Phishing emails are illegal under laws such as the Anti-Phishing Act of 2005.
Many companies are becoming increasingly aggressive with sending “simulated phishing” emails to their employees. Employees who click on them can face disciplinary action.
From a security perspective, the difference is clear: with a “real” phishing attack, someone is trying to get access to your accounts, but with a “simulated” one, they are trying to do what they would call “education.”
But from a legal perspective, it seems less clear to me. A “simulated” phishing attack really does mislead you about who sent it, and it really does cause you potential harm (getting in trouble with your employer). Isn’t this still a real act of phishing, and isn’t that illegal?
If a company were trying to teach its employees about suspicious packages, so it loaded its site full of disguised “education bombs” that really explode but only cause minor physical harm, this would probably still be completely illegal. Why would it be any different for emails?