
Spam is Spam, Phishing is Phishing, but Phishing is not Spam



Problems arise when we use the terms Spam and Phishing interchangeably. At the risk of sounding persnickety, I’m going to try to build the case for why we need to stop confusing Spam and Phishing.


“We are getting mobile phishing attacks via SMS!”

“Wow, mobile phishing is incredibly rare. Can we get a sample? Our research team would love to analyze it.”

A short while later…

“We analyzed the link and the website, we couldn’t find any malware or account phishing. The only thing our research team found was a good deal on a year supply of Viagra from a Canadian pharmacy.”

“Yes, a few of our employees received this phish.”

This is just one example of the confusion that comes when we use the terms spam and phishing interchangeably. I don’t expect the casual user to adhere to a strict taxonomy of message classifications, but I wish information security professionals would put more effort into differentiating spam vs. phishing.

“Argh! This Spam is out of control.”

“Why don’t you block them?”

“…Because I’m waiting for the next buy-one-get-one deal for a Dyson vacuum cleaner”

Labeling email you signed up for as spam is common. But technically it’s not spam, even when it’s annoying. If you don’t want these messages, unsubscribe.

“When our employees receive a suspicious email, we tell them to forward it to [email protected]”

“Who looks at those suspicious email reports?”

“[…crickets…] they go to our anti-spam vendor … who um, uh, uses magic, in the cloud to stop us from getting spam”

It’s tax return time. Your HR department is being phished for employee W-2s. Do you want them forwarding a phishing attack in progress to your anti-spam vendor’s bit bucket?

Unless you are Hormel Foods, Spam is generally understood to be an unsolicited commercial message. Phishing is the term used to describe a message attempting to lure a victim into opening a dangerous link or attachment, or into giving up a password. While an attacker may use the same bulk delivery techniques a spammer uses, a phishing attack is very different from a spam message.

Given that I’ve devoted most of my professional life to anti-phishing, I probably care way more about this than most. So, I beg you, pretty-please, let’s put an end to calling phishing spam.

Thank you!

Aaron Higbee

Co-Founder & CTO


