Phishing is the single most common cyberattack in the online world by far. Cybercriminals use phishing scams more than every other attack type put together. The reason why is simple. Phishing is far easier than any other attack out there, and its rate of success isn’t terrible either.
Overall, it’s a low-effort scam that is widely used and growing more common. Recently it has seen a further surge in popularity thanks to a new way for people to run phishing attacks without any hacking or social engineering expertise at all: phishing as a service.
What is PhaaS?
Phishing as a service (or PhaaS) is a provided service where attackers can have access to full-scale phishing campaigns without having to set them up themselves. In exchange for a fee, these services supply the attacker with emails to use, kits to impersonate various known brands, and even independent hosting and automated managers.
How Does Phishing as a Service Work?
The process behind PhaaS is fairly simple. An attacker contacts the company that provides this service and pays an attack operator to create and deploy a phishing campaign against whoever they choose. The service typically includes fake login pages, site hosting, and a means of collecting and distributing the stolen credentials.
The first major known company to provide PhaaS was BulletProofLink, a less-than-legal company that was discovered and made publicly known back in 2020. Since then, Microsoft’s investigations into the world of phishing as a service have revealed that the company’s service is responsible for a massive portion of phishing attacks in modern cyberspace.
Is PhaaS a Crime?
Phishing in itself is obviously illegal. Gathering personal information under the guise of someone else falls under identity theft, and any attempt to obtain information without the knowledge and consent of the other party is considered criminal intent as well. These scams have always been, and always will be, illegal activity.
Offering this as a paid service only adds to the jungle of criminal activity. Purchasing the service does not by any means ensure that the customer won’t shoulder the responsibility of a phishing campaign. At best, they’ll be considered a willing accomplice of the service organization’s activity. And at worst, the organization can attempt to shrug off any involvement and leave the customer to shoulder the consequences alone.
Is PhaaS Efficient?
PhaaS is meant to be as alluring as possible to potential attackers. In particular, it’s intended to entice attackers who don’t know how to set up their own phishing campaign. It’s exactly what it sounds like: phishing as a service. If you don’t know how to create a phishing attack yourself, they’ll do it for you.
It’s a surprisingly organized service that allows you to choose the type of attack you want and will offer you a price or give you an estimate of how any earnings from scammed companies will be split. More often than not, buyers find these prices to be reasonable in exchange for not having to develop the attack themselves. So much so that a massive majority of phishing attacks are done by these service providers.
Phishing as a Service Examples
Microsoft has spent several years investigating the world of phishing as a service. In this time, they’ve been rather surprised to find just how many famous cases of large-scale phishing attacks can likely be attributed to these PhaaS companies.
For example, the Cabarrus County attack in the United States, which ended up costing the victims a total of roughly 1.7 million USD, was very likely tied to one of these major phishing organizations. Or, much more recently, look at the attack on Shark Tank judge Barbara Corcoran. She was scammed out of almost $400,000 by someone impersonating her assistant, who is believed to have used these services to begin their attack.
Why is it Dangerous for Your Business?
It’s plain to see why this could be a threat to your own business. More access to phishing methods in the world will obviously mean more phishing. More hackers and threats in the cyber world will never be a good thing for your company, and this “phishing as a service” has lowered the bar of entry so much that anyone with thumbs and questionable morals can do it.
How to Protect Against PhaaS?
You’ll need to take the same steps to prevent these phishing attacks as you would any other. With any luck, the attacker won’t be as educated on how to manage a phishing campaign, but you shouldn’t rely on that. Be prepared for anything so as to keep your business from being at risk.
We recommend the following to minimize your risk of attacks:
- Use a trusted VPN to limit who can see your network’s IP address
- Use email protection such as EasyDMARC to reduce suspicious emails
- Be cautious which emails you open, or use some sort of sandboxing environment to check their contents safely
- When requests are made via message, especially ones asking for information or payment, ensure that you confirm them in person first
- Use trusted, updated antivirus software
Final Thoughts
Phishing as a service, unfortunately, simply adds another obstacle that companies will need to be wary of. This newfound way for attackers to get their hands on the tools they need for a phishing campaign will only prove to be troublesome for businesses. However, with exercised caution and the proper knowledge on how to protect against these attacks, these phishing efforts will find no success among those who are prepared.