Custom phishing emails - legal aspects regarding logo use

  • 5 February 2020
  • 1 reply

Userlevel 5

Afternoon all,

just wondering if anyone in Australia or New Zealand has encountered issues around logo use etc when creating phishing emails. 

It seems that fair use etc may allow some use (according to a few US articles), but we don’t want to inadvertently damage anyone’s reputation if an email makes it to social media etc. 

All links going to an obvious education page etc should make things OK within target clients, but I am still concerned about any potential blow-back on us, our clients and the companies if we use a logo etc. without prior approval. 

I know the bad people don’t care as I’ve just seen a bank phishing attempt that was very well put together and a fake invoice email trail complete with payment request, but actively approaching a company and explaining what we are doing and asking for permission to use their intellectual property is (in my mind) impractical, especially when considering a multi-national with probably more important things on their mind.

We will be approaching our lawyers for an official opinion, this is just a feeler for other people’s experiences, if any.

Yes, we will be talking to our lawyers in the near future.


1 reply

In my eyes, if the client is paying you for this training service then they are accepting the fact that you are going to make it as realistic as possible. If you want to be cautious I would just write up a section in the payment agreement stating that official logos may be used to provide realism. 

Since Webroot itself has templates based on O365 logins and such I don’t see it being an issue with the actual companies because realistically no one is ever going to know unless your client is for some reason forwarding these phishing emails to those perspective company security teams.


All in all, I see no reason to worry about it but you can see what your lawyer says.