This article contains information on using third-party and government logos in Engage phishing simulations, intellectual property laws, compliance guidelines, and best practices for responsible usage and training purposes.
Disclaimer
This article has been created for general informational purposes only. The information provided is not legal advice, should not be treated as such, may not be up to date, and is subject to change without notice.
Overview
Mimecast's Engage products let customers use third-party logos for phishing simulations. Use these logos carefully to prevent end users from mistaking simulated content for legitimate communications from the represented companies. Logos are used strictly for training purposes. You can find further details of the limited way in which third-party logos are used for phishing simulations here:
- Engage - Managing Phishing Templates
- Engage - Custom Email Notifications & Phishing Templates
- Engage - Multi-Stage Phishing Templates
Intellectual Property Concerns with the Use of Third-Party Logos
Mimecast customers can safely use third-party logos in phishing simulations without risking trademark or copyright infringement. We require responsible usage that complies with applicable laws and regulations.
Trademark law focuses on preventing consumer confusion about product origins. Phishing simulations clearly distinguish security training from actual company services. Each simulation concludes with an educational landing page or video that teaches phishing detection skills. These pages explicitly state that third-party logos serve educational purposes only, with no connection to the original companies.
Using logos in security training qualifies as fair use under copyright law because it transforms the logos' purpose from commercial branding to cybersecurity education. This educational use protects users from real threats while respecting logo owners' market interests.
Regulations Governing the Use of Government Intellectual Property
Customers must exercise caution when conducting phishing simulations to avoid using government logos, names, insignia, or intellectual property in a manner that suggests association with, or endorsement by, a government entity. Mimecast has set out some of the requirements specified by the US Federal Government and UK Government below. However, it is recommended that customers check the specific rules within all countries where simulated phishing will be used.
US Federal Government Regulations
- 15 U.S.C. § 1051 et seq.: Governs trademarks and prohibits the unauthorized use of trademarks in a way that may cause confusion or imply endorsement.
- 31 U.S.C. § 333: Prohibits unauthorized use of government agency names, insignia, and logos that suggest association with the U.S. government.
- Copyright Exceptions for U.S. Government Works: Per the guidelines on government intellectual property, government logos and trademarks are protected and cannot be used without explicit permission. For more details, see Learn about copyright and federal government materials.
As an example, organizations conducting phishing simulations must not use the IRS name, logo, or insignia in their training exercises. Doing so may create confusion among recipients and mislead them into believing that the correspondence is officially associated with the IRS. Exercises of this nature can also create significant issues for government agencies and are strictly prohibited.
UK Government Regulations
In the United Kingdom, similar restrictions apply to the use of government logos, names, and insignia. UK government intellectual property is protected under the Crown Copyright and the Trade Marks Act 1994, which prohibit the unauthorized use of government-owned intellectual property, including logos and insignia, in a manner that misleads or implies government endorsement.
Per the UK Intellectual Property Office, government logos, insignia, and departmental names may not be used in phishing simulations or any other training exercises unless explicitly authorized by the UK government. For further details, see Intellectual property and your work.
In both jurisdictions, the use of government intellectual property without permission is a violation of law and can result in penalties. Mimecast customers are strongly advised to refrain from using any government-related intellectual property in their security awareness training.
Best Practices for Responsible Use
To ensure compliance with applicable laws and regulations, Mimecast recommends the following best practices for customers:
- Do Not Use Government Intellectual Property: Customers must not use government logos, names, or insignia, including those of the IRS (US) or UK government, in phishing simulations or training exercises.
- Avoid Tax-Themed Exercises: To prevent any issues with government agencies, customers should refrain from using tax-related content or themes in their training exercises.
- Follow Best Practices for Third-Party Logos: Third-party logos should always be used responsibly, with clear disclaimers and corrective pages to ensure recipients understand the purpose of the exercise.
Mimecast is committed to supporting customers in delivering effective security awareness training while ensuring compliance with all applicable laws and protecting the intellectual property of third parties.