Legal aspects of counteracting phishing: the European Union experience

Іван Васильович Яковюк, Артем Павлович Волошин, Антон Олексійович Шовкун


Cybersecurity is increasingly seen as a fundamental problem of the state, which comprehensively affects its security and defense, economy, certain spheres of public life, in particular energy, health care and others. Reliable operation of data networks, computer systems and mobile devices is a prerequisite for the effective state and society functioning, an individual’s life. The reliability of key public information systems depends on many factors: cyberattacks, hardware and software failures, and all kinds of errors. The significant increase in the number of incidents in cyberspace necessitates a systematic analysis of sources of threats, the first place among which is phishing. The introduction of criminal responsibility for phishing is complicated by the fact that "phishing" is an "umbrella" concept that covers a number of launched or committed crimes. From criminal law point of view, phishing attacks can correspond to different categories of crimes (extortion, fraud, blackmail, offenses related to the processing of personal data, etc.). The attempt by some states to impose criminal penalties for phishing at the national level does not solve the problem, since it is not difficult for phishers who work worldwide to cross national barriers. That is still the reason why counteracting cybercrime requires significant efforts not only by individual states but also by international organizations, in particular by the European Union.


cyberspace; cybersecurity; cybercrime; online fraud; phishing; anti-phishing tools; criminal law; European Union


Alexander, R. (1998). EU: The EC Money Laundering Directive. Journal of Money Laundering Control. Vol. 2.

Antonelli, C., Geuna, A., Steinmueller, W.E. (2000). Information and Communication Technologies and the Production, Distribution and Use of Knowledge. International Journal of Technology Management, Vol. 20 (1–2), 72–94.

Baranov, O.A. (2014). Pravove zabezpechennia informatsiinoi sfery: teoriia, metodolohiia i praktyka. Kyiv: Edelveis.

Bell, R.E. (2002). An Introductory: Who is Who for Money Laundering Investigators. Journal of Money Laundering Control, Vol. 5, 287–295.

Birk, D., Gajek, S., Grobert, F., Sadeghi, Ah.-R. (2007). Phishing Phishers—Observing and Tracing Organized Cybercrime. Second International Conference on Internet Monitoring and Protection. URL:

Bose, I. (2007). Unveiling the Mask of Phishing: Threats, Preventive Measures, and Responsibilities. Communications of the Association for Information Systems, Vol. 19, 544–566.

Brenner, S. (2002). Organized Cybercrime? How Cyberspace May Affect the Structure of Criminal Relationships. North Carolina Journal of Law and Technology, Vol. 4.

Bruijn, H. de, Janssen, M. (2017). Building cybersecurity awareness: The need for evidence-based framing strategies. Government Information Quarterly, Vol. 34, Issue 1, 1–7. doi:

Chang, M., Kuhn, R., Weil, T. (2018). Cyberthreats and Security. IT Professional, 3, 20–22.

Charter of Fundamental Rights of the European Union (2000/C 364/01). Official Journal of the European Communities. C 364 of 18.12.2000.

Commission staff working document – Report on fraud regarding non cash means of payments in the EU: the implementation of the 2004–2007 – EU action plan. URL:

Communication from the Commission to the Council, the European Parliament, the Economic and Social Committee and the Committee of the Regions. Creating a Safer Information Society by Improving the Security of Information Infrastructures and Combating Computer-related Crime. Brussels, 26.01.2001 COM (2000). 890 final. URL:

Communication from the Commission to the Council, the European Parliament, the European Economic and Social Committee and the Committee of the Regions – Network and Information Security: Proposal for A European Policy Approach. URL:

Communique Meeting of Justice and Interior Ministers of The Eight, Washington, D.C. 10 December, 1997. URL:

Copeland, Th.E. (2000). The Information Revolution and National Security. URL:

Council Framework Decision 2005/222/JHA of 24 February 2005 on attacks against information systems. Official Journal of the European Union, L 69, 16.03.2005, 67–71.

Council Resolution of 28 January 2002 on a common approach and specific actions in the area of network and information security. Official Journal of the European Union, C 43, 16.02.2002, 2–4.

Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. Official Journal, L 281, 23/11/1995, 0031–0050.

Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997 concerning the processing of personal data and the protection of privacy in the telecommunications sector. Official Journal, L 024, 30/01/1998, 0001–0008.

Directive 2015/2366/ЕС of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC. Official Journal of the European Union, L 337, 23.12.2015, 35–127.

Directive 2016/1148/ЕС of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union. Official Journal of the European Union, L 194, 19.07.2016, 1–30.

Directive 2019/713/ЕС of the European Parliament and of the Council of 17 April 2019 on combating fraud and counterfeiting of non-cash means of payment and replacing Council Framework Decision 2001/413/JHA. Official Journal of the European Union, L 123, 10.05.2019, 18–29.

Dhamija, R., Tygar, J.D., Hearst, M. (2006). Why phishing works. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22–27, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson (Eds.). CHI '06. ACM Press, New York, NY, 581–590.

Doktryna informatsiinoi bezpeky Ukrainy: zatverdzhena Ukazom Prezydenta Ukrainy vid 25 liutoho 2017 r. № 47/2017. URL:

Downs, J.S., Holbrook, M., Cranor, L.F. (2007). Behavioral response to phishing risk. In Proceedings of the Anti-Phishing Working Groups 2nd Annual Ecrime Researchers Summit (Pittsburgh, Pennsylvania, October 04–05, 2007). eCrime '07, vol. 269. ACM, New York, NY, 37–44.

Dubov, D.V. (2013). Stratehichni aspekty kiberbezpeky Ukrainy. Stratehichni priorytety, 4, 119–127.

Eichensehr, K.E. (2016). Public-private cybersecurity. Texas Law Review, Vol. 95, 467–538.

European Convention on Human Rights as amended by Protocols Nos. 11 and 14 supplemented by Protocols Nos. 1, 4, 6, 7, 12, 13 and 16. URL:

Elyakov, A. (2003). Oborotnaya storona informacionnoj revolyucii. Vysshee obrazovanie, 3, 82–87.

Gefen, D. (2002) Reflections on the Dimensions of Trust and Trustworthiness Among Online Consumers. ACM SIGMIS Database, Vol. 33, 3, 38–53.

Goodman, M.D., Brenner, S.W. (2002). The emerging consensus on criminal conduct in cyberspace. International Journal of Law Infomation Technology, Vol. 10, 139–223.

Gorham-Oscilowski, U., & Jaeger, P.T. (2008). National Security Letters, the USA PATRIOT Act, and the Constitution: The tensions between national security and civil rights. Government Information Quarterly, 25, 625–644. doi 10.1016/j.giq.2008.02.001.

Gupta, B.B., Arachchilage, N.A.G., Psannis, K.E. (2018). Defending against Phishing Attacks: Taxonomy of Methods, Current Issues and Future Directions. Telecommunication Systems, vol. 67, 247–267.

Jang-Jaccard, J., Nepal, S. (2014). A survey of emerging threats in cybersecurity. Journal of Computer and System Sciences, Vol. 80, Issue 5, 973–993.

Kautonen, T., Karjaluoto, H. (2008). Trust and New Technologies: Marketing and Management on the Internet and Mobile Media. Cheltenham: Edward Elgar Publishing.

Kikerpill, K., Siibak, A. (2019). Living in a Spamster’s Paradise: Deceit and Threats in Phishing Emails. Masaryk University Journal of Law and Technology, Vol. 13:1, 45–66. doi: 10.5817/MUJLT2019-1-3.

Kormych, B.A. (2003). Orhanizatsiino-pravovi zasady polityky informatsiinoi bezpeky Ukrainy. Odesa: Yurydychna literatura.

Kumar, A., Chatterjee, J.M., Díaz, V.G. (2020). A novel hybrid approach of SVM combined with NLP and probabilistic neural network for email phishing. International Journal of Electrical and Computer Engineering (IJECE), Vol. 10, 1, 486–493. doi: 10.11591/ijece.v10i1.

Kumaraguru, P., Rhee, Y., Acquisti, A., Cranor, L., Hong, J., Nunge, E. (2007). Protecting People from Phishing: The Design and Evaluation of an Embedded Training Email System. In Proceedings of the 2007 Computer Human Interaction, CHI.

Leuprecht, C., et al. (2016). Beyond the Castle Model of cyber-risk and cyber-security. Government Information Quarterly. Vol. 33 (2), 250–257. doi:

Manap, N.A., Rahim, A.A., Taji, H. (2015). Cyberspace Identity Theft: An Overview. Mediterranean Journal of Social Sciences, Vol. 6, 4 S3, 290–299. doi: 10.5901/mjss.2015.v6n4s3p290.

Mansell, R. (2010). The life and times of the information society. Prometheus. Vol. 28 (2), 165–186. doi: 10.1080/08109028.2010.503120.

McCombie, S., Pieprzyk, J., Watters, P. (2009). Cybercrime Attribution: An Eastern European Case Study. Proceedings of the 7th Australian Digital Forensics Conference. 41–51. URL:

Mitnick, K. & Simon, W. (2002). The art of deception: Controlling the human element of security. New York, New York: Wiley Publishing.

Moisea, A.C. (2017). Considerations of Criminal Law and Forensic Science Regarding the Illegal Access to a Computer System. AGORA International Journal of JuridicalSciences, 2, 49–57.

Mustafa, H. Digital Social Engineering Threatens Cybersecurity. International Journal of Innovative Technology and Exploring Engineering (IJITEE), Vol. 9, Issue 1, 4016–4025.

Lipkan, V.A. (Ed.). (2015). Pravovi zasady rozvytku informatsiinoho suspilstva v Ukraini. Kyiv: FOP Lipkan O. S.

Regulation (EU) 2019/881 of the European Parliament and of the Council of 17 April 2019 on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013 (Cybersecurity Act). Official Journal of the European Union, L 151, 07.06.2019, 15–69.

Rossokhyna, V. Chto proyskhodyt v ynternete za mynutu: ynfohrafyka. URL:

Rusch, J. (2005). The compleat cyber-angler: A guide to phishing. Computer Fraud & Security, (1):4-6. doi: 10.1016/S1361-3723(05)00145-4.

Schleher, D.C. (1999). Electronic warfare in the information age. Norwood: Artech House Publishers.

Serheeva, Yu. (2018). Internet 2017–2018 v myre y v Rossyy: statystyka y trendy. URL:

Singh, N.P. (2007). Online Frauds in Banks with Phishing. Journal of Internet Banking and Commerce, Vol. 12(2), 1–27.

Shaikh, A.N., Shabut, A.M., Hossain, M.A. (2016). A literature review on phishing crime, prevention review and investigation of gaps. 10th International Conference on Software, Knowledge, Information Management & Applications (SKIMA). URL: DOI: 10.1109/SKIMA.2016.7916190.

Sheng, St., Holbrook, M., Kumaraguru, P., Cranor, L. (2010). Who Falls for Phish? A Demographic Analysis of Phishing Susceptibility and Effectiveness of Interventions. Conference: Proceedings of the 28th International Conference on Human Factors in Computing Systems, CHI 2010, Atlanta, Georgia, USA, April 10–15, 373–382. URL: DOI: 10.1145/1753326.1753383.

Sonowal, G., Kuppusamy, K.S. (2020). PhiDMA – A phishing detection model with multi-filter approach. Journal of King Saud University – Computer and Information Sciences, Vol. 32, Issue 1, 99–112. doi:

Statistika internet-auditorii Ukrainy i ispolzuemyh ustrojstv. URL:

Stevenson R. L. B. (2005). Plugging the «Phishing» Hole: Legislation Versus Technology. Duke Law & Technology Review, № 5. URL:

Stratehiia kiberbezpeky Ukrainy: zatverdzhena Ukazom Prezydenta Ukrainy vid 15 bereznia 2016 r. № 96/2016. URL:

Verma, A. (2013). Effects of Phishing on E-Commerce with Special Reference to India. Interdisciplinary Perspectives on Business Convergence, Computing, and Legality (Advances in E-Business Research), 186–197. URL: doi: 10.4018/978-1-4666-4209-6.ch017.

What's phishing? How to be safe? URL:

Wu, M., Miller, R.C., Garfinkel, S.L. (2006). Do security toolbars actually prevent phishing attacks?. In Proceedings of the SIGCHI Conference on Human Factors in Computing Systems (Montréal, Québec, Canada, April 22227, 2006). R. Grinter, T. Rodden, P. Aoki, E. Cutrell, R. Jeffries, and G. Olson (Eds.). CHI '06. ACM Press, New York, NY, 601–610.

Zhurin, S.I., Komarkov, D.E. (2018). Zashita vneshnego informacionnogo perimetra organizacii ot celevogo fishinga. Bezopasnost informacionnyh tehnologij=ITSecurity, Vol. 25, 4, 96–108 [in Russian].

GOST Style Citations

Article Metrics

Metrics Loading ...

Metrics powered by PLOS ALM

Copyright (c) 2020 Іван Васильович Яковюк, Артем Павлович Волошин, Антон Олексійович Шовкун

Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.

ISSN 2224-9281