Spam is an attack where the user's inbox is flooded with advertisements, promotions, get-rich-quick schemes, and other unsolicited messages. Like phishing, the term initially included email-based messaging, but may now more generally include any communication medium. Spam is often used in conjunction with phishing; the attacker attempts to overload as many targets as they can with unsolicited messages, hoping that at least some users will act on them.

Other than email, spam can also be carried over instant messaging (IM). For example, an attacker might send unsolicited messages to members of a Facebook group promising a great deal on a product, if only they follow a link. This is sometimes called spim. Spim may be harder to pull off because it requires a synchronous interaction. If the victim expects to interact with a person in real-time, they may grow more suspicious if the attacker doesn't respond or doesn't respond like a human (i.e., the sender is a bot). Still, spim has been known to work, especially when the target is not tech-savvy.

Because of the rise of robust filters in email and IM clients, spam and spim are less effective than they used to be. However, the volume of unsolicited messages is so great that, every day, an unsuspecting user is successfully snared by spam or spim.