Phishing Legal Consequences and Penalties
There is no federal statute named "phishing"; instead, phishing is prosecuted in the United States under several general fraud, computer-crime, and identity-theft statutes, and violators face severe penalties under each. The FBI's Internet Crime Complaint Center (IC3) documented over $16 billion in reported cybercrime losses in 2024, and law enforcement has intensified prosecution efforts. Understanding the legal framework serves two purposes: it deters potential offenders, and it helps victims understand the mechanisms available for pursuing justice.
Federal Laws Covering Phishing
Computer Fraud and Abuse Act (CFAA, 18 U.S.C. 1030)
The primary federal computer-crime statute. Phishing typically violates the CFAA when stolen credentials are used to access a victim's account or system without authorization (1030(a)(2)) or when that access furthers a fraud (1030(a)(4)). Sending the lure by itself is usually charged as wire fraud rather than under the CFAA.
- Penalties: Up to 5 years for a first offense of unauthorized access in furtherance of fraud; up to 10 years for a repeat offense. The 20-year maximum applies only to damage offenses that cause or attempt serious bodily injury (life imprisonment if death results)
- Aggravating factors: Government or critical-infrastructure computers, prior convictions, commission in furtherance of another crime, or information obtained worth more than $5,000 raise the available maximum
- Civil liability: 1030(g) gives victims a private right of action for compensatory damages and injunctive relief, generally conditioned on at least $5,000 in aggregate loss within a one-year period; the statute itself does not award attorney fees
Wire Fraud (18 U.S.C. 1343)
Phishing that uses interstate electronic communications (email, web, SMS) to execute a scheme to obtain money or property by deception. Virtually all financially motivated phishing qualifies, which is why wire fraud is the most common charge in these cases.
- Penalties: Up to 20 years imprisonment per count
- If the scheme affects a financial institution (or is tied to a declared disaster or emergency): Up to 30 years and a $1 million fine per count
- Each phishing email can constitute a separate count
Identity Theft and Aggravated Identity Theft (18 U.S.C. 1028 and 1028A)
Phishing that obtains or uses another person's means of identification (names, Social Security numbers, account numbers, credentials) triggers identity theft charges.
- Identity theft (1028): Up to 15 years; up to 20 years when connected to drug trafficking or a crime of violence, and up to 30 years when connected to terrorism
- Aggravated identity theft (1028A): A mandatory 2-year sentence added to the sentence for the underlying felony (5 years for terrorism-related offenses). It must run consecutively; courts cannot make it concurrent with the underlying sentence
CAN-SPAM Act (18 U.S.C. 1037)
CAN-SPAM's criminal provisions reach phishing campaigns that send multiple commercial emails with materially false or misleading header information, that are sent through computers accessed without authorization, or that use falsely registered domains or accounts. Because 1037 is limited to "commercial" messages and carries low maximums, prosecutors typically pair it with wire fraud or identity theft charges rather than rely on it alone.
- Criminal penalties: Up to 1 year for a basic violation; up to 3 years for unauthorized access or high-volume sending (for example, more than 2,500 messages in a day or 25,000 in a year); up to 5 years when committed in furtherance of another felony or by a repeat offender
- Civil enforcement: The FTC and state attorneys general can also bring civil actions under the separate civil provisions (15 U.S.C. 7706)
Bank Fraud (18 U.S.C. 1344)
Phishing targeting financial institution customers or involving unauthorized access to bank accounts.
- Penalties: Up to 30 years imprisonment and $1 million fine
State-Level Phishing Laws
Most states have their own computer crime and identity theft statutes, and a smaller number have enacted phishing-specific legislation. Representative statutes used against phishing:
| State | Law | Key Provisions |
|---|---|---|
| California | Penal Code 530.5 | Identity theft via phishing; up to 3 years |
| New York | Penal Law 190.78-190.84 | Identity theft graduated by severity |
| Texas | Penal Code 33.07 | Online impersonation; third-degree felony |
| Florida | F.S. 817.568 | Criminal use of personal ID; up to 30 years |
| Virginia | Code 18.2-152.5:1 | Using a computer to gather identifying information (phishing-specific); Class 6 felony, Class 5 if the information is sold or distributed |
Most of the statutes above are general identity theft or computer fraud laws; Virginia's 18.2-152.5:1 and California's Anti-Phishing Act of 2005 (Business and Professions Code 22948, a civil statute) are examples of laws written specifically for phishing. State charges can be filed in addition to federal charges, and many phishing cases involve prosecution at both levels.
International Legal Framework
Phishing is prosecuted internationally under various frameworks:
- Budapest Convention on Cybercrime: Council of Europe treaty with more than 60 state parties (including the United States) establishing a shared framework for criminalizing cybercrime, preserving evidence, and cross-border mutual legal assistance
- EU Directive 2013/40/EU on Attacks Against Information Systems: Sets minimum criminal penalties for illegal access, interference, and interception across EU member states
- UK Computer Misuse Act 1990: Unauthorised access (section 1) carries up to 2 years; unauthorised acts impairing a computer (section 3) up to 10 years. The fraud element of phishing is usually charged separately under the Fraud Act 2006, which also carries up to 10 years
- Australia Criminal Code Act 1995 (Part 10.7): Computer offences carrying up to 10 years, alongside dishonesty offences used for the fraud element
The FBI and international law enforcement regularly conduct joint operations against phishing networks.
Prosecution in Practice
How Phishers Get Caught
- IC3 reporting: Victim reports to IC3 provide leads for investigations
- Financial trail: Wire transfers, cryptocurrency transactions, and money mule networks leave traceable paths
- Infrastructure analysis: Phishing forensics trace domains, IPs, and hosting to operators
- Collaboration: International law enforcement cooperation (Europol, Interpol, Five Eyes)
- Informants: Participants in phishing operations cooperate with prosecutors
Notable Prosecutions
Federal prosecutors have secured significant convictions in phishing cases:
- BEC operations resulting in tens of millions in losses have led to sentences of 10-20+ years
- International phishing ring takedowns have resulted in dozens of arrests across multiple countries
- Romance scam networks conducting phishing have been prosecuted under RICO statutes
Sentencing Factors
Federal sentencing guidelines consider:
- Total financial losses to victims
- Number of victims affected
- Sophistication of the operation
- Role in the organization (leader vs. money mule)
- Prior criminal history
- Cooperation with authorities
Legal Rights for Victims
Criminal Restitution
Federal courts routinely order restitution, requiring convicted phishers to repay victims. Under the Mandatory Victims Restitution Act (18 U.S.C. 3663A), restitution is mandatory for fraud and other property offenses, including wire fraud and identity theft. In practice, recovery depends on the defendant's assets, and victims of offshore operators often collect little.
Civil Remedies
Victims can pursue civil litigation independently of criminal prosecution:
- CFAA private right of action for damages
- State consumer protection statutes
- Common law fraud and negligence claims
- Class action suits for large-scale breaches resulting from phishing
Identity Theft Recovery
If phishing led to identity theft:
- File a report at identitytheft.gov for a personalized recovery plan
- Place fraud alerts with credit bureaus
- Review and dispute unauthorized accounts
- File police reports in your jurisdiction
- See our credential compromise checklist for immediate steps
Organizational Liability
Organizations that suffer phishing breaches may face:
- Regulatory penalties: HIPAA, GLBA, SEC disclosure rules, and state data breach notification laws
- Contractual penalties: PCI DSS is a contractual standard rather than a law, but card brands can assess fines and higher fees through the acquiring bank after a breach of cardholder data
- Class action lawsuits: From customers and employees whose data was exposed
- Contractual liability: Breach of data protection obligations to business partners
- Insurance implications: Cyber insurance may deny claims if basic controls were absent
Implementing DMARC at an enforcing policy, phishing-resistant MFA, and security training helps demonstrate the "reasonable security measures" that regulators, courts, and insurers look for. No single control creates a legal safe harbor, and regulators will ask whether the control was actually enforced (for example, a DMARC record at p=none monitors but blocks nothing).
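The following is an added example, not code from the original article: it classifies a domain's DMARC record as invalid, monitor-only, partially enforcing, or enforcing, so a defender can verify that the control a liability argument rests on is actually in effect. The record strings and domain names are constructed for the demonstration; for a live check, fetch the TXT record at `_dmarc.<domain>` with your resolver and pass it to `assess_dmarc()`. Tag semantics follow RFC 7489 section 6.3.

```python
"""DMARC policy strength check (added example, not from the original article).

Works offline on constructed TXT record strings. For a live check, fetch the
TXT record at _dmarc.<domain> with your resolver and pass it to assess_dmarc().
Tag semantics follow RFC 7489 section 6.3.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = ("none", "quarantine", "reject")


@dataclass
class DmarcAssessment:
    valid: bool
    policy: Optional[str]
    subdomain_policy: Optional[str]
    pct: int
    reporting: bool        # True when an rua= aggregate-report address is present
    level: str             # "invalid", "monitor-only", "partial" or "enforcing"
    findings: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:x' into a lower-cased tag dict.

    Elements without '=' are skipped rather than rejected, mirroring the
    lenient parsing most receivers apply.
    """
    tags: Dict[str, str] = {}
    for element in record.split(";"):
        element = element.strip()
        if not element or "=" not in element:
            continue
        key, _, value = element.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Classify a DMARC record as invalid, monitor-only, partial or enforcing."""
    if record is None:
        return DmarcAssessment(False, None, None, 0, False, "invalid",
                               ["no _dmarc TXT record published"])

    tags = parse_dmarc(record)
    findings: List[str] = []

    # v=DMARC1 must be the first tag; receivers ignore the record otherwise.
    first = record.split(";", 1)[0].strip().replace(" ", "")
    if first.lower() != "v=dmarc1":
        findings.append("record must start with v=DMARC1")
        return DmarcAssessment(False, None, None, 0, False, "invalid", findings)

    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        findings.append(f"missing or unknown p= tag: {policy!r}")
        return DmarcAssessment(False, policy or None, None, 0, False, "invalid", findings)

    # Subdomain policy defaults to the organizational policy when sp= is absent.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        findings.append(f"unknown sp= value {sub_policy!r}; treating as p")
        sub_policy = policy

    # pct= defaults to 100; a malformed value is treated as 100 and flagged.
    pct_raw = tags.get("pct", "100")
    try:
        pct = int(pct_raw)
        if not 0 <= pct <= 100:
            raise ValueError
    except ValueError:
        findings.append(f"malformed pct= value {pct_raw!r}; assuming 100")
        pct = 100

    reporting = "rua" in tags
    if not reporting:
        findings.append("no rua= address: no aggregate reports, so abuse of the domain goes unseen")

    if policy == "none":
        level = "monitor-only"
        findings.append("p=none only requests reports; spoofed mail is still delivered")
    elif pct < 100:
        level = "partial"
        findings.append(f"pct={pct}: only {pct}% of failing mail is subject to {policy}")
    else:
        level = "enforcing"

    if policy != "none" and sub_policy == "none":
        findings.append("sp=none leaves subdomains spoofable even though p is enforcing")

    return DmarcAssessment(True, policy, sub_policy, pct, reporting, level, findings)


# Constructed records (hypothetical domains): weak, partial, enforcing, enforcing with a subdomain gap, absent.
SAMPLE_RECORDS = {
    "weak.example":    "v=DMARC1; p=none; rua=mailto:dmarc@weak.example",
    "partial.example": "v=DMARC1; p=quarantine; pct=20; rua=mailto:dmarc@partial.example",
    "strong.example":  "v=DMARC1; p=reject; rua=mailto:dmarc@strong.example",
    "gap.example":     "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@gap.example",
    "absent.example":  None,
}

if __name__ == "__main__":
    for domain, record in SAMPLE_RECORDS.items():
        result = assess_dmarc(record)
        print(f"{domain:18} {result.level:12} {'; '.join(result.findings) or 'ok'}")
```

Only `enforcing` with an empty findings list indicates the control is fully in effect; `monitor-only` records are the common case where an organization believes it "has DMARC" but spoofed mail from its domain is still delivered.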
Key Takeaways
- Phishing is prosecuted as a federal crime under the CFAA, wire fraud, bank fraud, and identity theft statutes, with maximums up to 30 years per count
- Each phishing email can constitute a separate wire fraud count
- State laws add additional criminal liability on top of federal charges
- Victim reporting to IC3 directly contributes to investigations and prosecutions
- Victims have both criminal restitution and civil litigation options for recovery
- Organizations face regulatory penalties and lawsuits for failing to implement reasonable phishing defenses
For the complete phishing defense framework, see our phishing recognition and reporting guide.
Sources
- FBI IC3 2024 Internet Crime Report
- CISA Phishing Guidance: Stopping the Attack Cycle at Phase One
- NIST Cybersecurity Framework 2.0
This content is for educational purposes only and does not constitute legal advice. Consult a qualified attorney for guidance on specific legal matters related to phishing, cybercrime, or data breach liability.