Phishing is an umbrella term for digital deception in which an attacker deliberately presents as a trusted party in order to induce a recipient to disclose confidential information or to perform an action that causes financial or operational harm. A defining feature is that the interaction is engineered to bypass ordinary vigilance: a familiar visual identity, a credible sender name, contextual references that align with current events or internal processes, and wording designed to convey legitimacy. The objective ranges from obtaining login credentials and verification codes to initiating payments, modifying supplier details, or prompting the installation of malicious software. The manifestations evolve continuously, partly because attackers adapt to changing communication channels and defensive controls. As a result, any factual assessment must repeatedly be tailored to the specific modus operandi, the infrastructure deployed, and the conduct attributable to the relevant individuals.
The legal and forensic interpretation of phishing requires a clear distinction between the deceptive act, its technical implementation, and the resulting effect. In many matters, multiple links are involved: drafting a message or script, registering or abusing a domain name, hosting a counterfeit environment, collecting or forwarding data, and moving proceeds through payment flows. That division of tasks makes evidential attribution complex and creates space for debate on role, knowledge, and intent. At the same time, the assessment typically rests on objectively verifiable traces, such as log files, email headers, registrar and hosting data, transaction information, chat communications, device artefacts, and victim statements. In an environment where data protection and information security are structurally embedded in governance, a parallel assessment may also be relevant in relation to non-compliance with the GDPR, for example where victim data has been unlawfully processed, shared, or stored, or where incident response and notification obligations have fallen short.
Conceptual Boundaries and Manifestations
At its core, phishing can be described as social engineering with a digital component, aimed at obtaining access, data, or money through deception. The distinction from other forms of cybercrime does not primarily lie in technical sophistication, but in the starting point: creating a credible yet false representation of reality that leads a recipient to take a step that would otherwise not be taken. That step may involve entering usernames and passwords, sharing a one-time code, approving an authentication prompt, opening an attachment, installing an application, or executing a payment. The surrounding context is usually carefully selected, such as account security, invoicing, parcel delivery, HR processes, or internal IT notifications, with the message designed to align with routine expectations and established workflows.
The variants each have distinct characteristics and evidential indicators. Email phishing is often associated with spoofed or lookalike domains, anomalies in sender configurations, subtle misspellings in URLs, and templates closely resembling those of well-known organisations. Smishing relocates the same deception to SMS and chat platforms, frequently using shortened links and emphasising immediate action. Vishing adds telephone follow-up to resolve doubt and increase pressure, for instance by posing as a bank representative, service desk, or senior executive. Spearphishing is a targeted variant that uses information about functions, internal projects, supplier relationships, or organisational hierarchies to make the message exceptionally plausible. In practice, hybrid scenarios are common, where email, phone, and chat reinforce one another and the attack adapts dynamically to the target’s responses.
A consistent legal and factual delineation requires attention to the central question of what deceptive representation was created and what act was thereby induced. Relevant aspects include the degree of impersonation, the chosen communication channel, timing, the presence of technical components such as fake portals or reverse proxies, and the concrete benefit sought. Even where no damage has materialised, the conduct may still be relevant under criminal law, for example as preparatory acts, an attempt, or the offering of facilities that enable phishing. At the same time, the factual matrix may overlap with civil and compliance issues, such as contractual liability, duties of care in payment processes, and non-compliance with the GDPR in relation to unlawful processing of personal data in lists, panels, or datasets.
Technical Enablers and Infrastructure
The technical implementation of phishing ranges from relatively simple imitations to advanced infrastructures designed to bypass authentication and session controls. A common technique is the use of lookalike domains, where a domain name visually resembles that of a legitimate organisation through letter substitutions, added subdomains, or the use of international characters. In addition, counterfeit login portals are created that replicate the appearance and user experience of genuine environments, including branding, error messages, and redirects, so that the interaction remains credible up to and including the moment data is entered. A more advanced method involves reverse proxy set-ups that “relay” the session between user and legitimate service while simultaneously intercepting tokens or session cookies, meaning that even multi-factor authentication may be less effective where session artefacts are captured.
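The letter substitutions, added subdomains and international characters described above can be screened mechanically when triaging a suspected domain. The following Python routine is an added illustration and not part of the original text: it decodes punycode labels, maps visually confusable characters onto the ASCII letters they imitate, and reports homoglyph, near-match and added-subdomain patterns against a legitimate domain. The confusable table is a deliberately small constructed subset, `examplebank.com` is a placeholder brand, and the registrable domain is approximated as the last two labels rather than looked up in a public-suffix list.

```python
import unicodedata
from difflib import SequenceMatcher

# Constructed, deliberately small map of characters that imitate ASCII letters:
# digits and Cyrillic/Greek homoglyphs commonly seen in lookalike domains.
# A production implementation would use the full Unicode confusables data.
CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a, e, o, p
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",  # Cyrillic c, y, x, i
    "\u03bf": "o", "\u0131": "i",                                # Greek omicron, dotless i
}


def to_unicode_host(host: str) -> str:
    """Lower-case the host and decode punycode (xn--) labels to Unicode."""
    host = host.strip().lower().rstrip(".")
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already non-ASCII, or not valid IDNA: use as given


def skeleton(label: str) -> str:
    """Map a label to a 'skeleton': accents stripped and confusable characters
    replaced by the ASCII letter they imitate. Labels with equal skeletons look
    alike to a reader even when their code points differ."""
    chars = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        chars.append(CONFUSABLES.get(ch, ch))
    # Multi-character imitations: 'rn' reads as 'm', 'vv' as 'w'.
    return "".join(chars).replace("rn", "m").replace("vv", "w")


def assess_lookalike(candidate: str, legitimate: str, threshold: float = 0.8) -> dict:
    """Compare a candidate host against a legitimate domain and list the
    lookalike indicators found. Simplification: the registrable domain is the
    last two labels (no public-suffix list is consulted here)."""
    cand, legit = to_unicode_host(candidate), to_unicode_host(legitimate)
    cand_labels, legit_labels = cand.split("."), legit.split(".")
    if len(cand_labels) < 2 or len(legit_labels) < 2:
        return {"host": candidate, "decoded": cand, "verdict": "not a qualified domain name", "findings": []}
    cand_reg, legit_reg = ".".join(cand_labels[-2:]), ".".join(legit_labels[-2:])
    if cand_reg == legit_reg:
        return {"host": candidate, "decoded": cand, "verdict": "same registrable domain", "findings": []}

    findings = []
    sk_cand, sk_legit = skeleton(cand_labels[-2]), skeleton(legit_labels[-2])
    if sk_cand == sk_legit:
        findings.append("homoglyph: brand label is visually identical after confusable mapping")
    else:
        ratio = SequenceMatcher(None, sk_cand, sk_legit).ratio()
        if ratio >= threshold:
            findings.append(f"near-match: brand label similarity {ratio:.2f}")
    # Added-subdomain trick: the real brand appears left of a different registrable domain.
    if any(skeleton(lbl) == sk_legit for lbl in cand_labels[:-2]):
        findings.append("brand label used as a subdomain of a different registrable domain")
    if any(ord(ch) > 127 for ch in cand):
        findings.append("non-ASCII (IDN) characters present in the decoded host")
    verdict = "suspicious" if findings else "no lookalike indicators"
    return {"host": candidate, "decoded": cand, "verdict": verdict, "findings": findings}
```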
Infrastructure is frequently assembled from components that may appear lawful in isolation, but collectively form a deceptive system. Hosting may take place with mainstream providers, on ephemeral servers, on compromised websites, or via content delivery networks, making blocking and takedown more difficult. Domain registration may be arranged through intermediaries or under false identities, and DNS configurations can be changed rapidly to avoid detection. Attackers also misuse legitimate services for link shortening, document sharing, or form hosting, so that the link in the message appears less suspicious and reputation-based filtering is circumvented. Email infrastructure can likewise be manipulated through misconfiguration or by abusing authorised accounts, allowing messages to pass technical controls intended to prevent spoofing.
From an evidential perspective, it is important not only to establish that technical means existed, but also to link them to specific acts and individuals. Domain registration alone does not prove who actually used the domain, while server logs without context may be insufficient to infer intent. Relevant factors include timelines of creation and use, correlations between IP addresses, administrator accounts, payment details, configuration changes, and communications directing the deployment of infrastructure. Where personal data is processed as part of the infrastructure, such as captured credentials, contact lists, or victim data, a parallel assessment of non-compliance with the GDPR may be necessary, for example in relation to lawfulness, security measures, retention periods, and any personal data breach notifications by affected organisations.
Social Engineering and Behavioural Dynamics
The effectiveness of phishing is largely grounded in behavioural manipulation, using psychological triggers to suppress ordinary verification steps. Urgency is a classic driver: an “account will be locked,” a “payment must be made today,” or a “security incident requires immediate action.” Authority amplifies this effect, for example when the sender purports to be senior management, a bank, a regulator, or an IT security function. Scarcity and time pressure force rapid decisions, while fear of loss or reputational damage increases the likelihood that instructions will be followed. Communications are often tailored to organisational routines, so that actions such as “logging in,” “confirming,” or “processing an invoice” feel like normal work rather than an exceptional risk event.
Spearphishing intensifies these dynamics through personalisation and contextual credibility. Rather than generic text, messages use role-specific information, internal terminology, ongoing projects, supplier relationships, and reporting lines, creating the impression of a natural continuation of existing correspondence. In Business Email Compromise-type scenarios, an attacker may replicate a realistic email thread and only later introduce altered payment instructions, so that the recipient perceives the step as an administrative formality. Prior reconnaissance may also be conducted through public sources, social media, or leaked datasets, enabling messages to contain details that build trust. In such cases, the distinction between “user error” and “professional deception” is relevant, because the level of sophistication may influence the assessment of precautions, causation, and potential contributory negligence arguments in a civil context.
For legal purposes, it is essential to translate the behavioural component into concrete facts that can be verified in the file. This includes the wording of messages, timing, follow-up steps, the consistency of instructions, and how resistance or questions were managed. Where telephone follow-up occurred, call logs, call detail records, and recorded conversations may be decisive in establishing pressure, deception, and direction. Internal communications within an organisation can likewise shed light on decision-making around payments or the sharing of codes. In a broader compliance context, questions may arise as to whether internal awareness, procedures, and verification mechanisms were adequately designed, particularly in light of evolving cybersecurity expectations and the risks of non-compliance with the GDPR where personal data is implicated.
Criminal Law Qualification and Allocation of Roles
From a criminal law perspective, phishing may engage multiple offences depending on the specific conduct and the realised or intended outcome. The deceptive act may fall within fraud where, through deceitful means or a web of falsehoods, another person is induced to transfer funds or goods, incur a debt, or provide a service. Where stolen credentials are used to gain access to systems, unlawful access offences may also be engaged, with further qualification if data is taken, altered, or made unavailable. The creation or use of forged digital documents, invoices, or instructions may, in certain circumstances, intersect with document-falsification-type constructs in a digital form, where the evidential position often depends on authenticity, provenance, and the function of the document in the decision-making chain.
In practice, files frequently involve debate about the precise role of different individuals, because phishing is rarely carried out by a single actor in isolation. Sending messages is only one link and may be separate from hosting the counterfeit environment or processing captured data. Managing payment flows, recruiting or instructing money mules, or converting proceeds can each constitute distinct conduct with its own evidential matrix. Offering, maintaining, or developing phishing kits, panels, templates, or lists of harvested data may be viewed as facilitative conduct that increases scale and effectiveness. A careful qualification therefore requires a clear picture of factual acts, degree of involvement, and whether the legal characterisation is one of joint perpetration, aiding and abetting, or participation in a structured collaboration.
The assessment of seriousness is often influenced by factors such as professionalism, repetition, number of victims, loss amounts, and the extent of task allocation and organisational structure. A structured collaborative relationship may be inferred from stable role patterns, shared infrastructure, agreements on profit sharing, and sustained cooperation over time. At the same time, evidential caution is required when inferring intent and knowledge: presence in a chat group, receipt of a payment, or the provision of an account is not, without more, sufficient to sustain the full offence absent supporting facts indicating awareness of the phishing objective and the origin of funds or data. Where personal data is processed, stored, or traded in bulk, additional attention may arise in relation to non-compliance with the GDPR by affected organisations or service providers, particularly where security controls and incident response are inadequate or where data processing lacks a lawful basis.
Evidential Chain, Attribution, and Separating Assumptions from Facts
The evidential chain in phishing matters is typically built from a combination of digital content, infrastructure data, transaction information, and communications. Digital content includes email headers, routing paths, domain and URL structures, templates, landing pages, and any attachments, with metadata and technical attributes being critical for traceability. Infrastructure data may include registrar information, DNS changes, hosting contracts, server logs, and administrator accounts, supplemented by records from intermediary services such as link shorteners or document platforms. Payment traces include bank transfers, payment requests, crypto transactions, account identifiers, and conversions, often linked to timestamps and references that can support the line from deception to financial gain. Device data and chat logs, for example from messaging applications, may shed light on coordination, role allocation, and instructions, provided that provenance and integrity are adequately safeguarded.
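Much of the digital content listed above can be reduced to a reproducible reconstruction before any interpretation is attached to it. The following Python routine is an added example, not part of the original text: it reads a message's Received chain origin-first, records each hop's hosts and timestamp, reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, and notes objective discrepancies (envelope sender versus From domain, a diverging Reply-To, a DMARC failure, a broken or time-reversed hop chain). The message, hosts, addresses and IPs are constructed placeholders.

```python
import re
from email import message_from_string
from email.utils import parseaddr, parsedate_to_datetime

# Constructed sample message as it might appear in a mailbox export. All hosts,
# addresses and IPs are documentation placeholders, not real indicators.
SAMPLE_MESSAGE = """\
Return-Path: <billing@mail-examplebank.net>
Received: from edge.victim.example (10.0.0.5) by mbx01.victim.example
 with ESMTPS; Tue, 5 Mar 2024 09:14:02 +0000
Received: from relay.bulk-sender.example (203.0.113.7) by edge.victim.example
 with ESMTP; Tue, 5 Mar 2024 09:13:58 +0000
Received: from [192.0.2.44] (unknown [192.0.2.44]) by relay.bulk-sender.example
 with ESMTPA id 7f3a; Tue, 5 Mar 2024 09:10:41 +0000
Authentication-Results: victim.example; spf=pass smtp.mailfrom=mail-examplebank.net;
 dkim=none; dmarc=fail header.from=examplebank.com
From: "ExampleBank Billing" <billing@examplebank.com>
Reply-To: billing-desk@mail-examplebank.net
To: payments@victim.example
Subject: Updated supplier bank details - action today
Date: Tue, 5 Mar 2024 09:10:39 +0000
Message-ID: <20240305091039.7f3a@relay.bulk-sender.example>

Please see attached.
"""

RECEIVED_RE = re.compile(r"\bfrom\s+(\S+).*?\bby\s+(\S+)")


def parse_received(value: str) -> dict:
    """Extract sending host, receiving host and timestamp from one Received header."""
    v = " ".join(value.split())                      # unfold continuation lines
    m = RECEIVED_RE.search(v)
    stamp = v.rsplit(";", 1)[-1].strip() if ";" in v else ""
    try:
        ts = parsedate_to_datetime(stamp)
    except (TypeError, ValueError):
        ts = None
    return {"from": m.group(1).lower() if m else None,
            "by": m.group(2).lower() if m else None, "ts": ts}


def parse_auth_results(value: str) -> dict:
    """Pull the spf/dkim/dmarc verdicts and the DMARC header.from domain."""
    v = " ".join(value.split())
    results = {m.group(1): m.group(2) for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", v)}
    m = re.search(r"header\.from=([^;\s]+)", v)
    if m:
        results["header.from"] = m.group(1).lower()
    return results


def domain_of(header_value) -> str:
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def triage(raw: str) -> dict:
    """Reconstruct the route and list objective header discrepancies."""
    msg = message_from_string(raw)
    hops = [parse_received(h) for h in reversed(msg.get_all("Received", []))]  # origin first
    from_dom = domain_of(msg.get("From"))
    envelope_dom = domain_of(msg.get("Return-Path"))
    reply_dom = domain_of(msg.get("Reply-To"))
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    findings = []
    if envelope_dom and envelope_dom != from_dom:
        findings.append(f"envelope sender domain {envelope_dom} differs from From domain {from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"Reply-To domain {reply_dom} differs from From domain {from_dom}")
    if auth.get("dmarc") == "fail":
        findings.append(f"DMARC failed for header.from={auth.get('header.from', from_dom)}")
    if auth.get("dkim", "none") == "none":
        findings.append("message carries no valid DKIM signature")
    for prev, cur in zip(hops, hops[1:]):
        if prev["by"] != cur["from"]:
            findings.append(f"routing chain break: {prev['by']} handed off, next hop claims {cur['from']}")
        if prev["ts"] and cur["ts"] and cur["ts"] < prev["ts"]:
            findings.append(f"timestamp runs backwards between {prev['by']} and {cur['by']}")
    return {"hops": hops, "auth": auth, "from_domain": from_dom, "findings": findings}


def hop_path(result: dict) -> str:
    """Render the reconstructed route origin-first for a case file."""
    hops = result["hops"]
    return " -> ".join([hops[0]["from"]] + [h["by"] for h in hops]) if hops else ""
```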
Attribution is particularly challenging in phishing because infrastructure may be rented under false identities, proceeds may be moved through mule structures and layered transactions, and communication may take place via end-to-end encrypted channels. This can create tension between technical indicators and the legal threshold required for attribution. An IP address may reflect multiple users, a device may be shared or resold, and a bank account may be held in another person’s name or used under coercion. There may also be intermediaries who carry out a narrow function, such as forwarding funds, without demonstrable involvement in the initial deception. The file therefore calls for an approach in which each link is assessed on its own merits, with close attention to timelines, correlations, and corroborative evidence that materially weakens alternative explanations.
A careful assessment consistently requires separating assumptions from facts, both technically and legally. Findings that follow directly from logs, registrations, or communications must be distinguished from interpretations about intent, knowledge, or role. The question of which act is objectively established, such as registering a domain, uploading a template, sending a message, or receiving funds, must be linked to whether the association is technically reliable and legally material. The next step is whether intent or knowledge can reasonably be inferred from surrounding circumstances, where context, repetition, message content, and post-discovery conduct may be relevant. In parallel assessments concerning data protection, the same principle applies: data flows, retention periods, and security measures must be established concretely, so that any conclusion on non-compliance with the GDPR does not rest on generalities but on demonstrable shortcomings in processing, security, and incident handling.
Responsibility Within Chains and the Distinction Between Perpetrator and Facilitator
Phishing case files frequently reveal a layered chain of involvement in which not every participant has exercised the same degree of control, knowledge, or initiative, yet actions have been taken that enabled the offence or accelerated its execution. The legal assessment of that chain requires a granular analysis of the concrete contribution made at each link, not least because phishing is often carried out through a combination of infrastructure management, content creation, distribution, follow-up activity, and monetisation. The mere fact that a particular act “fits” within a phishing operation is insufficient for robust attribution; decisive factors are the factual contribution that was made, how that contribution relates to the core mechanism of deception, and what knowledge or intent can reasonably be inferred from the surrounding circumstances. This approach mitigates the risk of role allocation being driven by generalisations about “typical” task distribution and compels an evidential construction anchored in timelines, technical traces, and communications.
A recurring point of tension concerns the boundary between executors and facilitators. Hosting a landing page, making a domain available, or configuring email infrastructure can constitute a central act of execution, but can also be a service delivered remotely without visibility of the concrete use case. The same applies to offering templates, panels, or lists: the technical functionality is often generic, while intent is derived from context, marketing, instructions, and the envisaged use by customers or end users. In such circumstances, it is relevant whether there is bespoke tailoring, operational support, updates, or troubleshooting that directly aligns with phishing objectives. It is also relevant whether proceeds are shared, whether there is an ongoing relationship with a stable group of customers, and whether communications indicate awareness of victim behaviour and conversion rates. The stronger the involvement in optimising deception and increasing success rates, the greater the likelihood that the role will be characterised more seriously as a matter of law.
In addition, a practical yet legally sensitive distinction arises between “acting” and “omitting to act.” In respect of service providers or individuals who make resources available, debate can arise as to whether passive provision is criminally relevant and, if so, under what conditions. The file then requires concrete indications that the provision was not neutral but was intentional, or that the relevant risk was consciously accepted in the context of phishing. Signals such as complaints, chargebacks, unusual traffic patterns, repeated takedown requests, or internal warnings can be material in that analysis. In parallel compliance tracks, an assessment may also arise regarding non-compliance with the GDPR, for example where victims’ personal data is systematically processed, stored, or shared by parties whose security controls and governance are insufficient, or where processing purposes and retention periods cannot be justified.
Financial Flows, Money Mules, and Laundering-Type Patterns
Phishing frequently results in direct or indirect money flows, with criminal benefit being moved as quickly as possible to frustrate blocks, reversals, and investigative tracing. A characteristic feature is that payments are often directed to accounts not held by the primary organiser, but to accounts belonging to intermediaries, straw account holders, or so-called money mules. Such accounts may be recruited through deception, pressure, or the promise of commission, and used to receive funds and onward-transfer them almost immediately. The speed of onward transfers, the use of multiple accounts, and the deployment of cash withdrawals or crypto conversions are recurring indicators in case files, but their evidential weight depends on context and the presence of additional indications regarding knowledge and direction.
The evidential analysis of money flows typically requires a reconstruction that goes beyond a mere transaction list. Relevant factors include timestamps, payment descriptions, counterpart accounts, device and IP data associated with online banking, and communications concerning instructions and distribution of proceeds. Often a pattern emerges in which amounts are split, routed through further accounts, or used to purchase digital goods and services such as hosting, domains, or advertising accounts. In more professionalised operations, a “payment hub” may exist where multiple victims’ funds converge and from which distribution occurs to various end destinations. The legal characterisation then depends, among other things, on whether an individual functioned merely as a conduit without insight, or whether circumstances such as instruction messages, commission arrangements, repeated transactions, or concealment of origin point to conscious involvement in handling criminal proceeds.
Money mule structures introduce specific nuance into the assessment of intent and culpability. Some mules act out of naivety or under pressure, whereas others actively offer “cash-out” services and take measures to evade detection, such as using multiple banking apps, switching devices, or opening accounts across different institutions. The distinction is often decisive for both legal qualification and sentencing, because it determines whether there is deliberate participation in a fraud chain or a limited role driven by deception. Within organisations, parallel discussion may arise regarding verification processes for payments and supplier changes, particularly in the context of non-compliance with the GDPR where incident response is deficient and personal data from payment processes or internal systems ends up in unsecured environments.
International Dimension, Jurisdiction, and Cooperation
Phishing frequently has a cross-border character because infrastructure, victims, payment flows, and involved individuals may be located in different jurisdictions. Domains may be registered with foreign registrars, hosting may take place in countries with limited enforcement options, and funds may be moved via international payment services or crypto platforms. This international aspect affects evidence gathering because requests for information from foreign parties depend on mutual legal assistance mechanisms, providers’ compliance practices, and retention periods. It can also limit the speed of intervention, allowing landing pages and command-and-control environments to remain online longer and to generate additional victims. At the same time, international dispersion can be used as a diversion, where “traces” point to countries that bear no relationship to the true direction of the operation.
Assessing jurisdiction and applicable law in this type of file requires precision, particularly where conduct spans multiple countries. Relevant connecting factors include the location of victims, the time and place at which deceptive communications were received, the location where systems were compromised, and the place where financial damage materialised. The location of the suspect, the infrastructure used, or the bank accounts involved can also be relevant. In multi-jurisdiction scenarios, it is additionally important that evidence is collected in a manner that remains procedurally robust, with attention to chain of custody, authenticity, and integrity of digital material. A file that must “land” in several countries requires consistency in fact finding and a clear distinction between primary sources and derived analytical conclusions.
The international dimension also intersects with data protection, because personal data in phishing contexts frequently crosses borders without control or a lawful basis. Where victim data is stored on foreign servers, shared within groups, or traded via platforms, this generates not only a criminal trail but also a compliance issue for organisations that have become victims or that are involved in data exchange. Non-compliance with the GDPR may then arise in relation to transfers outside the EEA, inadequate security measures, or the absence of appropriate incident documentation. Cross-border incidents in particular highlight how essential consistent logging, access controls, and contractual arrangements with processors are in supporting both enforcement efforts and compliance requirements.
Incident Response, Loss Mitigation, and Forensic Preservation
The period immediately following the discovery of phishing is often decisive for both loss mitigation and the quality of the later evidential position. Effective response requires rapidly isolating affected accounts, resetting credentials, revoking sessions, and blocking or recalling payments where possible. At the same time, there is a risk that rushed “cleanup” efforts destroy valuable traces, such as email headers, log files, browser data, or device artefacts that may demonstrate how the deception unfolded. A careful response plan therefore balances containment against preservation of evidence, with clear instructions on securing relevant data, recording timestamps, and retaining original messages and attachments. In mature environments, forensic imaging or structured exports of mailboxes and logs are often used to preserve integrity and reproducibility.
Robust forensic preservation focuses not only on the “entry point” of phishing, namely the message and the link, but also on internal effects. This includes audit logs from identity providers, MFA registrations, authorisations, mailbox forwarding rules, changes to supplier details, and payment workflows. In spearphishing and BEC scenarios, it can be critical to reconstruct email threading, reply-to changes, and lookalike communications in order to substantiate causation between deception and payment. It may also be necessary to analyse network and proxy logs for indications of reverse proxy use or token theft. The factual outcome, for example a payment, a personal data breach, or account takeover, must be linked in the file to concrete technical events and internal decision points so that the evidential construction does not rest on assumptions about a “probable course of events.”
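The audit-log artefacts named above (sign-ins, mailbox forwarding rules, mailbox-level forwarding) can be correlated into concrete technical events rather than a “probable course of events.” The following Python routine is an added example and not part of the original text: it walks a constructed, vendor-neutral audit log, records successful sign-ins from outside each user's baseline locations, and escalates inbox-rule or forwarding changes that forward externally, delete matching mail, filter on payment-related subjects, or follow such a sign-in within one hour. The field names, domain `victim.example`, baseline and log lines are all assumptions constructed for this example, not any product's schema.

```python
import json
from datetime import datetime, timedelta

INTERNAL_DOMAIN = "victim.example"   # assumption: the organisation's own mail domain
WINDOW = timedelta(hours=1)          # rule changes this soon after an odd sign-in are escalated
PAYMENT_TERMS = {"invoice", "payment", "bank", "wire", "remittance"}

# Constructed baseline: countries from which each user normally signs in. In practice
# this would be derived from sign-in history rather than hard-coded.
BASELINE_GEO = {"a.finance@victim.example": {"NL"}, "b.hr@victim.example": {"NL"}}

# Constructed audit events in a vendor-neutral JSON-lines form. Field names are
# assumptions for this example, not any product's real schema.
AUDIT_LOG = """\
{"ts":"2024-03-05T08:02:11Z","user":"a.finance@victim.example","op":"SignIn","ip":"198.51.100.8","geo":"NL","result":"Success"}
{"ts":"2024-03-05T09:21:40Z","user":"a.finance@victim.example","op":"SignIn","ip":"203.0.113.77","geo":"ZZ","result":"Success"}
{"ts":"2024-03-05T09:24:05Z","user":"a.finance@victim.example","op":"New-InboxRule","ip":"203.0.113.77","rule":{"name":".","forward_to":["collector@mail-examplebank.net"],"delete":true,"subject_contains":["invoice","payment"]}}
{"ts":"2024-03-05T09:25:12Z","user":"a.finance@victim.example","op":"Set-Mailbox","ip":"203.0.113.77","forwarding_smtp_address":"collector@mail-examplebank.net"}
{"ts":"2024-03-05T10:10:00Z","user":"b.hr@victim.example","op":"SignIn","ip":"198.51.100.9","geo":"NL","result":"Success"}
{"ts":"2024-03-05T10:12:30Z","user":"b.hr@victim.example","op":"New-InboxRule","ip":"198.51.100.9","rule":{"name":"Team","forward_to":["hr-shared@victim.example"],"delete":false,"subject_contains":[]}}
"""


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_external(address: str) -> bool:
    return address.rpartition("@")[2].lower() != INTERNAL_DOMAIN


def rule_reasons(rule: dict) -> list:
    """Indicators on a single inbox rule that match BEC-style mailbox tampering."""
    reasons = []
    ext = [a for a in rule.get("forward_to", []) if is_external(a)]
    if ext:
        reasons.append("rule forwards to external address(es): " + ", ".join(ext))
    if rule.get("delete"):
        reasons.append("rule deletes matching messages (hides the conversation from the owner)")
    hits = {t for t in rule.get("subject_contains", []) if t.lower() in PAYMENT_TERMS}
    if hits:
        reasons.append("rule filters on payment-related subjects: " + ", ".join(sorted(hits)))
    if len(rule.get("name", "")) <= 2:
        reasons.append("rule name is near-empty, a common attempt to avoid notice")
    return reasons


def detect(log_text: str, baseline: dict = BASELINE_GEO) -> list:
    """Correlate mailbox changes with preceding out-of-baseline sign-ins."""
    events = sorted((json.loads(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    odd_signin = {}   # user -> (ts, ip, geo) of the latest sign-in from outside the baseline
    alerts = []
    for e in events:
        ts, user = parse_ts(e["ts"]), e["user"]
        if e["op"] == "SignIn":
            if e.get("result") == "Success" and e.get("geo") not in baseline.get(user, set()):
                odd_signin[user] = (ts, e.get("ip"), e.get("geo"))
            continue
        reasons = []
        if e["op"] == "New-InboxRule":
            reasons = rule_reasons(e.get("rule", {}))
        elif e["op"] == "Set-Mailbox" and e.get("forwarding_smtp_address"):
            if is_external(e["forwarding_smtp_address"]):
                reasons.append("mailbox-level forwarding set to external address "
                               + e["forwarding_smtp_address"])
        if not reasons:
            continue
        severity = "medium"
        prior = odd_signin.get(user)
        if prior and timedelta(0) <= ts - prior[0] <= WINDOW:
            reasons.append(f"changed within {WINDOW} of a sign-in from non-baseline "
                           f"location {prior[2]} via {prior[1]}")
            severity = "high"
        alerts.append({"user": user, "ts": e["ts"], "op": e["op"],
                       "severity": severity, "reasons": reasons})
    return alerts
```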
Incident response also has a governance and compliance component, particularly where personal data is affected. Non-compliance with the GDPR may be in issue where incidents are insufficiently documented, where appropriate technical and organisational measures are lacking, or where notification obligations and communications with data subjects are inaccurate or late. Debate may also arise regarding data minimisation, system segmentation, and privilege restriction, because such measures can materially reduce the impact of phishing attacks. In legal proceedings, incident response is increasingly assessed for professionalism and consistency, not only what was done, but also whether decisions were documented, escalation occurred in a timely manner, and evidence was secured with appropriate safeguards.
Prevention, Governance, and Structural Risk Reduction
Countering phishing requires a structural approach in which technology, people, and process reinforce one another. Technical measures such as SPF/DKIM/DMARC, advanced email filtering, URL rewriting, and sandboxing provide an initial line of defence, but are not sufficient where attackers abuse legitimate services or target internal processes such as supplier changes. Identity security through strong MFA, conditional access, device compliance, and anomaly monitoring reduces the likelihood that stolen credentials will lead to system access. Equally important are process controls, such as out-of-band verification for changes to payment instructions, four-eyes principles for high-value payments, and strict procedures for sharing verification codes. The effectiveness of these measures depends on consistency: exceptions, workload pressure, and informal shortcuts are precisely the circumstances attackers seek to exploit.
Awareness and training should be approached as risk management rather than as a one-off instruction. Realistic simulations, feedback loops, and lowering barriers to reporting increase the probability of detection and shorten response times. It is also important that reporting does not lead to blame, but to rapid triage and support, so that staff are more willing to escalate suspicious situations. Targeted training warrants particular attention in higher-risk functions such as finance, HR, IT, and executive management, because spearphishing can cause the greatest damage precisely in those areas. Supplier management is also relevant: attacks often exploit chain relationships, invoicing processes, and shared systems, making due diligence on supplier security and contractual arrangements on incident reporting and logging critical.
Governance and compliance provide the framework within which prevention and response can be demonstrated and evidenced. In particular, non-compliance with the GDPR may arise where insufficient measures have been taken to protect personal data against unauthorised access, loss, or disclosure, or where incidents are not adequately controlled and documented. A mature governance approach allocates roles and responsibilities, establishes minimum standards for logging and access management, and integrates phishing risks into enterprise risk management. This creates a defensible position both towards supervisory authorities and in civil or criminal contexts, demonstrating that measures are not ad hoc, but structural, measurable, and capable of being tested.