What is phishing as a service (PhaaS), and how can you protect yourself from it?
As bad as phishing was before, at least attackers needed a certain level of skill to execute it. Now, phishing as a service (PhaaS) makes it easier for inexperienced cybercriminals to trick unsuspecting individuals into giving up their personal information and hard-earned money. Read on to learn more about red flags to watch out for and other ways to stay safe from these attacks.
What is phishing as a service in cybersecurity?
Phishing as a service (PhaaS) is a toolkit that equips malicious actors with detailed instructions, infrastructure, and tools to launch sophisticated phishing campaigns. These kits, created by skilled developers, include email templates, landing pages, and code. In some cases, these kits are designed to send copies of stolen data back to the service provider, enabling it to access this information and profit further by selling it to a third party.
A proactive approach is essential for mitigating cyber threats, and PhaaS is no exception. Companies and individuals need to learn how to select the right tools to shield themselves from identity theft and other cybercrimes.
What is the difference between phishing and PhaaS?
The main difference between phishing and PhaaS is how they are facilitated. Phishing is an attack in which cybercriminals trick victims into providing access to their bank accounts and personal information by impersonating legitimate individuals, companies, or organizations. It usually comes in the form of an email, while similar attacks like smishing and vishing are carried out over text messages and phone calls, respectively. Vishing scams also make use of Voice over IP (VoIP) technology.
In contrast, phishing as a service is a business model that enables cybercriminals to launch phishing attacks without needing to create fake web pages or email templates themselves.
How does phishing as a service work?
Launching a PhaaS-driven scam is simple, which is a major reason why phishing attacks have been on the rise. Bad actors carry out the process by:
- Acquiring a kit. First, a malicious actor purchases a phishing kit from a service provider. Developers used to advertise their services mainly on the dark web, but now they look for customers on the surface web as well.
- Creating a campaign. Using pre-designed templates for convincing fake emails and phishing pages, PhaaS makes it incredibly easy for a rookie hacker to set up a phishing campaign.
- Launching the campaign. And just like that, a cybercriminal is ready to initiate a phishing attack. The PhaaS platform sends out phishing emails, often using advanced techniques to bypass spam filters.
- Collecting private data. When unsuspecting users click malicious links and enter information such as usernames, passwords, phone numbers, and credit card details, this data goes directly to the cybercriminal behind the campaign. This process gives them access to the information they need to commit identity theft and financial fraud. Sometimes they threaten to make sensitive information public so they can extort their victims.
Who are the targets of phishing as a service?
Another troubling aspect of this business model is the wide range of victims hackers can target with phishing attacks, including:
- Individuals. It’s nearly impossible to operate a business, shop, or stay connected with friends without an online presence. The more online accounts you have — whether with email services, social media, online retailers, or banking institutions — the higher the risk of falling victim to phishing attacks. It’s not just credit card information at risk — personal details and other sensitive data can be compromised as well.
- Companies. Hackers leverage PhaaS to target businesses of all sizes. They often focus on banks and financial institutions, but no company is safe from a potential attack. For example, a PhaaS platform called Greatness specifically targets Microsoft 365 business users. Additionally, fake emails and websites used in phishing campaigns often imitate legitimate businesses and can damage their reputation.
Impact of PhaaS for organizations
Phishing as a service can have a profound impact on organizations. Many businesses have learned to manage phishing campaigns over the years, but several aspects of PhaaS make it a more prevalent and concerning issue. PhaaS results in:
- More frequent, complex attacks. PhaaS removes the technical barriers, allowing more threat actors to launch successful phishing campaigns despite their low technical expertise. They can take advantage of the developer’s expert knowledge to launch a phishing attack and use advanced techniques to avoid detection. Many phishing kits include customer support as well, providing attackers with assistance in configuring and troubleshooting their campaigns.
- Attacks coming from multiple fronts. As mentioned, most phishing kits sold to malicious actors typically include a way to transmit victims’ stolen data back to the kits’ developer. This access enables the developer to sell the information to anyone, so potential victims have to deal not only with the original hacker but also with other malicious actors who receive their information from the phishing service.
- Criminals not getting caught. Since many attackers who purchase phishing kits lack experience, they rarely cover their tracks and can face legal consequences for their actions. However, the service providers who design the phishing kits — and often cause far more damage — are not the ones launching the actual attacks. Because of this and their superior cloaking methods, they often evade prosecution.
Phishing as a service: Red flags to be aware of
If you’re concerned about yourself or your company becoming a PhaaS victim, recognizing key red flags may help you identify phishing emails and improve your email security:
- Suspicious email addresses. If a sender claims to represent a business or organization, their email address should be associated with that group (for example, “businessname.com”). If you’re unfamiliar with the email address’s domain or if it resembles a known brand but contains spelling errors, it may indicate that someone has used PhaaS in an attempt to access your accounts.
- Suspicious links. In a PhaaS-driven campaign, a phishing kit developer creates highly convincing decoy websites. The phishing page may look like a legitimate login page. However, it is merely a scam designed to steal your login credentials, phone number, credit card details, and other information. Before clicking on a link in an email, hover over it to see if the address it actually points to matches the brand’s official website, and be especially wary when the visible link text shows one address but the underlying link goes somewhere else. Look for the appropriate company logo in the email as well. Another sign of a suspicious link is that it could be missing the “s” after “http,” which means the connection is not encrypted (although the presence of “https” alone does not prove a site is legitimate, since phishing pages can use it too).
- A sense of urgency. Most phishing messages will attempt to pressure you into responding immediately by setting a time limit. It could be a huge discount that will only be available until midnight or a short period to cancel a fraudulent purchase. They will invoke strong emotions such as joy (you’ve won a contest), trust (an email from a coworker), and especially fear (your account has been hacked).
- Requests for personal information. These malicious actors are out to steal private data, so they will likely ask for passwords, bank details, or Social Security numbers. Never provide this kind of information in response to an unsolicited request. If you’re concerned the email might be legitimate, you can contact the organization directly to verify it.
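The address and link red flags above can be checked mechanically before anyone has to eyeball a message. The following is an added example, not code from the article or from NordVPN, written from the defender's side: it pulls the links out of an HTML email and flags plain-http links, domains that are small edits of a known brand, brand names buried inside an unrelated domain, and anchor text that displays one address while linking to another. The brand list, the sample message, and the two-label "registrable domain" rule are constructed assumptions for the demo; a production filter would use the Public Suffix List and a much larger brand set.

```python
"""Defender-side triage of links in a suspected phishing email (added example)."""
import re
from urllib.parse import urlparse

# Constructed assumption: the brands this organisation legitimately receives mail from.
KNOWN_BRANDS = ("microsoft.com", "paypal.com", "examplebank.com")

# <a ... href="...">text</a>; group 1 = href, group 2 = visible anchor text
ANCHOR_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
# Anchor text that itself looks like a web address (www.paypal.com, https://x.y/z)
URL_LIKE_RE = re.compile(r"^(?:https?://)?(?:[\w-]+\.)+[a-z]{2,}(?:/\S*)?$", re.I)


def registrable_domain(host: str) -> str:
    """Last two DNS labels, e.g. login.paypal.com -> paypal.com.
    Simplification for the demo: a real filter would consult the Public Suffix List."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one or two edits from a brand is a typosquat signal."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_flags(host: str) -> list[str]:
    """Red flags for the host part of a link, relative to the known brands."""
    host = host.lower()
    domain = registrable_domain(host)
    if domain in KNOWN_BRANDS:
        return []  # the brand's own domain, or a subdomain of it
    flags = []
    for brand in KNOWN_BRANDS:
        brand_name = brand.split(".")[0]
        if brand_name in host:
            # paypal.com.secure-verify-login.net, paypal-support.net: brand used as bait
            flags.append(f"brand-in-unrelated-domain:{brand}")
        elif 0 < edit_distance(domain, brand) <= 2:
            # micros0ft.com, paypa1.com: a few characters away from the real thing
            flags.append(f"lookalike:{brand}")
    return flags


def assess_link(anchor_text: str, href: str) -> list[str]:
    """All red flags for one link: transport, destination domain, and display mismatch."""
    parsed = urlparse(href.strip())
    host = parsed.hostname or ""
    flags = ["plain-http"] if parsed.scheme == "http" else []
    flags.extend(domain_flags(host))
    shown = anchor_text.strip()
    if URL_LIKE_RE.match(shown):
        shown_host = urlparse(shown if "://" in shown else "https://" + shown).hostname or ""
        if registrable_domain(shown_host) != registrable_domain(host):
            flags.append("display-mismatch")  # text says one site, link goes to another
    return flags


def triage_email(html: str) -> dict[str, list[str]]:
    """Map every href in the message to its red flags (an empty list means no flag)."""
    strip_tags = lambda s: re.sub(r"<[^>]+>", "", s)
    return {href: assess_link(strip_tags(text), href) for href, text in ANCHOR_RE.findall(html)}


# Constructed sample message mixing one legitimate link with three suspicious ones.
SAMPLE_EMAIL = """
<p>Your account has been limited. Act before midnight!</p>
<a href="https://www.paypal.com/signin">Sign in</a>
<a href="http://paypal.com.secure-verify-login.net/x">www.paypal.com</a>
<a href="https://micros0ft.com/reset">Reset password</a>
<a href="https://examplebank.com/help">Help centre</a>
"""

if __name__ == "__main__":
    for href, flags in triage_email(SAMPLE_EMAIL).items():
        print(f"{'SUSPICIOUS' if flags else 'ok        '} {href} {flags}")
```

Any link that collects a flag is worth quarantining or routing to a human reviewer; the second sample link trips three at once (plain http, a brand name used as a subdomain of a stranger's domain, and anchor text that displays a different site), which is the pattern the hover check in the list above is meant to expose.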
How to stay safe from PhaaS
Apart from spotting red flags, you can take a few extra steps to increase email security and protect yourself and your company from PhaaS:
- Invest in anti-phishing software. With quality anti-phishing software, you won’t have to worry about spotting the signs of a phishing email since there’s little chance that any will even reach your inbox. Threat intelligence and machine learning allow anti-phishing software to identify and detect phishing patterns, continuously learn from new data, and adapt to the latest trends, enhancing your email security.
- Employ multi-factor authentication. Multi-factor authentication requires you to enter a password and provide at least one additional piece of information when logging into an account. This can involve a code sent by text or email or biometric authentication methods like a fingerprint or face scan. Unlike two-factor authentication, multi-factor authentication can require more than two steps to identify a user. It provides an added layer of protection — even if a hacker uses PhaaS to acquire your username and password, they likely won’t be able to meet the other authentication requirements to access your account.
- Use DNS filtering. As vigilant as you may be, you could still end up clicking on a phishing link in an email. DNS filtering is a service that prevents you from visiting unsafe corners of the Internet. A DNS filtering tool checks your requests against a list of domains, blocking access to dangerous ones. DNS filtering is a feature of NordVPN’s Threat Protection Pro™, which is integrated directly into the NordVPN app and will help to protect you from PhaaS and other cybersecurity threats.
- Stay informed. Keeping up with cybersecurity news will ensure that you are aware of the latest threats and updates and will help you and your company stay ahead of the curve. You can prepare accordingly if you’re aware of recent Internet data breaches and security vulnerabilities.
PhaaS is a serious threat but one you can defend against
Keeping safe online is hard enough without hackers who constantly devise new and more sophisticated ways to scam people out of their private information. It is especially scary that a business model like phishing as a service makes it possible for any hacker to buy a cheap phishing kit from a developer and launch a phishing attack.
Don’t get discouraged. As this article shows, there are several PhaaS red flags to watch out for and tools individuals and companies can use to avoid becoming victims. If you believe that your information has been compromised, file a complaint with the Internet Crime Complaint Center (IC3).