Spam vs. Phishing vs. Pharming (Complete Guide)

All You Need to Know about Spam

Spam Definition

Spam is the process of sending out unwanted messages in bulk. Spam is mostly used for marketing purposes, and – back in 2018 – it accounted for 45% of all emails sent. Sending out spam doesn’t cost a lot, and if even a tiny segment of the recipients respond or interact with the messages, a spam campaign can be considered successful from an ROI point of view.

However, some spam messages can actually be part of a scam, and they can contain malicious links and attachments.

Common Types of Spam

• Social Media Spam – This type of spam includes stuff like likejacking, clickbaiting, excessive content sharing, fraudulent reviews, and fake claims meant to drive a lot of traffic to an ad-heavy page or a malicious website.
• Delivery Fail Spam – This message is meant to look like it comes from your email provider, and to trick you into believing an email you sent didn’t go through. If you open the attachment, your device will likely get infected with malware.
• Sneaky Spam – This type of spam lures clicks by using a misleading or outright fake subject line. For example, the subject line might say “New Private Message” to make you think you got a new message on a social media website, when – in reality – the whole email message is just spam advertising all sorts of things.
• Re: Spam – Spam messages in this category always have a Re: in their subject line, making you believing it’s a response to an email you sent. For instance, the spam message might have “Re: About Your Response” in the subject line, and the whole email body would just contain ads and links.
• Adult Content Spam – This type of spam will usually advertise adult content like advertisements for pornographic websites, sexual enhancement drugs, and adult meet websites.
• Health-Related Spam – This category is full of spam messages promoting weight loss pills and diets, muscle enhancement drugs, “guaranteed” cures to various illnesses, and cures for baldness (just to name a few examples).
• Personal Finance Spam – Spam that promotes debt reductions services, low-interest loans, and all types of insurance.
• IT Spam – It includes offers for website hosting services, website optimization services, domain registration, and low-cost hardware and software.

How to Spot Spam

• The message you receive feels extremely generic, and doesn’t address you by name.
• The email is full of ads and links.
• You can spot a lot of grammatical errors in the message you receive.
• The email’s tone is very pushy and aggressive, and tries to instill FOMO (Fear of Missing Out). Phrases in all-caps like “BUY TODAY” or “ORDER NOW” litter the whole email.
• The email’s subject line doesn’t have anything to do with its contents.

How to Protect Yourself from Spam

• Don’t disclose your email address to people you don’t trust, and on platforms that seem shady and ad-intensive. As inconvenient as it might be, it’s best to check the ToS on every website you want to sign up on to make sure they can’t legally share your email address with advertisers.
• If you absolutely need to register with an email address on a platform that seems spammy, use a disposable address.
• If you ever receive spam messages, don’t reply to them and block the sender address.
• Use reliable antivirus/antimalware software, and keep it up-to-date.
• Consider using anti-spam filters for your email, though keep in mind most solutions aren’t free.
• Try contacting your ISP and complaining about any spam you receive. If you’re lucky, they might blacklist the sender addresses on their network. If you can track down the spammer’s own ISP, you can complain about the behavior to them as well, and they might terminate the spammer’s service.
• If you get a spam message that contains an unsubscribe button or link, don’t click it. If you do, it will just confirm to the spammer that your address is valid.

All You Need to Know about Phishing

Phishing Definition

Phishing is a cybercriminal or scammer’s attempt of stealing sensitive data from people (financial information, login credentials, personally identifiable information) through fraudulent means.

Usually, the person behind a phishing attack will try to pose as a figure of authority (a bank, the police, a branch of the government) or someone close to the victim (a friend, distant or close relative, or an old acquaintance).

Phishing attempts can be performed over the phone, but – nowadays – cybercriminals and scammers prefer using email, messaging applications, and text messages to trick people into revealing personal/financial data, clicking on malicious links (which will take them to a phishing website), or downloading malware-infected attachments (that can contain keyloggers, spyware, or viruses).

Common Types of Phishing

• Spear Phishing – Spear phishing is basically regular phishing, but the scammer focuses on a specific group of people or type of business. An example of spear phishing is someone who focus on tricking senior citizens.
• Whaling – This type of phishing involves messages that are more personalized than your average phishing email. Why? Because whaling messages target specific people who hold high positions of seniority at large companies, like CEOs, CTOs, or CFOs.
• Deceptive Phishing – The most used type of phishing, deceptive phishing involves scammers pretending to be a legit business or institutions. For instance, a cybercriminal could send an email message pretending to be an IT technician from PayPal, asking potential victims to follow a malicious link to confirm their accounts or fix a technical error.
• Clone Phishing – In this case, cybercriminals will copy legitimate messages from real businesses and institutions, and replace any attachments or links with malicious attachments and links. They will then send that message from an address that is spelled similarly to the real one.
• Dropbox/Google Docs Phishing – This type of phishing isn’t specific only to Dropbox and Google Docs, but it’s named that way since it became well-known after targeting users on those platforms. Essentially, this method of phishing involves sending messages that ask users to enter their login credentials on a malicious website in order to access a new, important document that was uploaded on their accounts.
• Vishing – Vishing is phishing that happens over the phone. Most scammers won’t bother talking to the victim directly. Instead, they will play pre-recorded voice messages that impersonate someone who works at a specific institution (like a bank).

How to Spot Phishing

The most obvious sign you’re targeted by a phishing scam is that you receive an unsolicited message that tries to claim it’s from someone close to you, or someone in a position of authority (an account manager from your bank, a police officer, a lawyer, an IT support tech from a company whose services you use, etc.).

It’s easy to tell if you’re dealing with a phishing email if you notice the following:

• Some messages might contain a lot of grammatical errors, while those that try to impersonate official businesses and institutions might sometimes contain a few errors. Also, the message won’t address you by name, but by something generic (like “Dear User”). That might not always be the case, though – Whaling messages, for instance, could be well written and researched.
• The address you receive the message from is clearly trying to impersonate a legit email address (“[email protected]”  instead of “[email protected]”).
• The message has a very aggressive and pushy tone, trying to pressure you into making decisions quickly.
• If you copy-paste the message between quotes on Google, you’ll find forums where people are saying it’s a scam.
• The email contains shortened links or weird attachments (a file claiming to be a Word doc that ends in .exe).
• The sender insists you need to provide them with personal and financial information. Alternatively, the sender might ask you for money.

Besides messages, you should also learn how to spot a phishing website. Normally, it will meet the following criteria:

• The domain name will be slightly or seriously misspelled (PaiPal instead of PayPal, for example).
• There will be no green padlock icon right before the URL bar. If there is one, it could be slightly altered only to represent a green padlock when in reality it’s something else.
• The URL address will start with “http” instead of “https.”
• The website will contain shady ads and pop-up messages.
• The whole URL address seems shady – “[email protected].” instead of just “paypal.com/signin.”

Other than that, another obvious sign of a phishing attempt is if you receive a phone call from someone claiming to be from the police force, the government, or your bank, trying to aggressively convince you to send money to a bank account, or disclose personal and financial information.

How to Protect Yourself from Phishing

• Try using Standford’s anti-phishing browser extensions.
• Always use a strong antivirus/antimalware program, and keep it up-to-date. Also, install the latest updates for your operating system whenever you can.
• Don’t reply to any phishing messages you might get. Just ignore and delete them.
• Consider contacting the authorities if your country’s laws cover phishing attempts.
• Turn on two-factor or multi-factor authentication on all accounts that support it. This way, even if you were to lose your login credentials in a phishing scam, the cybercriminal would still need the code generated by the app on your phone to log in.
• Hover your mouse over any links you receive in an email to see if they lead to a shady-looking address.
• Don’t click on pop-up windows or ads that open randomly – either on your device or on a website.
• Always remember that banks (and other businesses you’re a client of) will normally not ask you for sensitive information (like your credit card number, for instance).
• Stay calm even if an email is trying to scare or worry you.
• Lastly, if you ever end up on a phishing website, either close the browser or enter gibberish in the username and password fields.

All You Need to Know about Pharming

Pharming Definition

Pharming is a type of cyber attack that’s similar to phishing in that its goal is to steal sensitive personal and financial information. However, pharming attacks do that by automatically redirecting you to fake and malicious website, as opposed to phishing that tries to trick you into accessing them yourself.

Common Types of Pharming

• Hosts File Pharming – This type of pharming starts out with a mass malicious email. Users who interact with it end up having their Hosts file (the computer file responsible for mapping IP addresses to website names) modified to the point where IP addresses no longer lead to legit website, but phishing ones. For example, the IP address 64.4.250.36 that normally connects users to PayPal could be modified to lead to a phishing version of PayPal.
• Poisoned DNS Servers – Some pharming attacks can target DNS servers (servers that resolve IP address-web domain communications) that have vulnerabilities, and “poison” them. What does that mean? Basically, cybercriminals will alter the DNS table on a server, ensuring that any user that uses said server will be redirected to their malicious website(s).

How to Spot Pharming

Most of the tell-tale signs we mentioned when we discussed phishing above apply here as well. Always be on the lookout for shady emails that try to pressure you into clicking on a shortened link or downloading dubious attachments, and avoid them. Also, malicious websites will usually have the classic giveaways – misspelled domain name, lack of an SSL/TLS certificate, and the URL will start with “http” instead of “https.”

How to Protect Yourself from Pharming

Using reliable antivirus/antimalware software and keeping it (as well as your operating system) up-to-date is a good way to keep your Hosts files safe. That, and always double-check the spelling of the domain name (the website address in the URL bar), check if there is a green padlock symbol next to the URL bar, and see if the website has an SSL/TLS certificate (by clicking on the padlock icon). If you notice any problems, close the browser immediately.

Unfortunately, when it comes to poisoned DNS servers, there’s really not much you can do since the server administrator is responsible for maintaining its security and checking up on it regularly. The best thing you can do is to use an ISP which you know is trustworthy, reliable, and isn’t afraid of explaining how they keep their DNS servers safe from pharming attacks. Also, if your ISP provided you with a WiFi router, it’s a good idea to change its login credentials so that the username and password aren’t just “admin; admin.”

Phishing vs. Spam

Pharming vs. Spam

Phishing vs. Pharming

Does a VPN Protect Against Spam, Phishing, and Pharming?

Not exactly. A VPN (Virtual Private Network) is an online service that can encrypt your online communications, and hide your IP address. But doing that won’t prevent you from being targeted by spam, phishing, and pharming attacks. Avoiding spam and phishing is mostly up to you, and the email provider you use. And preventing pharming attempts from endangering your data is something your ISP needs to do.

However, that doesn’t mean you shouldn’t use a VPN when you’re on the Internet. It protects your online traffic from hackers, meaning you can safely access your bank accounts and email even when you use unsecured public WiFi. Without a VPN, hackers might be able to eavesdrop on your online traffic.

So, a VPN is definitely useful, and it’s a service that should be used alongside powerful antivirus/antimalware software, script blockers, and anti-phishing extensions for the best results.

Spam vs. Phishing vs. Pharming – The Bottom Line

Spam, phishing, and pharming can all endanger your privacy and data, but they are different from each other. Here’s a quick comparison:

• Spam vs. phishing – Spam is email that is sent in bulk to multiple addresses at the same time. Its goal is mainly to expose people to ads, and market services to them. Phishing, on the other hand, aims to trick people into revealing personal and financial data.
• Spam vs. pharming – Spam exposes people to mass advertisement campaigns, while pharming automatically redirects online users to malicious websites.
• Phishing vs. pharming – Phishing and pharming have the same goals, namely stealing sensitive data from people. However, phishing tries to deceive people into doing that, while pharming uses malware and DNS poisoning to redirect people to malicious websites.

How do you protect yourself against all of them. Your best bet is to learn how to identify phishing and spam messages, so that you can avoid them. Using antivirus/antimalware programs, anti-phishing extensions, and script blockers would also help. And when it comes to pharming, it’s very important to use an ISP who maintains secure DNS servers.

While a VPN might not directly help you protect yourself from spam, phishing, and pharming, it’s still an important tool to use alongside everything else. Why? Because it makes sure cybercriminals can’t exploit unsecured Internet connections (like public WiFi) to steal personal and financial information from you.