Phishing threatens to topple information societys stability because this erodes trust in its underlying infrastructure. From the insight, researchers are attempting to quantify how people fall for deceit. However, in-lab studies are challenged with ecological and external validity issues. So researchers conducting security usability studies are engaged in deceit-based field studies of users that are conducted without prior consent. Unfortunately, such studies can expose researchers to ethical risks since field studies usually mimic real phishing. Here, we present studies about how researchers managed risks for previous deceit-based studies, not only in usable security but also in other research areas such as psychology, and then propose and evaluate recommendable experiment design method and ethic guideline for ethical and valid phishing study.