legal_aspects_of_phishing_spoofing_etc

About this chapter

The information presented in this wiki is not legal advice and is subject to change without notice.

From a legal point of view, copyright on the web is often considered a grey area. In English law, however, everything created privately is copyrighted "automatically"; an explicit copyright notice is not necessary. The default you should assume for other people's works is that they are copyrighted and may not be copied unless you know otherwise. Example: you are contracted to test the company "example". In that case, you can copy their webpage www.example.com for a phishing simulation.

In English law, permissions to use copyright works (also known as licenses) do NOT need to be in writing. For instance, when you make a website available to the world, you grant an implied license to internet users to copy that website for the purpose of viewing it in a web browser. That implied license covers viewing, not reuse, so we recommend using the website cloner and logos only on your own corporate site.

Can you use 3rd party logos/content for your phishing simulation?

When our customers incorporate another company's logo in a simulated phishing email, that logo is not used in a way that confuses customers into believing that their goods or services originate with, are related to, or are sponsored by the company whose logo is displayed. The customers are not branding goods or services with anyone else's logo; rather, they are engaged in security awareness training. Potential confusion is mitigated by a corrective landing page and/or instructional video that launches at the conclusion of a simulated phishing attack, advising users to be more wary of phishing scams.

So as long as the clients make clear that any third-party logo is used for illustrative or instructional purposes only and that there is no affiliation or relationship between the mark owner and LUCY or LUCY's customer, there is no legal issue. Customers should therefore not omit this important information when customizing landing pages. From a copyright perspective, incorporating a third-party logo in a simulated phishing email serves an entirely new, transformative purpose, and as such constitutes fair use. The logo is employed in a different manner (unrelated to the offering or sale of goods or services) and for a different purpose (security awareness and educating the public about how to avoid phishing scams). This transformative use does not undermine the copyright holder or any market that the copyright holder would reasonably exploit.

Please use a legal disclaimer in your email or on your landing page whenever you spoof a third-party brand for educational purposes. Example:

Please note that the third-party logos and trademarks used in this email or landing page are used for illustrative or instructional purposes only and there is no connection or relationship between the trademark owner and Lucy Security or the LUCY Security customer.

Is impersonating an email even allowed?

If you are hired to test another company, you should have a properly written contract in place. When testing your own company, mail spoofing is allowed in most countries. Spoofing (mail or SMS) is only illegal in cases where it is used to commit fraud or otherwise perpetrate a crime.

There are entirely legitimate reasons to spoof text messages, as well as less legitimate ones, and the legality of this practice varies worldwide. Some nations have banned it due to concerns about the potential for fraud and abuse, while others may allow it. Individual carriers may also restrict SMS spoofing even if it is legal in a given nation. For example, it is illegal to send anonymous SMS messages in Australia.

legal_aspects_of_phishing_spoofing_etc.txt · Last modified: 2019/07/25 12:49 by 127.0.0.1