Carnegie Mellon University


December 16, 2019

Phishing vs Spam: How to Determine the Difference

While many tools are in place to filter and block a large volume of phishing and spam emails, some of these messages may still be delivered to your inbox. Make sure you understand the difference between a spam email and a phishing email, and how to handle each type of message.


Spam emails are unsolicited and irrelevant commercial emails sent online in bulk to many recipients. Spam messages often come from a company trying to sell you something. While these emails can be a nuisance, they are not considered malicious.

Examples of Spam:

  • Advertising (retailers, dating sites, online pharmacies, gambling)
  • Get rich quick schemes (You've Won!, Claim your prize)
  • Hoax virus warnings
  • Chain emails

Received a Spam Email?

If a spam email message is delivered to your inbox, you can report it to the Help Center by forwarding the message to


Phishing is a malicious attempt to obtain sensitive information by posing as a trustworthy website, person, or company. Attackers in a phishing campaign might seek personal information such as a password, credit card, bank account number, or Social Security Number.

Examples of Phishing:

  • Request personal information
  • Direct users to open a link or unexpected attachment
  • Verify account information and/or password
  • Convey a sense of urgency

Received a Phish Email?

If you received a message that you believe is phishing, follow the steps below to report it to the Information Security Office (ISO).

  1. Obtain the message headers from the email in question. This information allows the ISO to investigate how the email entered the environment and prevents future phishing emails from being delivered to campus.
  2. Forward the phishing email and the message headers to
  3. Delete the phishing email.
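
What the headers gathered in step 1 can show an investigator, as an added example (not part of the original page and not the ISO's own tooling): it parses a constructed message, lists the Received hops oldest first, reads the recorded SPF/DKIM results, and compares the From and Reply-To domains. All hostnames, addresses and IPs are placeholders, and the function names are hypothetical.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Constructed sample; all hostnames, addresses and IPs are placeholders.
RAW = """\
Received: from mx.example.edu (mx.example.edu [192.0.2.10])
  by mailstore.example.edu with ESMTP id A1; Mon, 16 Dec 2019 09:00:05 -0500
Received: from relay.example.net (relay.example.net [198.51.100.7])
  by mx.example.edu with ESMTP id B2; Mon, 16 Dec 2019 09:00:03 -0500
Authentication-Results: mx.example.edu; spf=fail smtp.mailfrom=example.net;
  dkim=none
From: "Help Desk" <helpdesk@example.edu>
Reply-To: collector@example.net
To: user@example.edu
Subject: Urgent: verify your password

Click the link to keep your account.
"""

def domain_of(header_value):
    """Lower-cased domain of the address in a From/Reply-To style header."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def received_path(msg):
    """(from_host, by_host) per hop, oldest first. Each server prepends its
    own Received line, so the list is read bottom-up."""
    hops = []
    for value in reversed(msg.get_all("Received", [])):
        text = " ".join(str(value).split())  # collapse folded whitespace
        m = re.search(r"\bfrom\s+(\S+).*?\bby\s+(\S+)", text)
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops

def header_summary(raw):
    msg = message_from_string(raw, policy=default)
    # Trust Authentication-Results only when your own mail server added it.
    auth = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)",
                           str(msg.get("Authentication-Results", ""))))
    reply_dom = domain_of(msg.get("Reply-To"))
    return {"path": received_path(msg), "auth": auth,
            "reply_to_differs": bool(reply_dom)
                                and reply_dom != domain_of(msg.get("From"))}

if __name__ == "__main__":
    print(header_summary(RAW))
```

Forwarding only the visible message body loses every one of these fields, which is why the headers are requested alongside the email.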