Anti-Phishing Laws & Regulations

August 30, 2017 by

Information security has never been more important. New threats are rising and old threats still lurk. Data has become the new currency and hackers have switched from targeting the financial aspects of their victims to stealing information, although cash is still sought as well. All types of information have value to hackers, whether we’re talking about trade secrets, company financial information, consumer financial data, or even health records. All of it can be sold to the highest bidder.

In their quest to gain access to this valuable data, hackers have developed a broad suite of tools and capabilities. However, none approaches the widespread use (and significant effectiveness) of phishing.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.

What Is Phishing?

Phishing is a means of attack – a way for scammers to penetrate your business or organization’s defenses and strike at your weakest links. That would be your employees. Humans are always the weakest link any security strategy.

According to Indiana University, “Phishing scams are typically fraudulent email messages appearing to come from legitimate enterprises (e.g., your university, your Internet service provider, your bank). These messages usually direct you to a spoofed website or otherwise get you to divulge private information (e.g. passphrase, credit card or other account updates). The perpetrators then use this private information to commit identity theft.”

Phishing scams come in many different forms. Some are designed to incite panic in the recipient. For instance, you receive an email that seems to be from your bank, stating that your account has been locked for fraudulent activity and containing a link you can use to rectify the situation. If you click that link, it will take you to a spoofed version of your bank’s website, where you are asked to enter your account number and password. Once you do, that information is in the hands of the attackers, who can access your account(s) at will.

However, not all phishing emails are designed to make recipients panic. Some seem to come from a higher-up within the organization and contain a request for specific information. These attacks are not limited to email, either. They can occur through social networks, or even by phone in some instances.

Startling Phishing Statistics

Phishing and related activities like spear-phishing and whaling have grown significantly in recent years. If you’re not familiar with them, let’s define those terms briefly. Phishing is a crime in which a criminal targets an individual or business through email, on the phone, or through text in an effort to steal credentials that can give them access to further information or systems. Spear-phishing is the same concept, but applied to specific individuals within an organization. Whaling is a phishing attack targeted against an executive or some other prominent individual. Below, you’ll find a few eye-opening statistics concerning phishing and its growing prevalence in the world.

  • According to Symantec, one of every 131 emails sent in 2016 contained malware.
  • Business email compromise (BEC) attacks were directed at over 400 businesses every single day. Note that BEC attacks rely on spear-phishing to be successful.
  • APWG News noted that there were over 250,000 unique phishing attacks around the world in 2016, marking an increase of 10% over the previous year.
  • 37% of European businesses admit their executives have fallen victim to phishing attacks.
  • According to ITSP Magazine, government, retail, and technology were the three most targeted industries, accounting for 95% of breached records in 2016.
  • 62% of companies worldwide have experienced phishing or social engineering attacks.

Those are startling numbers. What’s being done about the rise of phishing? Actually, a great deal has been done and is being done, including the adoption of anti-phishing laws and regulations. Understanding these can help ensure you’re able to safeguard your business.

Understanding Anti-Phishing Laws and Regulations

Before we go too much further, understand that there is currently no specific federal legislation pertaining strictly to phishing activities. Originally, the Anti-Phishing Act of 2004 and the Anti-Phishing Act of 2005 would have imposed steeper penalties on those convicted of phishing activities, but the bills ultimately died in a subcommittee and were never enacted. What did the bills propose?

According to the bill’s summary on, it would have had the following effects:

Anti-phishing Act of 2005 - Amends the Federal criminal code to criminalize Internet scams involving fraudulently obtaining personal information (phishing).

Imposes a fine or imprisonment for up to five years, or both, for a person who knowingly and with the intent to engage in an activity constituting fraud or identity theft under Federal or State law: (1) creates or procures the creation of a website or domain name that represents itself as a legitimate online business without the authority or approval of the registered owner of such business; and (2) uses that website or domain name to solicit means of identification from any person.

Imposes a fine or imprisonment for up to five years, or both, for a person who knowingly and with the intent to engage in activity constituting fraud or identity theft under Federal or State law sends an electronic mail message that: (1) falsely represents itself as being sent by a legitimate online business; (2) includes an Internet location tool referring or linking users to an online location on the World Wide Web that falsely purports to belong to or be associated with a legitimate online business; and (3) solicits means of identification from the recipient.

However, as noted, the bill ultimately died in committee and was never passed into law. With that being said, the federal government still possesses the power to punish those found guilty of phishing activities through other means.


The Controlling the Assault of Non-Solicited Pornography and Marketing Act, or CAN-SPAM, passed in 2003 provides the ability to address some threats, although it does not mention phishing by name.

18 U.S.C. Section 1028

Again, this legislation does not mention phishing specifically, but it does cover topics such as identity theft and other related fraudulent crimes. These could be used to prosecute those charged with phishing.

State-Level Legislation

While the federal government might be slow in adopting phishing-specific legislation, many states already have such laws on the books. There are 23 states with anti-phishing laws, plus Guam. These are listed below. Links to all relevant legal codes can be found at the National Conference of State Legislatures.

  • Alabama
  • Arkansas
  • Arizona
  • California
  • Connecticut
  • Florida
  • Georgia
  • Illinois
  • Kentucky
  • Louisiana
  • Michigan
  • Minnesota
  • Montana
  • New Mexico
  • New York
  • Oklahoma
  • Oregon
  • Rhode Island
  • Tennessee
  • Texas
  • Utah
  • Virginia
  • Washington
  • Guam

Don’t see your state listed? Contact your state representative and find out what’s being done at the state level to curb the rise of phishing attacks. However, note that many other states do have laws that specifically address Internet-related crimes, identity theft and the like, but do not specifically have “anti-phishing” laws per se.

The first state to pass stringent anti-phishing laws was California, and many of the states that eventually passed similar legislation followed California’s lead. What does California’s anti-phishing law look like?

  • It is called the Anti-Phishing Act of 2005 (identical naming to the failed federal bill that died in committee).
  • It makes it illegal for anyone to use a website, email or other Internet-based method to “solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.”
  • Note that “identifying information” in the state of California includes the following items:
    • Social Security number
    • Driver’s license number
    • Bank account number
    • Credit/debit card numbers
    • PINs
    • Electronic signatures
    • Biometric data
    • Account passwords
    • “Any other piece of information that can be used to access an individual’s financial accounts or to obtain goods or services.”

Note that you can read the summary of the entire bill at the California Legislature website. In terms of damages sought, those injured by phishing scams (or other Internet-related fraud) can seek up to $500,000 per incident, or the actual cost of the damages, whichever is greater.

Other Federal Laws Pertaining to Phishing

While there are currently no federal laws aimed specifically at phishing, there are regulations that address security concerns that leave businesses and organizations in danger of being victimized by phishing and related crimes.


The Health Insurance Portability and Accountability Act applies to any and all businesses and organizations that deal with patient health records in any way. Hospitals and doctors’ offices fall under these regulations, but so do other businesses, such as records clearing houses, insurance companies, and even warehouses where physical records might be stored.

The act is wide-ranging, but one of the most important requirements of these regulations is that organizations that fall under its auspices must create, enact, and maintain security awareness programs. Such a program educates employees, contractors, and others within the organization about how to identify potential threats, and how to avoid them, safeguarding patient information, as well as company data.


The Sarbanes-Oxley Act (SOX) was originally aimed at holding both public and private businesses accountable for their financial reporting. However, it has implications for the storage, use, and destruction of records that contain consumer financial information. This act applies to all public businesses, regardless of industry or specialization, as well as to most privately-owned companies in the US. While there is no mention specifically of email security in SOX, provisions 302 and 404 both deal with email security and compliance policy, which would affect an organization’s vulnerability to phishing and related attacks.


The Payment Card Industry Data Security Standard (PCI-DSS) is an industry regulation, not one created by the federal government. It applies to any business or organization that accepts credit /debit cards as payment or deals with consumer credit card information in any way. Like HIPAA, PCI-DSS requires that organizations and businesses create a security awareness program that helps to educate and train employees, managers, and executives on best practices and how to prevent theft of consumer financial information.

The Risks of Phishing

While phishing laws and regulations impose penalties on businesses and organizations for not taking mandated actions or instituting appropriate safeguards, it’s important that business owners, decision makers, and executives focus on the most at-risk elements when it comes to phishing.

We’re speaking about your people – the human element is always the one that causes the most risk of a business being the victim of a phishing attack. This is the reason that phishing, spear-phishing, and whaling attacks are directed against individuals. Human beings are fallible. They’re gullible. All too often, they believe that they know the signs to watch for that might indicate an attack, but they actually do not. Almost all national and industry phishing laws and regulations include a stipulation that businesses and organizations must create, implement, and maintain a security awareness training program.

The problem with many existing programs is that they do not result in good retention rates. Video-based lessons generally result in only 20% information retention. This is definitely not good enough. Anyone completing such a program could very easily still fall victim of a phishing attack.

A better option is hands-on training, complete with realistic phishing emails. With our PhishSim platform, you can use premade phishing templates or create your own to test your employees, executives, managers, and contractors. All tests are completely realistic and our PhishReporter feature allows you to track actual suspicious emails that your staff members encounter on a regular basis.

We also offer AwareEd, a full-fledged security awareness training program that focuses on the myriad of threats that businesses face today by using gamified interactive training modules.

Ready to protect your business against phishing and other attacks? Contact us at InfoSec Institute today to learn more about the powerful educational and training tools we make available.


See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.