In a spear-phishing engagement, what is a primary legal risk if a victim outside the test scope is attacked after forwarding the email?

Study for the SANS560 GIAC Penetration Tester (GPEN) Test. Study with flashcards and multiple choice questions; each question has hints and explanations. Get ready for your exam!

Multiple Choice

In a spear-phishing engagement, what is a primary legal risk if a victim outside the test scope is attacked after forwarding the email?

Explanation:
When a spear-phishing test is approved, there’s explicit permission to target a defined group and to simulate attacker activity within agreed boundaries. If actions spill outside that scope and someone outside the target gets attacked or their data is harmed, the organization conducting the test can be held legally responsible for the damages. That potential responsibility is what we call legal liability. It captures the real-world consequence of causing harm or unauthorized access during the engagement. Privacy concerns and compliance risk are related topics, but the strongest, direct risk here is being legally liable for the harm caused by stepping outside the authorized scope. To prevent this, clear scope, written authorization, and safeguards are essential.
