Interest in human factors in phishing has been growing in both the HCI and security communities over the past few years. Despite this interest, conducting covert user studies poses a number of ethical and legal challenges for phishing researchers. This paper discusses the need for deception, the implications of deception, and the legal restrictions on phishing studies in the UK. We thematically analyzed these implications from the viewpoints of three stakeholders: ethics committees, researchers, and professional bodies. We then provide a roadmap for researchers to obtain a balanced and timely ethical assessment of their proposed research.