Phishing is a serious criminal offense that can result in prison time, heavy fines, and a permanent criminal record. For victims, falling for a phishing scam can wreak havoc on finances and personal life. Whether you've been charged with a phishing crime or believe you've been targeted by one, understanding how the law works is the first step toward protecting yourself.
Phishing occurs when someone disguises a communication—an email, text message, phone call, or fake website—as a legitimate message from a trusted individual or organization to trick recipients into revealing sensitive personal information, such as passwords, Social Security numbers, or bank account details.
Scammers can make a communication look like it legitimately came from a bank, PayPal, Amazon, or a government agency like the IRS or Social Security Administration—and with AI, those fakes are becoming harder to spot. This type of impersonation is sometimes called spoofing. The scammer then uses the stolen information to commit identity theft, financial fraud, or other crimes.
Common forms of phishing include:
As AI and other tools continue to evolve, phishing schemes are becoming more sophisticated and harder to detect.
Yes, phishing is illegal under both federal and state laws. Some states have criminal statutes aimed specifically at phishing, while others—and federal law—generally rely on broader fraud, theft, and computer crime statutes.
Importantly, a person can be convicted of a phishing crime even if no one responds to the message, no information is ever handed over, and no financial loss occurs. The crime is complete the moment a fraudulent communication is sent with the intent to deceive.
Several states also allow civil lawsuits under consumer protection laws, including California, Florida, and New York.
(Cal. Bus. & Prof. Code §§ 22948 to 22948.3; Fla. Stat. §§ 668.701 to 668.705; N.Y. Gen. Bus. Law § 390-b (2026).)
As noted above, state laws vary widely in how they handle phishing—some target it directly, while others prosecute it under more general criminal statutes. In either case, phishing is a crime in every state, and felony charges are common.
In states with phishing-specific laws, prosecutors must generally prove the following:
Many states impose felony penalties for phishing offenses, which can include prison time, fines, and restitution to victims.
Not all states use the word "phishing" in their laws. Minnesota, for example, calls it the "crime of electronic use of false pretense to obtain identity," while Virginia refers to it as "using a computer to gather identifying information."
(Ala. Code § 13A-8-114; Ga. Code § 16-9-109.1; Minn. Stat. § 609.527; Va. Code § 18.2-152.5:1 (2026).)
In states without phishing-specific laws, prosecutors can charge defendants under identity theft, general theft, online impersonation, computer fraud, or similar statutes. Here's how each applies:
Identity theft covers obtaining another person's personal information with the intent to harm or defraud them.
Theft laws often include obtaining property through false pretenses, swindling, or any deceptive means—and many apply even when no money or property is ultimately stolen.
Online impersonation generally applies when someone uses another person's or business's identity, without authorization and with intent to defraud, to make communications appear legitimate.
Computer fraud covers using a computer system to commit fraud or theft.
Penalties vary by state and offense. Identity theft charges may be based on the number of victims targeted or harmed or on the total financial loss caused. Theft penalties often increase as the amount of harm increases or are based on the type of act involved. Online impersonation and computer fraud can be charged as either misdemeanors or felonies depending on the circumstances.
Federal prosecutors have several statutes at their disposal when prosecuting phishing schemes. Many fall under the broad category of cybercrimes.
The federal identity fraud law directly criminalizes using, transferring, or possessing another person's identifying information without lawful authority. A conviction can result in up to 15 years in federal prison, depending on the circumstances. (18 U.S.C. § 1028 (2026).)
When phishing involves unauthorized access to protected computer systems or accounts, prosecutors can charge a defendant under the Computer Fraud and Abuse Act. A conviction carries up to 20 years in prison. (18 U.S.C. § 1030 (2026).)
Wire fraud occurs when someone intentionally uses an interstate communication—such as a phone call, email, or website—as part of a scheme to defraud another person. Because phishing relies on electronic or internet communications, wire fraud is frequently charged in phishing cases. Each count carries up to 20 years in federal prison—and because each individual communication can be charged as a separate count, sentencing exposure can multiply quickly. (18 U.S.C. § 1343 (2026).)
Aggravated identity theft involves using or possessing someone's identifying information in connection with a felony-level qualifying offense—a category that includes wire fraud and computer fraud. A conviction under this statute carries a mandatory two-year prison sentence that runs consecutively, meaning it is added on top of any other sentence the defendant receives. (18 U.S.C. § 1028A (2026).)
If you believe you've fallen victim to a phishing scam, act quickly to minimize the damage. Here are some actions to consider:
Most of these steps can be completed on your own. You may also want to file a police report with your local department. If the financial or personal damage is significant, consider consulting an attorney about your legal options.
Phishing charges—especially at the federal level—are serious and move fast. If you're under investigation or have been charged with phishing or a related identity theft or fraud crime, contact an experienced criminal defense attorney as soon as possible. For federal charges, look for a lawyer who specifically handles cases in federal court.