You want to use well-known brand logos for a phishing simulation? Go ahead, because phishing for training purposes does not infringe any trademark rights!
The key point of a trademark infringement and/or trademark infringement suit is whether there is a misleading consumer as to the origin of a particular product or service. If you use another company’s logo for training purposes for a simulated phishing email, that logo will not be used in a way that deceives customers. The sender of the phishing email is not concerned that the branded goods or services originate from and are associated with the ‘logo donating company’ or are sponsored by the company owning the trademark and/or the brand.
As a sender of phishing simulations, you do not ‘brand’ goods or services with someone else’s logo, but rather train your employees’ security awareness! Possible deception is clearly prevented/corrected by a corrective landing page and/or the training module included in the campaign. That’s why LUCY Server sends training content to users at the end of a simulated phishing attack. Its basic content teaches the user to beware of phishing fraud.
Thus, the logo of a third party is only used for illustrative or didactic purposes and there is no connection or relationship between the trademark owner and the customer (i.e. the recipient of the phishing mail).
From a copyright perspective, the integration of a third-party logo in a simulated phishing e-mail serves a completely new, didactic purpose and thus represents fair use. The new purpose is to “increase security awareness” and to inform the public / the users about the prevention of phishing fraud. This new use does not undermine either the copyright owner or a market that the author would reasonably work.
Please note, we are not lawyers, please use this information with caution. This is LUCY Security AG’s view on things. The information is without guarantee and is subject to change.
Palo Stacho, Head of Operations LUCY Security AG
 Tip for LUCY Campaign Admins: If you want to communicate something like this explicitly to the end user, then you can provide this information as a text field on the ‘Account Page’ when configuring the attack scenario in LUCY Server.
Topic: Trademark infringement phishing.