Spam is Spam, Phishing is Phishing, but Phishing is not Spam
Problems arise when we use the terms Spam and Phishing interchangeably. At the risk of sounding persnickety, I’m going to try to build the case of why we need to stop confusing Spam and Phishing.
“We are getting mobile phishing attacks via SMS!”
“Wow, mobile phishing is incredibly rare. Can we get a sample? Our research team would love to analyze it.”
A short while later…
“We analyzed the link and the website, we couldn’t find any malware or account phishing. The only thing our research team found was a good deal on a year supply of Viagra from a Canadian pharmacy.”
“yes, a few of our employees received this phish.”
This is just one example of the confusion that comes when we use the terms spam and phishing interchangeably. I don’t expect the casual user to adhere to strict taxonomy of message classifications, but I wish information security professionals would put more effort into differentiating spam vs. phishing.
“Argh!, This Groupon.com Spam is out of control.”
“Why don’t you block them?”
“…Because I’m waiting for the next buy-one-get-one deal for a Dyson vacuum cleaner”
Labeling email you signed up for as spam is common. But technically it’s not spam, even when it’s annoying. If you don’t want these messages, unsubscribe.
“When our employees receive a suspicious email, we tell them to forward it to [email protected]”
“Who looks at those suspicious email reports?”
“[…crickets…] they go to our anti-spam vendor … who um, uh, uses magic, in the cloud to stop us from getting spam”
It’s tax return time. Your HR department is being phished for employee W-2s. Do you want them forwarding a phishing attack in progress to your anti-spam vendor’s bit bucket?
Unless you are Hormel Foods, Spam is generally understood to be an unsolicited commercial message. Phishing is the term used to describe a message attempting to lure a victim to a dangerous link, attachment, or give up a password. While an attacker may use the same bulk delivery techniques a spammer uses, a phishing attack is very different from a spam message.
Given that I’ve devoted most my professional life to anti-phishing, I probably care way too much about this than most. So, I beg you, pretty-please, let’s put an end calling phishing spam.
Co-Founder & CTO