Spam and Phishing emails

You've probably heard of both spam and phishing emails, but you may be wondering: what's the difference? Good question! Both are types of unwanted email, but the way they can harm you differs, and one of them (phishing) is always a genuine threat.

A spam email (also known as junk email) is simply an unsolicited email. In most cases spam is a form of advertising, and it is more of an annoyance than a danger. However, spam can also carry harmful links, malware attachments, or deceptive content, so you should always be cautious about following links in unsolicited email. Most spam is sent by botnets: large numbers of computers infected by a virus or worm and remotely controlled to send out as much bulk email as possible, often without their owners noticing.

Phishing is a form of fraud. Cybercriminals use email, instant messaging, text messages, or social media to gather information such as login credentials by masquerading as a reputable institution or individual. The end goal is to obtain sensitive information, such as a social security number or bank account details, or to trick the recipient into installing malware. A typical phishing email is disguised as a message from a trusted source; for example, it may imitate a genuine email from your bank, asking you to log in to verify something on your account, and the "log in" link leads to a look-alike site that records whatever you type.

If you're ever in doubt, don't use the link in the email. Type the institution's address into your browser yourself (or use a bookmark) and log in directly, or call the institution using a phone number you already have, not one printed in the message.

Spoofing

So, that's the difference between spam and phishing. Is there anything else you need to be on the lookout for? Unfortunately, yes: you also need to be aware of spoofing.

Spoofing is when criminals pretend to be someone or something else, such as a known person, company, or website, in order to win a person's trust. The motivation is usually to gain access to systems, steal data, steal money, or spread malware.

Spoofing typically relies on two elements: the spoof itself, such as a faked sender address or a look-alike website, and the social engineering that nudges the victim into taking action. For example, spoofers may send an email that appears to come from a trusted senior co-worker or manager, asking you to transfer money online and giving a convincing reason for the request. Spoofers often know exactly which strings to pull to get the victim to act, in this example to authorize a fraudulent wire transfer, without raising suspicion.

A successful spoofing attack can have serious consequences: stolen personal or company information, harvested credentials that are reused in further attacks, malware infections, unauthorized network access, or bypassed access controls. For businesses, a spoofing attack is often the first step toward a ransomware incident or a damaging and costly data breach.

There are many different types of spoofing attacks. The more straightforward ones involve emails (a forged sender address), websites (a look-alike domain), and phone calls (a faked caller ID). The more technical ones operate at the network level, such as IP address spoofing and DNS spoofing, which send your traffic to an attacker's machine even when you typed the right name.

Malicious Links and More

Nearly every spam, phishing, and spoofing campaign relies on malicious links. A malicious link is created to further a scam, attack, or fraud. Clicking one can start the download of malware, such as a trojan or virus that takes control of your device, or land you on a fake website where you are persuaded to hand over sensitive information.

Before you click, check where a link actually leads. In a desktop email client, hover the mouse cursor over the link without clicking and the client will show the real destination address in a tooltip or status bar (on a phone, a long press usually does the same). The visible text of a link and its destination are independent, so a link that reads "chase.com" can point anywhere. A legitimate link points to the domain you expect, such as "chase.com"; a malicious one points to a site you don't recognize, such as "eb45ea9.grflrghb.com". Look at the domain immediately before the first single slash, not just whether the expected name appears somewhere in the address: "chase.com.example.net" belongs to example.net, not to Chase.
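The hover check above can be automated for a whole message. The script below is an added example for this article (not code from the original page): it parses the HTML body of an email, pulls out every link's destination and visible text, and flags any link whose visible text names one domain while the href goes to another, including the "chase.com.something-else" subdomain trick. The sample email body and every domain in it are constructed for illustration; the two-label "registered domain" guess is a simplifying assumption noted in the code.

```python
"""Flag links in an HTML email whose visible text disagrees with their target.

Added example for this article, not code from the original page. The sample
message and all domain names below are constructed for illustration.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample email body. Link 1 and link 3 are deceptive; link 2 is fine.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please <a href="https://eb45ea9.grflrghb.com/login">
log in at chase.com</a> to verify your account.</p>
<p>Or visit <a href="https://www.chase.com/">www.chase.com</a> directly.</p>
<p>Secure portal: <a href="http://chase.com.secure-verify.example/">https://chase.com</a></p>
"""

# Something that looks like a hostname inside the visible link text.
DOMAIN_IN_TEXT = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            # Collapse the whitespace that HTML line breaks leave in the text.
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def registered_domain(host: str) -> str:
    """Guess the registrable domain as the last two labels of a hostname.

    Assumption for this example: suffixes are one label long (example.com).
    Real code should consult the Public Suffix List so co.uk-style suffixes work.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def check_links(html: str):
    """Return (href, visible_text, verdict) for each link in an HTML body.

    verdict is "MISMATCH" when the text names a different registered domain
    than the href points to, "ok" when they agree or the text names none,
    and "no-host" when the href has no hostname (mailto:, relative, etc.).
    """
    collector = LinkCollector()
    collector.feed(html)
    results = []
    for href, text in collector.links:
        target_host = urlparse(href).hostname
        if not target_host:
            results.append((href, text, "no-host"))
            continue
        claimed = DOMAIN_IN_TEXT.search(text.lower())
        if claimed and registered_domain(claimed.group(1)) != registered_domain(target_host):
            results.append((href, text, "MISMATCH"))
        else:
            results.append((href, text, "ok"))
    return results


if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLE_EMAIL_HTML):
        print(f"{verdict:9} text={text!r:32} -> {href}")
```

Note that this inspects only the href as written in the message. A link that goes through a URL shortener or a redirect can still end up somewhere else, so a "ok" verdict is a hint, not a guarantee; when in doubt, open the site by typing its address yourself.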

If you have any doubts about what a legitimate email looks like, don't forget to check out this article: How do I tell if an email is legitimate or not?