Phishing is a significant security threat that causes financial and reputational losses to end-users and service providers in modern information systems. Current anti-phishing research is fragmented and does not address the issue from a pervasive computing perspective. As phishing attacks exploit human susceptibility, designing appropriate and personalized anti-phishing security frameworks that consider individual behavior is crucial. Phishing experiments raise ethical and legal concerns. Many researchers conduct experiments to quantify risks and degrees of vulnerabilities and identify where to focus protective measures. This paper aims to identify ethical and practical issues related to setting up and conducting phishing experiments. The review examines the types of experiments conducted, ethical rules applied, user consent obtained, and the types of phishing examined in the experiments. Through this review, we aim to provide a comprehensive overview of the current approaches and methods used in phishing experiments, with a particular focus on identifying legal white spaces and ethical considerations.