What Is Phishing? What Are the Laws on Phishing?

The crime of phishing occurs when a person sends an e-mail, text message, or other communication to someone else in an attempt to convince the recipient to reveal sensitive personal information.

Updated January 03, 2023

The crime of phishing occurs when a person sends an e-mail, text message, or other communication to someone else in an attempt to convince the recipient to reveal sensitive personal information. Phishing scams attempt to conceal the fraudulent nature of the message by portraying it as some sort of official communication. For example, someone engaging in a phishing scam might send out a mass e-mail that looks as if it originated from a well-known company, such as eBay or Bank of America, or from a government agency, such as the Federal Trade Commission.

Beware of COVID-19 Scams

In response to stay-at-home orders and social distancing requirements, Americans quickly shifted to conducting their daily activities online. Moving online allows us to work, go to school, and keep in touch with family and friends. But it also opened up opportunities for online hackers and scammers to exploit cybersecurity weaknesses and fears created by the pandemic.

The Federal Bureau of Investigation (FBI) reports experiencing a significant increase in the number of complaints filed with its Internet Crime Complaint Center (ic3.gov) during the COVID-19 pandemic—from identity theft and employment fraud schemes to online extortion and business email compromise. If you've been the victim of an Internet crime, you can file a complaint with your local police department or at ic3.gov.

For more information on how to avoid COVID-19 scams, read How to Identify and Avoid Coronavirus Scams.

Phishing

Phishing messages ask the recipient to send sensitive information, such as the person's name, date of birth, Social Security number, account passwords, personal identification numbers, and anything else a criminal can use to commit identity theft. The end goal of these phishing scams is to acquire information the criminal can use to open fraudulent accounts in the victim's name, or otherwise fraudulently access or use the victim's identity for financial gain.

Identity Theft

Phishing is really just one type of a broader category of crime known as identity theft. Identity theft covers any instance where someone attempts to use someone else's personal information in a fraudulent or illegal manner, though phishing scams are very common.

Knowing and Intentional

Phishing occurs when someone intentionally tries to obtain sensitive information by using fraudulent or misleading communications. If, for example, you send someone an e-mail message and that person responds with a message that includes personal information, this doesn't mean you have committed phishing. To be found guilty of this crime you must intentionally solicit the sensitive information by portraying yourself to be someone you are not, with the intention to defraud the message's recipient.

For example, if you run a small business and send an e-mail to a customer asking for his or her credit card number, this is not phishing. However, if you pretend to be a representative of a bank or a government agency and you are not, that is phishing.

Websites

Phishing laws also apply to websites that are set up to acquire sensitive information. For example, an email might direct people to visit a website that asks them to enter their names, social security numbers, and bank account numbers. These websites are designed to look like legitimate websites, such as those owned by a bank or company. Anyone creating or operating a site is also guilty of phishing.

Attempt and Acquisition

Like other forms of identity theft, phishing does not rely upon a successful attempt. In other words, you can be convicted of phishing if you send out an e-mail simply in an attempt to persuade others to provide you with the desired information. The person who receives the message does not have to respond to you, and even if a response is sent, you do not have to use the sensitive information to be convicted of phishing.

State Laws

While all states have laws that prohibit fraudulently acquiring someone else's personal information, not all states have laws that specifically address phishing. According to the National Conference of State Legislatures, a minority of states currently have specific phishing laws. However, even in those states that do not have specific phishing laws, other criminal laws can apply to phishing activity (computer crimes, identity theft), meaning the activity is a crime in every state. States without these laws may also adapt phishing laws as the crime becomes more common.

Federal Laws

While phishing is covered under various state laws, there is no single federal statute that directly criminalizes this type of activity. However, there are broader federal criminal laws that do apply to phishing and other identity theft crimes. For example, because phishing involves solicitations that are usually sent over the Internet, the federal law against wire fraud is often used to punish phishing crime on a federal level.

Penalties

The penalty for a phishing crime depends greatly on the nature of the circumstances surrounding the case. State laws differ significantly, and while most laws that specifically target phishing categorize the crime as a felony, some of these crimes might be punished as a misdemeanor or felony in other states. Misdemeanors are considered less serious than felonies, though a conviction for either brings the possibility of significant criminal penalties.

Jail or prison. A phishing conviction can easily result in a year or more in prison if you're convicted of a felony. Laws differ widely, but penalties of up to five years in prison are possible with felony convictions. Misdemeanor convictions can result in up to a year in jail.
Fines. Being convicted of a phishing crime can also lead to a significant fine. Misdemeanor fines typically do not exceed a couple of thousand dollars, while felony fines can be as much as $10,000 or more per offense.
Restitution. If the phishing activity resulted in a victim losing money the court will impose a restitution order. This order requires you to pay the victim to compensate for the loss. The amount of restitution will differ from case to case, but they are always made in addition to any fines imposed.
Probation. A phishing conviction can also result in a probation sentence, especially where a person has not been convicted of crimes before. Probation typically lasts from 1 to 3 years, though in some cases it might last longer. When you are on probation you have to comply with specific probation terms. These terms can often differ, but usually include such requirements as regularly reporting to probation officer, maintaining employment, paying all required fines and restitution, and not committing any more crimes while you are on probation.

Talk to an Attorney

If you are charged with, or suspected of, a phishing crime, you should consult with an experienced criminal defense attorney near you. Local attorneys will know what laws apply in your case and can advise you what to do based on their experience with the local criminal justice system.

DEFEND YOUR RIGHTS

Talk to a Defense attorney

We've helped 95 clients find attorneys today.

Full Name

Full Name is required

Email

Email is required

Please enter a valid Email

Phone

Phone Number is required

Please enter a valid Phone Number

Zip Code

Zip Code is required

Please add a valid Zip Code

Please enter a valid Case Description

Description is required

By submitting this form I agree to the Terms of Use and Privacy Policy and consent to be contacted by Martindale-Nolo and its affiliates, and up to three attorneys regarding this request and to receiving relevant marketing messages by automated means, text and/or prerecorded messages at the number provided. Consent is not required as a condition of service,

Click here

to agree without providing consent to be contacted by automated means, text and/or prerecorded messages. Rates may apply.

You should not send any sensitive or confidential information through this site. Any information sent through this site does not create an attorney-client relationship and may not be treated as privileged or confidential. The lawyer or law firm you are contacting is not required to, and may choose not to, accept you as a client. The Internet is not necessarily secure and emails sent through this site could be intercepted or read by third parties.

How It Works

Briefly tell us about your case
Provide your contact information
Choose attorneys to contact you

Copyright ©2023 MH Sub I, LLC dba Nolo ® Self-help services may not be permitted in all states. The information provided on this site is not legal advice, does not constitute a lawyer referral service, and no attorney-client or confidential relationship is or will be formed by use of the site. The attorney listings on this site are paid attorney advertising. In some states, the information on this website may be considered a lawyer referral service. Please reference the Terms of Use and the Supplemental Terms for specific information related to your state. Your use of this website constitutes acceptance of the Terms of Use, Supplemental Terms, Privacy Policy and Cookie Policy. Do Not Sell or Share My Personal Information

Phishing: Sentencing and Penalties