What is Phishing as a Service (PhaaS)? | EasyDMARC


Phishing is the most common form of cyberattack by a wide margin. The reason is simple: it is far cheaper and easier to run than almost any other attack, and it succeeds often enough to be profitable. The attacker needs no exploit, only a convincing message and a victim who clicks.

It is a low-effort scam that was already widespread and growing, and it is now enjoying a further surge in popularity. The reason is phishing as a service: people can now run phishing campaigns with no hacking or social-engineering expertise of their own.

What is PhaaS?

Phishing as a service (PhaaS) is a paid offering in which a criminal operator supplies a ready-made phishing campaign so that the buyer never has to build one. For a fee, the service provides email templates, kits that clone the login pages of well-known brands, and often hosting for the fake sites and a management panel that automates the campaign.

How Does Phishing as a Service Work?

The process behind PhaaS is simple. An attacker signs up with the operator, pays, and either picks a ready-made campaign or has the operator build and deploy one against the targets of their choice. What the buyer gets is a cloned login page that captures whatever the victim types into it, hosting for that page, and a mechanism for collecting and handing over the stolen credentials.

One of the largest PhaaS operations to be documented publicly is BulletProofLink, which Microsoft researchers described in 2021 after tracking it for several years; it sold more than a hundred phishing templates along with hosting and credential delivery. Microsoft's investigation tied the operation to many of the phishing campaigns hitting enterprises at the time. It also found that the operators quietly kept a copy of the credentials their customers' campaigns harvested, so the same stolen data was monetized twice ("double theft").

Is PhaaS a Crime?

Phishing is, of course, illegal. Impersonating a person or a brand to trick someone into handing over credentials or money is fraud, and depending on the jurisdiction it is also prosecuted as identity theft or unauthorized computer access. These scams have always been criminal activity, and always will be.

Offering phishing as a paid service only adds another layer to that criminality. Buying the service does not shift responsibility away from the customer. At best they are treated as a willing accomplice of the operator; at worst the operator disappears, denies any involvement, and leaves the customer to face the consequences alone.

Is PhaaS Efficient?

PhaaS is designed to be as attractive as possible to would-be attackers, and in particular to those who could not set up a phishing campaign themselves. The name says it all: if you cannot build a phishing attack, the operator builds it for you.

It is a surprisingly organized business. Buyers choose the type of attack they want and are either quoted a fixed price or offered a revenue-sharing arrangement in which the proceeds of a successful scam are split with the operator. Most buyers find the prices reasonable, since they need no expertise of their own to get a working campaign. The result is that a large share of today's phishing attacks are built on kits and infrastructure bought from such providers.

Phishing as a Service Examples

Microsoft has spent several years investigating the phishing-as-a-service market. Over that time its researchers have found that a surprising number of well-known, large-scale phishing incidents can plausibly be traced back to PhaaS operators.

For example, the 2018 business email compromise against Cabarrus County, North Carolina, which cost the county roughly 1.7 million USD, was very likely carried out with tooling from one of these providers. More recently, Shark Tank judge Barbara Corcoran was tricked into approving a wire of almost 400,000 USD by an attacker whose spoofed email address mimicked her assistant's; that attacker, too, is believed to have used these services.

Why is it Dangerous for Your Business?

It is easy to see why this matters to your own business. Easier access to phishing tooling means more phishing, and more attackers in circulation is never good news for a company. Phishing as a service has lowered the bar to entry so far that anyone with a keyboard and questionable morals can run a campaign.

How to Protect Against PhaaS?

The steps you need to take against PhaaS-driven attacks are the same ones you would take against any other phishing. With luck, the buyer of the service will know less about running a campaign than a seasoned attacker, but do not count on that; prepare as though the attacker is competent.

We recommend the following to minimize your risk of attacks:

  • Do not rely on a VPN for this. A VPN hides your traffic from the network you are on, but a phishing email reaches the inbox regardless, and the victim's own VPN connection carries them to the fake login page just as well. Use DNS filtering or a secure web gateway to block known phishing domains instead.
  • Publish SPF, DKIM and an enforcing DMARC policy (p=reject) for your domains, and use an email protection service such as EasyDMARC to monitor and manage them, so that attackers cannot send mail that appears to come from your own domain.
  • Turn on multi-factor authentication everywhere, preferring phishing-resistant methods such as FIDO2 security keys or passkeys; kits that proxy the real login page can capture one-time codes along with the password, so SMS and app codes are not enough on their own.
  • Be cautious about which emails you open, and use a sandbox environment to examine suspicious attachments and links safely.
  • When a message asks for information or a payment, confirm the request through a channel you already trust (a phone number on file, or a conversation in person) before acting on it.
  • Keep endpoint protection and all other software updated.
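The following Python script is an added example, not code from the original EasyDMARC article or from the EasyDMARC product. It shows what two of the items above come down to at the mail gateway: checking whether a domain's DMARC record actually enforces anything (p=none only reports; p=reject blocks spoofed mail), and triaging incoming messages using the Authentication-Results header that the receiving mail server adds, together with a simple lookalike-domain check. The DMARC records, the three sample messages, and the TRUSTED_DOMAINS and INTERNAL_DISPLAY_NAMES settings are all constructed for the example; nothing here performs a live DNS lookup.

```python
import re
from email import message_from_string
from email.message import Message
from email.utils import parseaddr

# Constructed sample DMARC records, not live DNS lookups: the monitoring-only
# record many domains start with, next to a fully enforcing one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.com")

# Hypothetical tenant configuration: the domains we own, and display names
# that impersonation attempts commonly borrow.
TRUSTED_DOMAINS = {"example.com"}
INTERNAL_DISPLAY_NAMES = {"finance team", "ceo", "it support"}

# Character substitutions used to build lookalike domains. This is a coarse
# heuristic (it would also fold "modern.com" into "modem.com"); a real
# deployment would use a proper confusables table and an allow-list.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o")]

# Constructed sample messages as they look after the receiving MTA has
# stamped its Authentication-Results header (not real captured mail).
LEGIT_MAIL = """From: Finance Team <finance@example.com>
To: staff@example.com
Subject: Q3 expense policy
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com

Please review the attached policy.
"""

SPOOF_MAIL = """From: Finance Team <finance@example.com>
To: staff@example.com
Subject: Urgent: confirm your password
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=example.com; dkim=none; dmarc=fail header.from=example.com

Your mailbox is full. Log in at http://example-com-login.test/ to keep access.
"""

LOOKALIKE_MAIL = """From: Finance Team <finance@examp1e.com>
To: staff@example.com
Subject: Payment request
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=examp1e.com; dkim=pass header.d=examp1e.com; dmarc=pass header.from=examp1e.com

Please wire the attached invoice today.
"""


def parse_dmarc(record: str) -> dict:
    """Split a DMARC TXT record ('tag=value; tag=value') into a tag dict."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_policy_strength(record: str) -> str:
    """Classify a record: 'enforcing' only when p=reject applies to 100% of mail."""
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy == "reject" and pct == 100:
        return "enforcing"
    if policy in ("quarantine", "reject"):
        return "partial"
    return "monitor-only"


def normalize_confusables(domain: str) -> str:
    """Map common substitutions back to the letters they imitate."""
    for fake, real in CONFUSABLES:
        domain = domain.replace(fake, real)
    return domain


def is_lookalike(domain: str) -> bool:
    """True when the domain imitates a trusted domain without being it."""
    return domain not in TRUSTED_DOMAINS and normalize_confusables(domain) in TRUSTED_DOMAINS


def parse_auth_results(msg: Message) -> dict:
    """Pull the spf/dkim/dmarc verdicts out of the MTA's Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


def assess_message(raw: str) -> tuple:
    """Return ('deliver' | 'quarantine' | 'reject', reasons) for one raw message."""
    msg = message_from_string(raw)
    verdicts = parse_auth_results(msg)
    display, address = parseaddr(msg.get("From", ""))
    domain = address.rsplit("@", 1)[-1].lower()
    reasons = []
    # Mail claiming to be from our own domain must pass DMARC; this is what an
    # enforcing DMARC policy lets every receiver apply to mail from us.
    own_domain_failed = domain in TRUSTED_DOMAINS and verdicts.get("dmarc") != "pass"
    if own_domain_failed:
        reasons.append(f"own domain {domain} did not pass DMARC ({verdicts.get('dmarc', 'missing')})")
    # DMARC cannot catch an attacker's own domain; look for impersonation cues.
    if domain not in TRUSTED_DOMAINS and display.strip().lower() in INTERNAL_DISPLAY_NAMES:
        reasons.append(f"internal display name '{display}' sent from external domain {domain}")
    if is_lookalike(domain):
        reasons.append(f"lookalike domain {domain}")
    if own_domain_failed:
        return "reject", reasons
    return ("quarantine" if reasons else "deliver"), reasons


if __name__ == "__main__":
    for label, record in (("weak", WEAK_DMARC), ("strong", STRONG_DMARC)):
        print(f"{label} DMARC record: {dmarc_policy_strength(record)}")
    for name, raw in (("legit", LEGIT_MAIL), ("spoof", SPOOF_MAIL), ("lookalike", LOOKALIKE_MAIL)):
        action, reasons = assess_message(raw)
        print(f"{name}: {action} {reasons}")
```

The two halves of the check are deliberately separate. DMARC with p=reject stops the first sample attack (mail forged as your own domain), which is why the monitoring-only record is reported as weak. It does nothing against the third sample, where the attacker registered a lookalike domain and set up SPF and DKIM for it, so that message passes authentication and is only caught by the display-name and confusable-character heuristics. Kits sold through PhaaS operators routinely use exactly that second pattern.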

Final Thoughts

Phishing as a service unfortunately adds yet another item to the list of threats companies must worry about. This new way for attackers to obtain campaign-ready tooling will only become more troublesome for businesses over time. With sensible caution and a proper understanding of the defenses above, however, such campaigns have a much harder time succeeding.

Various authors from the EasyDMARC teams have contributed to our blog during the company's lifetime. This author brings everyone together.

