customers want it or not.”

Spam is generally commercial (meaning from businesses) but it can also serve more nefarious purposes, such as fraud. However, when a spam email uses social engineering techniques to trick the recipient, we call it a “phishing” email.


Not sure what social engineering is? Examples will help. We’ve rounded up 6 recent, real-world examples of social engineering attacks here.


What is phishing?


Phishing is essentially a more targeted version of spam. A hacker impersonates a trusted brand or person and sends a fraudulent message in an attempt to steal information or money, commit fraud, or install malware on a target’s device.


But, there are many types of phishing. Here are a few examples:


  • Spear phishing: A phishing attack on a specific individual
  • Whaling: A phishing attack targeting a company executive
  • Business Email Compromise (BEC): A phishing attack originating from a hacked or spoofed corporate email account
  • Vendor Email Compromise (VEC): A phishing attack targeting a business using one of its vendors’ email accounts


It’s important to note that a phishing attack can be delivered via several different communications channels:


  • Email: The big one — 96 percent of phishing attacks take place via email. When people say “phishing,” they’re generally referring to email-based social engineering attacks
  • Smishing: Phishing via SMS
  • Vishing: Voice-phishing, via phone or Voice over Internet Protocol (VoIP) software


Phishing attacks can also have different aims, for example:


  • Stealing credentials, e.g., social media, email, or internet banking login details
  • Installing malware, e.g., keylogger software, ransomware, or viruses
  • Stealing money, e.g., by sending fraudulent invoices (known as “wire transfer phishing”)

Now, let’s take a closer look at spam and phishing.

“Verizon’s 2020 Data Breach Investigations Report cites phishing as the most common cause of data breaches in 2019 — 22% of all data breaches involved phishing. ”

How common is spam?


According to 2019 research from PreciseSecurity:

  • Spam accounts for around 55 percent of global email activity.
  • Around 295 billion spam emails are sent and received every day.
  • China generates the most spam (20.43 percent), followed by the U.S. (13.37 percent) and then Russia (5.6 percent).


However, bear in mind that — despite these statistics — people’s experience of using email is generally improving. This is because:

  • Rates of spam are lower now than they have been previously — in 2014, data from M3AAWG estimated that spam accounted for 90 percent of email traffic.
  • Email providers are getting better at detecting spam, which means that more spam is being blocked or sent to junk folders.

How common is phishing?


Phishing is the most prevalent example of cybercrime. Let’s look at some of the best data we have covering the past few years:

  • Verizon’s 2020 Data Breach Investigations Report cites phishing as the most common cause of data breaches in 2019 —  22% of all data breaches involved phishing.
  • The FBI’s Internet Crime Complaint Centre (IC3) 2020 Internet Crime Report cites phishing as the leading cause of cybercrime complaints. Phishing complaints more than doubled between 2019 and 2020.
  • The U.K.’s National Cyber Security Centre (NCSC) Annual Review 2020 reported that 85% of U.K. businesses experienced one or more phishing attack in 2020 (up from 72% in 2017).

Risks associated with spam


While – yes – there certainly are some risks associated with receiving spam, most email providers like Gmail and Outlook have gotten pretty good at filtering these emails out. Don’t believe us? Check your spam folder!


A bigger risk – specifically to businesses – is accidentally (or negligently) sending “spam” as part of a direct-marketing campaign.


Businesses sending spam (including those who are perceived to be sending spam) run the following risks:


  • They could alienate their customers — which, ultimately, could damage their reputation and lose them business.
  • Their legitimate email correspondence could end up in people’s junk folders.
  • They could be fined or prosecuted under the various national laws regulating spam.

Consequences of phishing attacks

Phishing is one of the most damaging forms of cybercrime. But, as we’ve discussed, there are a lot of different types of phishing.


Wire transfer phishing causes direct, quantifiable losses when businesses pay fake invoices sent to them by fraudsters. The FBI’s data shows that U.S. businesses lost $1.8 billion in 2020 to wire transfer phishing via email.


Ransomware attacks are frequently delivered by email. Clicking the link in a phishing email can lead to your documents, databases, other files becoming encrypted. Emsisoft estimates that ransomware cost organizations $7.5 billion in 2019.


But what about the impact caused to individual companies? A single phishing attack can be devastating for a business.


The biggest known phishing scam of all time targeted tech giants Facebook and Google. This example of wire transfer phishing cost the companies around $121 million over two years.


But the indirect losses caused by phishing can be even greater. When Australian hedge fund Levitas Capital was defrauded for nearly $8.7 million in November 2020, the firm recovered 90% of the money. But the fund was forced to close after losing its biggest client as a result of the attack.


Unfortunately, Levitas Capital isn’t the only organization to have lost customers after a breach. After a breach, companies see an average of 3.9% customer churn. It makes sense, then, that “losing a customer/their trust” is the biggest consequence of a data breach according to security leaders.


So, how can businesses reduce the risk of being successfully targeted by a phishing attack?


How to avoid phishing attacks

Staff training


Much of the traditional guidance on phishing focuses on staff training — helping your employees to identify phishing emails and manually delete them. The classic “telltale” signs of a phishing email are often said to be:

  • Spelling mistakes
  • A sense of urgency
  • An unprofessional tone


This might have been good advice when phishing emails were sent out in “spray and pray” bulk attacks. But now, it’s unfair and unrealistic for organizations to expect their employees to be able to spot phishing attacks, especially those using advanced impersonations techniques.


Today, effective phishing emails look like any other email. They don’t carry these “telltale signs.”

  • They carry the branding and tone of voice you’re used to seeing from trusted senders.
  • They can arrive from a colleague or friend’s email address.
  • They might even look like part of an ongoing conversation (“email thread hijacking”).


That means staff training — while important — must not be your primary defense against phishing. As the National Cyber Security Centre (NCSC) says:

“Training your users… is the layer that is often over-emphasised in phishing defence. Your users cannot compensate for cyber security weaknesses elsewhere. Responding to emails and clicking on links is a huge part of the modern workplace, so it's unrealistic to expect users to remain vigilant all the time. Spotting phishing emails is hard, and spear phishing is even harder to detect. Even experts from the NCSC struggle.”
National Cyber Security Centre (NCSC)

Want to learn more about why phishing training alone just isn’t enough? Read our blog: Pros and Cons of Phishing Awareness Training.

Email security software

The only truly reliable way to root out phishing emails is by implementing an email security solution like Tessian Defender. Tessian’s platform is designed to offset the rule-based and sandbox approaches of O365 ATP to detect and stop newer and previously unknown attacks from external sources, domain / brand / service impersonations, and data exfiltration by internal actors. Here’s how Tessian protects your people and prevents inbound threats like phishing

  1. Tessian ingests historical email data from employees’ inboxes to learn what “normal” looks like and map their trusted relationships with other employees and third-parties outside the organization. This way, it automatically knows when an employee receives an email from an unexpected sender.
  2. Inbound emails are also analyzed in real-time for anomalies. Anomalies might include barely noticeable irregularities in the sender’s email address and IP address, potentially malicious links, or suspicious changes to the sender’s communication patterns.
  3. If an email is suspicious, Tessian alerts employees with contextual warnings that explain why the email has been flagged. Tessian also alerts security teams, who can quickly and easily investigate the attack and – to prevent future attacks – can add the sender’s domain to a deny list in a single click. :


Importantly, solutions like Tessian Defender prevent the most advanced attacks. Specifically, those that slip past legacy solutions, Secure Email Gateways, and spam filters.