Back to Learning CenterSecurity

Spam vs phishing: what's the difference?

By Samuel ChenardJuly 12, 20266 min read
Spam vs phishing: what's the difference?

Spam is unsolicited bulk email — usually advertising — sent to as many inboxes as possible. Phishing is a deliberate scam that impersonates a trusted person or brand to trick you into handing over credentials, money, or data. The core difference is intent: spam wants your attention, phishing wants to defraud you.

Quick Takeaways

  • Spam is unsolicited bulk email; its goal is volume, usually to advertise or drive clicks.
  • Phishing is a social-engineering attack that impersonates a trusted sender to steal information or money.
  • All phishing is unwanted, but not all spam is phishing — much spam is merely annoying, not malicious.
  • Phishing can be highly targeted (spear phishing, business email compromise) and often slips past spam filters.
  • Spam filters catch bulk mail; stopping phishing also needs SPF, DKIM, and DMARC.
  • The defining line is intent and harm: nuisance and wasted resources versus fraud and data theft.

What is spam?

Spam is unsolicited email sent in bulk. The classic example is advertising you never asked for — cheap pharmaceuticals, dubious investments, or endless marketing from a list you never joined. The defining characteristics are that it is unsolicited (you didn't opt in) and bulk (the same message goes to huge numbers of recipients).

Most spam is a nuisance rather than an attack. It clutters inboxes, wastes storage and bandwidth, and drains attention. In many regions, commercial bulk email is regulated — senders are required to honor unsubscribe requests and avoid falsified headers — which is why legitimate marketers keep clean lists while spammers do not. For a fuller treatment, see what spam email is and how to prevent it.

Spam is not always harmless, though. When spam carries a malicious payload — a booby-trapped attachment or a link to malware — it is often called malspam. That is where spam starts to overlap with attacks; see how malspam works.

What is phishing?

Phishing is a targeted deception. The attacker pretends to be someone you trust — your bank, a supplier, Microsoft 365, or a colleague — and manufactures a reason for you to act: confirm a password, pay an invoice, open a document, or click a link to a fake login page. The goal is theft: of credentials, of money, or of sensitive data.

Unlike spam, phishing is defined by malicious intent and impersonation rather than by volume. A single, carefully crafted email aimed at one finance manager is phishing; a million identical ads are spam. Phishing comes in several flavors:

  • Bulk phishing — generic lures blasted widely, hoping a small fraction bite.
  • Spear phishing — tailored to a specific person using details about their role or company.
  • Whaling — spear phishing aimed at executives.
  • Business email compromise (BEC) — impersonating an executive or vendor to authorize a fraudulent payment, often with no link or malware at all.
For a deeper look, read what phishing is.

What is the difference between spam and phishing?

The cleanest way to separate them is by intent, targeting, and harm:

  • Intent. Spam wants to sell or drive traffic. Phishing wants to defraud or steal.
  • Targeting. Spam is always bulk. Phishing ranges from mass blasts to a single, hand-crafted message.
  • Harm. Spam wastes time and resources. Phishing can cost credentials, money, and a data breach.
  • Legality. Commercial spam is regulated but often legal when rules are followed; phishing is outright fraud.
  • Delivery. Spam is what filters are built to catch. Targeted phishing is engineered to look legitimate and evade those filters.
The categories overlap. Phishing is frequently delivered as spam — sent in bulk to strangers — and spam can be weaponized into malspam. But the two are not synonyms: a legitimate-but-unwanted newsletter is spam and not phishing, while a convincing fake invoice from your "CEO" is phishing even though it was never sent in bulk.

Why do spam filters miss phishing?

Spam filters are largely statistical. They score messages on sending reputation, known-bad content patterns, and volume — signals that work well against mass mailings. Targeted phishing defeats those signals by design: it is low-volume, personally relevant, and sent from a fresh or hijacked account with no bad reputation yet.

Worse, attackers can pass basic authentication checks and still deceive you. A message can be technically valid yet fraudulent — for example when a lookalike domain or a compromised account is used. This is exactly why phishing emails sometimes pass SPF and DKIM: those checks validate the sending path and signature, not whether the human behind the message is honest.

How do you defend against each?

Different threats call for different controls, layered together.

Against spam:

  • Use email filtering that scores reputation and content.
  • Never publish or reuse addresses on public pages that harvesters scrape.
  • Report and block persistent senders rather than engaging.
Against phishing:
  • Deploy email authentication so attackers cannot spoof your exact domain: publish SPF and DKIM, then enforce DMARC at quarantine or reject.
  • Train people to verify unexpected requests for money or credentials through a second channel.
  • Scan links and attachments, and require multi-factor authentication so a stolen password is not enough.
  • Learn the tell-tale signs — see how to spot fake emails.
DMARC is the piece most organizations miss. It stops attackers from sending mail as your domain, which is the most convincing form of phishing against your customers and staff.

Common issues telling spam and phishing apart

A message is annoying but is it dangerous?

If it is unsolicited marketing with a working unsubscribe link and no request for credentials or payment, it is almost certainly spam. Treat any message that asks you to log in, pay, or open an attachment "urgently" as potential phishing, regardless of how routine it looks.

The email passed authentication, so is it safe?

Not necessarily. Passing SPF or DKIM only proves the message took an authorized path or carries a valid signature for some domain — often a lookalike or a newly registered one. Authentication reduces domain spoofing; it does not vouch for intent.

It came from a real colleague's address

Account takeover means a genuine mailbox can send phishing. If the request is unusual — a change of bank details, a gift-card purchase, an unexpected wire — verify out of band before acting, even when the address is correct.

Frequently asked questions

Is phishing a type of spam? Sometimes. Bulk phishing is delivered as spam, so it overlaps. But targeted phishing is not bulk at all, and most spam is not phishing. They are related, not identical.

Which is more dangerous? Phishing, by a wide margin. Spam wastes resources; phishing steals credentials, money, and data and can lead to a full breach.

Can DMARC stop all phishing? No. DMARC stops attackers from using your exact domain, which is a major category of phishing. It does not stop lookalike domains, display-name tricks, or attacks from compromised third-party accounts, so pair it with training and filtering.

How do I know if my domain is being used for phishing? DMARC reporting shows you who is sending mail using your domain. Run the free Email Security Score to see whether your records are strong enough to block impersonation.

Palisade automates domain protection so your name is harder to abuse: it monitors SPF, DKIM, and DMARC, surfaces the senders using your domain, and walks you to enforcement. Start with a free scan from the Email Security Score tool.

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.

More from Samuel

Related articles