What Is Phishing-as-a-Service (PhaaS) and How to Protect Against It
Last updated on October 19, 2023
Phishing-as-a-service, or PhaaS, platforms have evolved from classic phishing attacks into a business model: less experienced attackers can run several phishing campaigns without owning the technical skills needed to build them.
In this article, we define Phishing-as-a-Service, discuss why it is a cyber risk for businesses, and show how you can protect your organization from it.
Phishing-as-a-Service uses a software-as-a-service business model: access to a phishing kit (phishing pages, fake websites, etc.) is sold for a fee. The cybercriminals behind it act as service providers, selling the tools and the know-how a phishing attack requires.
Usually, creating a phishing campaign requires a broad set of skills. Phishing-as-a-Service enables even a novice to conduct an attack.
A Definition of Phishing
Phishing is a malicious technique that steals personal data through deception, for example a page that looks like a legitimate login page but is in fact a phishing page. A traditional phishing campaign involves devising a pretext, writing an effective message, and building a fake site that captures whatever the victim types into it. Now all of these can simply be bought as a phishing kit that produces highly convincing decoys.
Adversaries impersonate a trustworthy entity by copying its logo, colors, official website layout, and so on. The success of a phishing campaign depends on how realistic its message and pages are.
Phishing campaigns use legitimate-looking login pages that give unsuspecting victims a sense of trust. The targets are tricked into revealing confidential information such as usernames and passwords or credit card details. Once the victim submits this data, it can be used for financial fraud, identity theft, access to the victim's accounts, or blackmail. In some cases, the attackers sell the data on the dark web to other malicious actors.
How Does Phishing-as-a-Service Work?
Initially, PhaaS vendors advertised their products only on the darknet. Lately they can be seen looking for customers for their phishing pages on the regular Internet as well.
A customer interested in Phishing-as-a-Service buys a phishing kit. Prices can start from as little as $40. Just like for any other product, vendors use marketing techniques to increase sales; they even offer discounts and Black Friday deals.
A phishing kit includes all the items that a malicious actor needs:
email templates aimed at the victims,
fake website templates where the targets will land (the phishing page),
lists of potential targets,
Some phishing kits are also designed to send a copy of the stolen data back to the kit's creator, so the more skilled operator profits twice: from selling the kit, and again by using the harvested credentials in future attacks or selling them to a third party.
All these components of a phishing kit show that such services are aimed at people who want to take part in cyberattacks but lack the technical ability to do so on their own.
Why Is PhaaS a Growing Problem for Organizations?
This new way for cybercriminals to make money has proved successful, so it is used more and more frequently. The FBI's 2022 Internet Crime Report shows that phishing remains the most frequently reported crime type on the Internet: 300,497 complaints in 2022, with reported losses of $52,089,159.
Footnotes in the FBI report advise companies to train their employees to recognize phishing emails. However, organizations should not rely on awareness training alone as protection against phishing attacks.
Until recently, a message full of grammar errors and misspellings would immediately put you on alert. Now attackers not only have access to generative AI tools but also operate their own custom ones, so writing a correct, persuasive phishing message is cheap and easy. Controls that do not depend on the message looking suspicious, such as DNS filtering that blocks the connection to the phishing page itself, are more likely to save the day.
One reason for the high numbers in the FBI report is the emergence of Phishing-as-a-Service. In the early days, phishing campaigns required attackers to have a high level of technical knowledge. Phishing-as-a-Service has made the whole process much faster and opened it to anyone with criminal intent.
The success of a phishing attack often rests on the preparatory work, so a well-built PhaaS platform will attract more and more attackers and, consequently, bring more money to phishing actors.
PhaaS has also made prosecuting phishing harder. Catching the person who carried out the attack does not end the story: the person who designed the phishing kit and the one who sold it still have to be found.
How to Protect Your Company Against PhaaS?
There is nothing you can do to stop the growth of the PhaaS industry. However, individuals and organizations can learn to protect themselves from attacks built with Phishing-as-a-Service.
Here are a few simple protection measures:
Pay attention to the sender of an email. Check the domain of the email address, not only the display name. Threat actors rely on you not looking twice at a potentially malicious email.
Spelling errors and formatting inconsistencies are another sign of phishing emails, although this indicator may disappear in the years to come because of generative AI.
Investigate every link before you click. Hover over it and check whether the actual URL matches what the message claims it to be.
Be cautious when downloading attachments, especially from senders you do not know personally.
Phishing emails will request your credentials in one form or another, so be very reluctant to divulge personal information online.
Train your employees to spot phishing campaigns. Most attacks against businesses start by targeting an employee. Education alone is not enough, but it is an important security measure.
Anti-phishing software can stop a phishing email before it reaches your or your colleagues' inboxes. Solutions that combine a zero-trust approach with machine learning and natural language processing (NLP) can identify even advanced attacks.
Use multi-factor authentication to protect assets. Even if threat actors capture your password in a phishing attack, they still need the second factor to sign in. Note that not every second factor resists phishing equally: a kit that proxies the real login page in real time can relay a one-time code and steal the resulting session cookie, so prefer phishing-resistant methods such as FIDO2/WebAuthn security keys, whose credentials are bound to the legitimate site's origin.
Phishing Attempt Red Flags
As well trained and aware as one might be, there is still a possibility of clicking a phishing link or downloading a harmful attachment. Most of the time, the sheer volume of emails and information a person has to deal with in a workday does the trick.
An email spoofing a message from the HR department can be a highly convincing decoy. Yet there are some classic red flags that everybody should be aware of.
So, be extra careful and double-check if:
the message requests, by any means, information such as credit card numbers, phone numbers, social security numbers, usernames, or passwords;
there is a sense of urgency in the tone of the message, a ”do this or else” kind of talk;
the domain of the sender's address is unknown or looks odd.
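The sender, link and wording checks from the protection list above and the red flags just listed, as an added example that is not part of the original article and not Heimdal's product code: a small Python triage script that parses a raw message and reports which flags it trips. The trusted domains (example.com and payroll-provider.example), the keyword lists and the two sample messages are constructed for the demonstration; the look-alike check uses plain edit distance and a crude "last two labels" domain comparison rather than a public-suffix list.

```python
# Added example (not Heimdal's code): heuristic triage of a raw RFC 5322 message
# against this article's red flags. Domains, keywords and samples are constructed.
import email
import email.utils
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED_DOMAINS = ("example.com", "payroll-provider.example")  # assumed org domains
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|suspended|act now|or else)\b", re.I)
CRED_REQUEST = re.compile(r"\b(password|credentials|social security number|credit card|verify your account)\b", re.I)
DOMAIN_RE = re.compile(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", re.I)

def levenshtein(a, b):
    """Edit distance, used to spot look-alikes such as examp1e.com for example.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):  # last two labels: a rough eTLD+1, no public-suffix list
    return ".".join(host.lower().strip(".").split(".")[-2:])

def lookalike(domain):  # trusted domain that `domain` imitates (distance <= 2), or None
    if not domain or domain in TRUSTED_DOMAINS:
        return None
    return next((t for t in TRUSTED_DOMAINS if levenshtein(domain, t) <= 2), None)

class LinkExtractor(HTMLParser):
    """Collects (href, visible text) for each <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def body_text(msg):  # decoded text of every text/* part, single-part or multipart
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    return "\n".join((p.get_payload(decode=True) or b"").decode(p.get_content_charset() or "utf-8", "replace")
                     for p in parts)

def triage(raw_message):
    """Return (flag, detail) pairs for the message; an empty list means nothing suspicious."""
    msg = email.message_from_string(raw_message)
    flags = []
    # 1. Sender: judge the address domain, not the display name, and catch look-alikes.
    name, addr = email.utils.parseaddr(msg.get("From", ""))
    sender_domain = addr.rpartition("@")[2].lower()
    if sender_domain not in TRUSTED_DOMAINS:
        if any(t in name.lower() for t in TRUSTED_DOMAINS):
            flags.append(("sender-domain-mismatch", f"{name!r} sent from {addr}"))
        if hit := lookalike(sender_domain):
            flags.append(("sender-lookalike", f"{sender_domain} resembles {hit}"))
    # 2. Authentication-Results stamped by the receiving MX: failed SPF/DKIM/DMARC.
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", msg.get("Authentication-Results", ""), re.I):
        if result.lower() in ("fail", "softfail", "permerror"):
            flags.append(("auth-fail", f"{mech}={result}"))
    # 3. Links: visible text naming one site while the href goes to another.
    body = body_text(msg)
    links = LinkExtractor()
    links.feed(body)
    for href, label in links.links:
        href_host = (urlparse(href).hostname or "").lower()
        shown = DOMAIN_RE.search(label)
        if href_host and shown and registrable(shown.group(0)) != registrable(href_host):
            flags.append(("link-mismatch", f"shows {shown.group(0)}, goes to {href_host}"))
        if hit := lookalike(registrable(href_host)):
            flags.append(("link-lookalike", f"{href_host} resembles {hit}"))
    # 4. Tone and ask: urgency, and requests for credentials or card data.
    text = f"{msg.get('Subject', '')}\n{body}"
    if m := URGENCY.search(text):
        flags.append(("urgency", m.group(0)))
    if m := CRED_REQUEST.search(text):
        flags.append(("credential-request", m.group(0)))
    return flags

def is_suspicious(raw_message, threshold=2):  # two distinct flags: quarantine for review
    return len({flag for flag, _ in triage(raw_message)}) >= threshold

# Constructed sample messages (not real traffic).
PHISH = """\
From: "Payroll at example.com" <hr-notices@examp1e.com>
To: alice@example.com
Subject: URGENT: confirm your payroll login within 24 hours
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=examp1e.com; dkim=none
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account will be suspended. Please verify your account and password at
<a href="http://login.examp1e.com/reset">https://payroll-provider.example/login</a>.</p></body></html>
"""

BENIGN = """\
From: IT Helpdesk <helpdesk@example.com>
To: alice@example.com
Subject: Reminder: Friday lunch-and-learn on phishing
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
Content-Type: text/html; charset="utf-8"

<html><body><p>Slides are at <a href="https://intranet.example.com/training">https://intranet.example.com/training</a>.</p></body></html>
"""
```

Call `triage()` on the raw text of a message (for example one saved from a mail client) to see every flag with its evidence, and `is_suspicious()` for a simple quarantine decision; on the constructed phishing sample all seven flags fire, on the benign one none. The Authentication-Results header is only trustworthy when your own receiving MX wrote it, so a real deployment should strip any copy that arrives from outside before running this check.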
How Can Heimdal® Help?
Malicious actors deliver most of their phishing attacks via email, which is why Heimdal Email Security is a necessary addition to your spam filter. The solution is a ground-breaking malware protection system that safeguards your digital communications with more security vectors than any other platform on the market.
Lightweight and simple to set up, it includes cutting-edge spam filtering that detects and removes malicious attachments, screens out infected IPs and domains, and recognizes malicious links.
Heimdal's solution sits in line between the Internet and your organization's email server (for the inbound mail flow) or vice versa (for the outbound mail flow). This way it protects both inbound and outbound mail flows.
It works like this.
When you receive an email, the message goes through the HEIMDAL Security MX records found in the domain's DNS (eu-esec-01.heimdalsecurity.com or eu-esec-02.heimdalsecurity.com). When the email reaches HEIMDAL's servers, our engines perform 6 different operations to keep you safe:
Advanced Threat Protection,
When you send an email, the message leaves from the organization’s Outbound server towards the HEIMDAL Security smart host (eu-esec-outbound.heimdalsecurity.com). After that, the engines get to work for:
The PhaaS trend is nowhere near its end, as it brings skilled attackers many advantages: more money and fewer risks. Newcomers are also on board, able to launch professional-level attacks without acquiring the actual skills.
So, while adversaries improve their techniques and go on with their business, you should do the same with yours. IP filtering, DNS filtering, multi-factor authentication, and cybersecurity education are four of the critical elements that protect organizations from this kind of cyber threat.
A proactive strategy is always the winning card in cybersecurity. Don't wait until your credentials are stolen or your network is breached to invest in protecting yourself and your company. Knowledge is the best strategy, so stay informed about the latest developments in the phishing business and choose the right tools to shelter you from malicious actions.
Andreea is a digital content creator within Heimdal® with a great belief in the educational power of content. A literature-born cybersecurity enthusiast (through all those SF novels…), she loves to bring her NGO, cultural, and media background to this job.