Spam vs Phishing
Aug 19, 2025
What is Spam?
Spam is unsolicited junk email. It is sent out in bulk to an email list and is typically unwanted commercial advertising. If the message contains links, those links are typically for legitimate commercial/sales websites. Spam may also contain “Unsubscribe” links so that you can remove yourself from the email list. Report spam as “junk” to automatically filter it out of your inbox.
What is Phishing?
Phishing is a psychological attack used by cyber criminals to trick you into giving up information or taking an action. The term originally described email attacks that would steal your online username and password. However, phishing has evolved and now refers to almost any message-based attack. If the message doesn’t have a link or doesn’t ask you to reply with information, it probably isn’t phishing. Phishing messages are unlikely to contain “Unsubscribe” links.
Similarities and Differences
While both are unsolicited, spam is typically commercial in nature and is sent by businesses to get you to purchase a product or service, whereas phishing is a fraudulent communication designed to lure a victim into revealing personal information and/or clicking a malicious link that steals credentials or infects your computer.
Spam is a nuisance; phishing is dangerous. It is important to report both spam and phishing attempts so that Microsoft sorts your inbox accordingly and blocks unwanted emails. Spam and phishing are both types of unwanted or malicious communications, especially via email, but they have different purposes and risks. Here's a breakdown of the key differences:
Spam
- Purpose: Typically commercial. Spam messages are unsolicited bulk messages sent to promote products, services or websites.
- Intent: Annoying but usually not harmful. The goal is to advertise or generate traffic.
- Examples:
  - Ads for weight loss pills or miracle cures
  - Promotions for questionable investment schemes
  - Unsolicited newsletters or offers
- Risk Level: Low to moderate. Spam can clutter inboxes and sometimes link to shady sites, but it usually doesn’t try to steal personal information.
Phishing
- Purpose: Malicious. Phishing messages are designed to trick recipients into revealing sensitive information (e.g., passwords, credit card numbers).
- Intent: Fraudulent and harmful. The goal is identity theft, financial fraud or unauthorized access.
- Examples:
  - Fake emails from banks asking you to “verify your account”
  - Messages pretending to be from IT support asking for login credentials
  - Links to fake login pages that mimic real websites
- Risk Level: High. Phishing can lead to serious consequences like data breaches, financial loss or compromised systems.
Email Best Practices
- Never click on anything from an unknown and unverified sender.
  - Hover over the link with your cursor to see the URL.
  - You can always look up the expected site on your own and compare it to the URL. This is an easy way to avoid clicking on links.
  - If it looks weird and/or comes from an unverified sender, do NOT click.
- Never share confidential information such as your credentials, passwords, PINs, etc.
  - A legitimate professional will never ask you for this information through email, text, or any non-secure method.
  - Always verify who is on the other line asking for this data.
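The "hover over the link and compare it to the expected site" check above can be automated for an HTML message. The following is an added example written for this page, not code from the original article: it pulls every link out of an HTML body, compares the real target host with the domain you expect (here the constructed placeholder examplebank.com) and with any URL-looking text the link displays, and reports the mismatches. The domain rule is deliberately naive (last two labels) and the sample message is constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registered_domain(host):
    # Naive "last two labels" rule; a real tool should consult the public suffix list.
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def check_links(html, expected_domain):
    """Return (href, visible text, reason) for each link failing the hover-and-compare test."""
    parser = LinkCollector()
    parser.feed(html)
    expected, findings = expected_domain.lower(), []
    for href, text in parser.links:
        parsed = urlparse(href)
        if parsed.scheme not in ("http", "https"):
            continue  # mailto:/tel: links have no web host to compare
        actual = registered_domain(parsed.hostname or "")
        shown = re.search(r"([a-z0-9.-]+\.[a-z]{2,})", text.lower())  # URL-looking display text
        if shown and registered_domain(shown.group(1)) != actual:
            reason = f"visible text names {shown.group(1)} but link goes to {parsed.hostname}"
        elif actual != expected:
            reason = f"link goes to {actual}, expected {expected}"
        else:
            continue
        findings.append((href, text, reason))
    return findings

# Constructed sample message (not a real email): one look-alike link, one genuine link, one mailto.
SAMPLE_HTML = ('<p>Please <a href="http://examplebank.com.login-verify.example/verify">'
               'https://www.examplebank.com/verify</a> to confirm your account. Visit our '
               '<a href="https://www.examplebank.com/help">help center</a> or '
               '<a href="mailto:support@examplebank.com">email support</a>.</p>')
```

Running check_links(SAMPLE_HTML, "examplebank.com") flags only the first link, because the text shows www.examplebank.com while the real target is a different domain.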
Thank you for being vigilant and protecting your and the university’s information.