“When I showed the phishing email I received to David Hickey, managing partner at the California law firm Hickey Smith, he quickly offered a legal analysis: If the email had been sent as unsolicited spam, and not as a part of company cybersecurity training program, “It would appear to violate the CAN-SPAM because of a number of reasons,” he said. These include the fact that there was deceptive sender information, a deceptive subject line and absence of a physical address for the sender.

So the email, if sent unsolicited, was illegal, right? Not exactly. Though phishing email violates the CAN-SPAM Act, it might not fall within the law’s jurisdiction in the first place. The act only applies to commercial emails, which it defines as those whose primary purpose “is the commercial advertisement or promotion of a commercial product or service.””