Advanced phishing

What’s the difference between spam and scam emails?

by Egress
Published on 24th Nov 2021

Repetitive, unsolicited marketing is often infuriating and a waste of time, attention, and bandwidth. However, these commercial emails are harmless, mostly looking to offer you a service or product that, in fairness, they believe may be helpful to you. A nice intention, if not exactly welcomed. Your email provider may block some or filter it into a spam email folder for you to look over and delete at your leisure.

More concerning, however, are the phishing emails that use smart social engineering tricks to scam you. These emails are a profitable enterprise for cybercriminals and a serious threat to your inbox. By tricking employees, your business is vulnerable to access denial, financial threats, and data breaches.

What is spam?

Spam email, in its simplest form, is a bulk send initiative. Companies or individuals are trying to sell you unsolicited products or services — such as a prescription you didn’t know you needed or the cryptocurrency that requires your urgent investment.

Different types of unsolicited emails

Spam has evolved over the years, and while the typical user might recognise some of these emails, others might be convincing enough to earn a click. Spam is annoying, but it’s a simple and honest enterprise. When hijacked by criminals, however, the intent is very different.

Pure spam 

Offers of marketing lists, printing services, blog posts, or advertising space are common spam emails that target business email addresses. Personal email addresses? You’re likely to receive offers for pharmaceuticals, adult content, cryptocurrency, and online casinos. 

Soup mail

Spam emails with incomprehensible word-soup content could be testing your software and filters for future spam onslaughts. 

Scam emails

A forgotten lottery win or family inheritance is a tempting prospect, and that’s precisely what scammers want you to think. Scam emails use emotive scenarios to engage us on a human level. These emails may seem legitimate, but their purpose is to take your money for causes, goods, or services that don’t exist.

Phishing emails

Phishing emails are a cybercriminal’s bread and butter. Sent repetitively in their millions to hook just a few, phishing, like spoofing, tricks vulnerable recipients into sharing passwords, bank details, and other sensitive information by posing as a trusted entity.

Malware emails

Beware of emails that want you to open a link or download a file, as these may deliver malware to your device. Unsuspecting recipients can leave their enterprise vulnerable to ransomware, Trojan files, spyware, adware, pharming programs, data theft, and more.

Spoof emails

A sophisticated spoof email mimics recognised brands and businesses, down to the layout, logos, and curated personal content. It could be a spoofed request that appears to be from your bank to change your password, a recommendation from Amazon, or a technical issue raised by your support department. Spoof emails make requests with a sense of urgency to steal money, business data, or confidential information.

Spear phishing 

A bespoke phishing scam into which cybercriminals are investing more time. By identifying real-life relationships or personal insecurities — perhaps by checking out LinkedIn or Twitter profiles for clues — criminals aim to steal money, ransom access, and data, or blackmail recipients. 

Why spam is annoying but not the same as phishing 

Intention matters when it comes to analysing the threat of an email. There’s a phenomenal amount of spam sent each year and its impact on global business is little more than an annoyance — especially as most email providers can filter it out. However, when the intention is to scam the recipient, you’re not just dealing with simple bulk-send spam. 

Unsolicited emails are to be expected — think of the job applications or customer queries that your business receives each day. Likewise, there are plenty of bulk emails you can expect to receive, such as monthly newsletters, conference invites, or subscription updates.

Spam emails are both: unsolicited and sent in bulk. When both markers apply, spam is easy to spot, and most email clients will filter it out. If some slips through, it’s annoying and not much more. Report it, and move on. It’s the more sophisticated scams and phishing emails that could pose a real threat to your business.

What could spear phishing look like in your inbox?

A finance officer, for example, might receive an email from their boss’s Gmail account requesting an urgent transfer of funds to cover a flight back from a tech conference. Knowing the boss is at a tech conference, the request doesn’t seem unreasonable. 

But what if you’ve told your social media followers you’re desperate to impress at work, and your boss’s latest LinkedIn post (which you commented on) is from a tech conference? That is spear phishing. It’s a simple example of how criminals use targeted information to steal money, ransom data, or blackmail recipients.

An email from a trusted sender should undergo the same vetting and authentication process as any other. Test your skills with our spot the phish quiz.

How to stop spam

Stopping spam within your organisation comes down to a few things. Here are some tips:

  • Use the right technology to ensure spam emails are caught before they even reach the user.
  • Ensure employees attend relevant training to help them recognise spam emails that do slip through the net.
  • Strengthen your email filters.
  • Use proper encryption protocols to help recognise trusted senders.

Why phishing is harder to stop

Spam can be stopped by quite basic email filters and secure email gateways (SEGs). Phishing scams, however, are becoming increasingly sophisticated and require intelligent defence and protection strategies to counter the malicious intent of the sender.

It’s crucial that employees learn to recognise these attacks, but the right tools can help them determine if a sender is genuine. Multiple lines of defence against malicious actors will protect your business. Egress Defend uses contextual machine learning and technical analysis to identify inbound email threats. To protect against malicious actors looking to steal data, Egress Protect offers advanced encryption that protects sensitive data in transit and at rest.

How do you distinguish between spam, phishing scams, and normal emails? 

Spam emails are actually pretty easy to identify. Most unsolicited emails offering products or services from unknown senders are spam.

Supporting employees with regular IT security training will help them identify malicious phishing emails. Users should tread carefully when it comes to any email that asks for immediate attention, suggests financial transfers, or requires the sending or downloading of sensitive information, documents, or login details. 

Robust, easy-to-understand IT policies, and email platforms that use security software to authenticate senders, will help to identify legitimate emails. Simple protocols, like checking the full sender headers and using encryption as a business-wide SOP, are the easiest places to start.
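As an added example (not Egress’s code or the article’s own), here is a small Python check that applies the sender-header advice to the spear phishing scenario above: it parses a message, reads the gateway’s Authentication-Results header, and flags a colleague’s display name on an outside mailbox, a freemail sender domain, a mismatched Reply-To, and urgency or payment language. The staff directory, freemail list and the sample message are constructed for this demo.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed internal directory: display name -> corporate address (demo data).
STAFF = {"Jane Smith": "jane.smith@example.com"}
FREEMAIL = {"gmail.com", "outlook.com", "yahoo.com"}
URGENCY = re.compile(r"\b(urgent|immediately|transfer|wire|asap)\b", re.I)

def analyse(raw: bytes) -> list[str]:
    """Return the risk indicators found in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    flags = []
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower()
    # A known colleague's name on an address that is not their corporate one.
    known = STAFF.get(name)
    if known and addr.lower() != known:
        flags.append("display-name-impersonation")
    if domain in FREEMAIL:
        flags.append("freemail-sender")
    # Replies silently redirected away from the visible sender.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():
        flags.append("reply-to-mismatch")
    # Authentication-Results as stamped by the receiving gateway (SPF/DKIM/DMARC).
    auth = (msg.get("Authentication-Results") or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        if f"{mech}=pass" not in auth:
            flags.append(f"{mech}-not-pass")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    if URGENCY.search(msg.get("Subject", "") + " " + text):
        flags.append("urgency-or-payment-language")
    return flags

# Constructed sample mirroring the article: the "boss" writing from a Gmail account.
SAMPLE = (
    b"From: Jane Smith <jane.smith.ceo@gmail.com>\n"
    b"To: finance@example.com\n"
    b"Subject: Urgent - need funds for flight home\n"
    b"Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=gmail.com;"
    b" dkim=pass header.d=gmail.com; dmarc=pass header.from=gmail.com\n"
    b"Content-Type: text/plain; charset=utf-8\n"
    b"\n"
    b"Stuck at the conference, please transfer 4,000 today. Will explain later.\n"
)

if __name__ == "__main__":
    print(analyse(SAMPLE))
```

Note that SPF, DKIM and DMARC all pass on the sample: the attacker’s own Gmail account is perfectly authenticated, which is why the contextual checks, not just the authentication result, decide whether the request deserves a phone call to the real sender.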

What is the difference between spam and a virus?

Spam is the commonly used term for those unsolicited sales and marketing emails that clog up your email account. Most are from annoying, albeit legitimate, businesses sending out emails in bulk. 

Falling for a virus-laden email is always serious. Hidden in emails with downloads or attachments you may have felt confident opening, this is a malicious piece of code that will infect your computer, leaving you and your system vulnerable to a variety of cybercriminal attacks.
