What Is SPIM (Spam Over Instant Messaging)?

SPIM refers to the spam messages typical of widely used free instant messaging apps like Messenger, WhatsApp, Viber, Telegram, Skype and WeChat. These messages are usually commercial spam, but they can also contain malware and spyware.

Most apps have built-in filters that block messages from unknown sources. However, not all of them enable this by default, which means that you might still fall victim to this problem. That gap is exactly what SPIM relies on to win its small victories.

How instant messaging spam works

Every SPIM has its spimmer. The spimmer’s goal is to spread an unsolicited message to as many users as possible. The best way to spread that message is to “borrow” their victim’s identity and spam the users from their buddy list.

Spimmers hack into their victims’ profiles by sending an instant message with a link that has a malicious code buried in it. Here’s what happens next:

  1. When the victim clicks the link, they basically give away their identity on that IM platform to the spimmers
  2. The spimmers then use the identity to send unsolicited commercial messages to users on their victims’ buddy lists
  3. Some users from the buddy list click on a malicious link and the cycle continues

Another scenario is that a link is sent to a funny video hosted on a phony website designed to look like a popular social network. If you’re not savvy to these tricks, you’ll enter your credentials and effectively give away your account to a cybercriminal.

There’s also a less insidious way spimmers conduct their IM spam: they create software bots that generate innumerable throwaway accounts on instant messaging software. Once this is done, they go into rapid-fire mode and send countless unsolicited messages to as many accounts as possible.

Of course, not all SPIM is evil. Most of it is just annoying commercial spam from companies without the moral compass and business shrewdness to know better.

Ways to combat SPIM

  1. Use two-factor authentication (2FA)
  2. Delete SPIM messages
  3. Use filters to block messages from unknown sources
  4. Use antivirus with a built-in web filter

Two-factor authentication

Add another layer of authentication so that a cybercriminal who got your passwords can’t access your accounts. This is a great way to stop the “funny-video hackers” in their tracks. Without a security question, the password alone is useless.

Use filters

Even better than deleting unsolicited messages is not getting them in the first place. That’s why limiting incoming messages to only your contacts or buddy list is the way to go. That leaves you only with SPIM sent from the hacked accounts of people in your contacts, meaning that you would only potentially receive SPIM if one of your contacts were hacked.

How to recognize SPIM from a buddy list

SPIM from a buddy list usually requires some form of interaction and almost always contains an external link (spyware/malware alert!). It will most probably look weird and be in a different tone from what you’re used to from that person. In the event that you click on the link and the website you’re taken to looks legit, it will often have one telltale sign: it’ll be an HTTP website instead of HTTPS. HTTP websites don’t encrypt the data sent to them and are therefore unsafe.

To stay on the safe side, use antivirus with a built-in web filter. This filter will recognize phishing websites and alert you not to visit them, so that you don’t give out your sensitive information to hackers. With Brosix, you can integrate our app with your preferred antivirus software easily.
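The contacts-only filter from "Use filters" and the buddy-list warning signs above, combined into one triage function. This is an added example, not Brosix code; the brand list, sender names, messages and the `.example` host are constructed assumptions, and the look-alike host check goes slightly beyond the text to cover the phony login page scenario.

```python
import re
from urllib.parse import urlsplit

# Assumption: brands worth protecting and their real domains (constructed list).
KNOWN_BRANDS = {"facebook": "facebook.com", "whatsapp": "whatsapp.com"}
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed sample data: (sender, text) pairs and the recipient's buddy list.
CONTACTS = {"alice", "bob"}
SAMPLE = [
    ("alice", "is that you in the video? http://facebook.com.video-login.example/watch"),
    ("alice", "Photos from Saturday: https://www.facebook.com/photos"),
    ("promo-bot-4821", "Great deal, today only!"),
    ("bob", "Running late, see you at 6"),
]


def link_findings(url):
    """Return the warning signs a single URL shows."""
    try:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
    except ValueError:  # e.g. a malformed bracketed host
        return ["malformed-url"]
    findings = ["plain-http"] if parts.scheme.lower() == "http" else []
    for brand, domain in KNOWN_BRANDS.items():
        genuine = host == domain or host.endswith("." + domain)
        if brand in host and not genuine:
            findings.append("lookalike:" + brand)
    return findings


def triage(sender, text, contacts):
    """Return (verdict, findings); verdict is 'block', 'warn' or 'deliver'."""
    if sender not in contacts:
        return "block", ["unknown-sender"]  # contacts-only filter
    findings = []
    for url in URL_RE.findall(text):
        findings.append("external-link")
        findings.extend(link_findings(url.rstrip(".,)!?")))
    findings = list(dict.fromkeys(findings))  # de-duplicate, keep order
    verdict = "warn" if set(findings) - {"external-link"} else "deliver"
    return verdict, findings


if __name__ == "__main__":
    for sender, text in SAMPLE:
        print(sender, *triage(sender, text, CONTACTS))
```

An HTTPS link to a look-alike host is still flagged, because the host check is independent of the scheme check.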

Spam over internet telephony (SPIT or VoIP spam)

SPIT is a fitting acronym for a spam method that includes voice. This type of spam includes the same unsolicited messages, just in the form of a (usually) prerecorded voice message.

SPIT calls are extremely common today because VoIP calling rates are either free or very cheap, meaning that the companies that deem this a profitable way of “marketing” see it as an investment. To add insult to injury, telephony software like Asterisk makes it really easy for spammers to deliver robocalls at scale.

Thankfully, there are ways to battle this on your own: you just have to adjust the VoIP app settings on your phone or desktop. You can also rely on third-party software that blocks calls and detects fraud.

Why are free instant messaging apps susceptible to SPIM?

There’s a simple reason why free instant messaging apps suffer from SPIM – top cyber security is expensive and that’s why it can’t be a part of a freeware business model.

Take WhatsApp for example – they collaborate with companies that want to advertise their products and services by selling your contact information. That’s why, every once in a while, you’ll get a “great deal” in your WhatsApp chats. Learn more about WhatsApp’s security shortcomings in this blog post.

None of that happens with Brosix, even on a free plan. We don’t store user data unless you specifically ask us to and all our end users have to pass authentication in order to access their accounts. So no third party has access to your Brosix data and there’s no way that unauthorized accounts can even attempt to communicate with you.

If you’re interested in secure messengers that offer more advanced features, check out our article:
The 10 Best Secure Encrypted Messaging Apps in 2024 (Private and Team Messengers)

Improve your online security with password managers

Because online security mostly revolves around passwords, both individuals and organizations big and small can benefit from password manager software. Here are some of the reasons why:

Password managers, just like web filters on antivirus software, recognize malicious websites and don’t auto-complete your credentials, thus keeping your account information safe.

  1. They allow you to use a unique password for each online account that you have. This way, even if one of your passwords gets hacked, your entire online identity won’t be compromised.
  2. Where organizations are concerned, as soon as a team member leaves the company, a password manager generates new passwords and disables that person’s access to your accounts.
  3. This software enables something called digital inheritance – in the case of a person passing away, their family would gain access to the password vault of the deceased.

Read our review of the LastPass password manager and other productivity tools.


Unfortunately, we’re stuck with SPIM as long as there are companies and individuals who believe taking shortcuts is the way to run a business. That’s why you need to be able to recognize a SPIM message even when it comes from one of your contacts and act accordingly. Block unknown numbers that contact you and restrict communication only to buddy lists. However, don’t forget that spammers have ways to infiltrate accounts and pose as other people.

With this in mind, always be alert when there’s a link in one of your messages, even if it’s from a family member. It’d be good to have an antivirus with a built-in web filter in order to disallow autofill of your data even if you click on a link accidentally.

Finally, if you need an instant messenger for your business, consider software with high-end security features.



What do you mean by SPIM?

SPIM is email spam’s younger cousin and, as a “cool kid”, uses an acronym to represent itself. That acronym stands for spam over instant messaging. SPIM covers all the unsolicited messages people receive on apps such as Messenger, WhatsApp, Twitter chat, WeChat, etc.

How can you avoid SPIM?

You can avoid SPIM by restricting incoming messages only to your contacts or your buddy list, deleting unwanted messages before opening them and thinking twice before opening links that your contacts send you (their accounts might have been hacked).

What is SPIM malware?

SPIM malware is usually lines of code hidden in the links spammers send to their victims. An example of this is a popular Messenger scam that uses the enticing call to action “is that you in the video?” and a link leading users to a phony Facebook login page, which attempts to steal people’s FB login details.

Every malicious IM spam has a link, which is why we implore you to be extra careful when clicking on them. One reminder: if a linked website starts with “HTTP” instead of “HTTPS”, chances are it’s malware.

What is spit cyber security?

SPIT cyber security is the practice of defending your VoIP network from spam, malware, phishing and other malicious practices. Voice traffic firewall software is a great example of effective SPIT cyber security because it screens potentially harmful caller IDs and restricts their access to your VoIP network.

Call encryption is another way to make your online conversations safer. If a VoIP provider you are considering doesn’t offer call encryption, start looking elsewhere. That’s why choosing a secure VoIP provider is half the battle.

However, if you have concerns about internet telephony, Brosix’s voice chat messaging app is a great alternative to using VoIP altogether, precisely because of its security features.

Nikola Baldikov

Nikola Baldikov is a Head of Marketing at Brosix, specializing in SaaS marketing, SEO, and outreach strategies. Besides his passion for digital marketing, he is an avid football fan and loves to dance. Connect with him on LinkedIn or follow him on Twitter at @baldikovn.
