Phishing
What is phishing?
Phishing is a form of fraud in which an offender impersonates a trusted person, institution, or service in order to obtain information, money, or access to systems. In practice, phishing usually involves deceptive emails, text messages, phone calls, social media messages, or fake websites designed to convince the recipient to disclose passwords, banking data, identification details, or security codes, or to open a malicious attachment or click a harmful link.
From a legal and compliance perspective, phishing is not only a technical incident. It may involve fraud, identity theft, unauthorized access to IT systems, unlawful processing of personal data, forgery-related conduct, and offences affecting property or the security of information. Depending on the facts, one phishing campaign may trigger criminal, civil, regulatory, and contractual consequences at the same time.
Phishing attacks are often carefully prepared. The sender may use branding, domain names, signatures, and language that resemble legitimate communication from a bank, courier company, public authority, employer, or business partner. More sophisticated forms, such as spear phishing, are directed at a specific person or department, for example finance, HR, or senior management. Their purpose is usually to bypass normal verification procedures and create a false sense of urgency, confidentiality, or authority.
How does phishing work in practice?
A typical phishing scenario starts with a message that appears genuine and requests immediate action – logging in, confirming payment data, updating an account, opening an invoice, or verifying identity. The recipient is redirected to a fake website or persuaded to provide information directly in a reply or during a phone conversation. In other cases, the message contains malware that enables further compromise of the device or company network.
Phishing may affect both individuals and businesses. Private persons may lose funds, access to email accounts, social media profiles, or online banking. Companies may face unauthorized transfers, leakage of confidential information, disruption of operations, loss of trade secrets, and data protection incidents. Where personal data are exposed, the event may also require legal assessment under privacy and cybersecurity rules, internal reporting, and notification to competent authorities or affected persons.
In business environments, phishing is frequently connected with business email compromise, invoice fraud, payroll diversion, and unauthorized payment instructions. Even where the technical intrusion is limited, legal exposure may be significant. Questions often arise as to internal negligence, adequacy of security measures, employee conduct, contractual allocation of risk, insurer notification, and possible recovery of transferred funds.
When is legal assistance advisable in a phishing case?
Legal assistance is advisable both immediately after a phishing incident and at the preventive stage. If phishing has already occurred, time is critical. Early action may help secure evidence, reduce financial loss, assess reporting obligations, support communication with banks and service providers, and determine whether the matter should be reported to law enforcement or other authorities. In some cases, prompt legal and technical coordination improves the chances of blocking transactions or limiting further misuse of stolen data.
For individuals, legal support may be needed when money has been transferred as a result of deception, accounts have been taken over, identity documents or personal data have been misused, or a person has become involved in proceedings as an injured party. For entrepreneurs, legal assistance is often necessary when phishing affects employees, management accounts, customer data, supplier communications, or internal approval procedures.
Support may also be important where the phishing event leads to broader legal consequences – for example, disputes with a bank, claims between contractual parties, allegations of insufficient organizational safeguards, or concerns related to criminal liability of the perpetrators and evidentiary strategy. In cross-border matters, additional issues may arise regarding jurisdiction, language of evidence, service providers located abroad, and international cooperation.
A quick consultation with a lawyer may help avoid secondary mistakes, such as destroying evidence, making inaccurate notifications, admitting facts without verification, failing to secure internal records, or delaying action against unauthorized transfers. Early legal review can also reduce the risk of avoidable disputes, liability, regulatory exposure, or financial loss.
Law firm support in matters related to phishing may include in particular:
- assessment of the legal nature of the incident and the available response options,
- support in preparing notifications to law enforcement authorities and other institutions,
- assistance in securing and organizing evidence for criminal or civil proceedings,
- analysis of liability risks affecting individuals, board members, and employees,
- advice on disputes with banks, payment institutions, contractors, or insurers,
- support in matters involving personal data, confidentiality, and internal compliance procedures,
- preparation of internal policies and response protocols intended to reduce phishing risk.