
July 18, 2025
Reflecting on its industrialisation and commercialisation in the cybercrime ecosystem.
Barracuda Networks has published a non-technical explainer on Phishing-as-a-Service (PhaaS). It covers some of the latest PhaaS attacks, highlights the most popular kits currently circulating online, and describes the new tactics attackers are using to avoid detection.
The striking statistic is not only the rise in attacks, but that 60% to 70% of the phishing attacks this year have come from PhaaS kits. A PhaaS kit is a pre-packaged set of tools and resources provided by a Phishing-as-a-Service platform that enables cybercriminals, often with little technical expertise, to launch phishing attacks quickly and efficiently. Attackers can subscribe to or purchase these kits, often through darknet forums or messaging apps like Telegram.
These kits are a core component of the PhaaS business model, which operates much like legitimate software-as-a-service platforms but is designed for malicious purposes. The kits lower the barrier to entry for cybercrime, allowing even non-technical users to conduct sophisticated, large-scale phishing campaigns. PhaaS providers may also offer customer support, attack dashboards, and anti-detection features, making the process even more accessible and effective for would-be attackers.
Key components typically included in a PhaaS kit:
- Email templates: Ready-made, customisable email messages designed to impersonate trusted brands or organisations.
- Fake website templates: Pre-built web pages that closely mimic legitimate login portals or transaction pages, often including fake multi-factor authentication prompts.
- Domain registration services: Tools or services to help attackers register domains that look like real company domains.
- Hosting infrastructure: The technical backend to host fake websites, often maintained by the PhaaS provider to ensure the phishing pages remain online and undetected.
- Attack instructions: Step-by-step guides or tutorials on how to deploy the phishing campaign.
- Credential management: Features to collect and store stolen login credentials or other sensitive data from victims.
- Customisation options: The ability to tailor emails, websites, and domains to target specific individuals or organisations, increasing the likelihood of success.
New techniques are making these attacks harder to detect. For instance, attackers encrypt malicious code so that security software struggles to inspect it, and they host phishing content on real, trusted websites rather than on fake ones. New and emerging kits on the market combine phishing and malware delivery, and adapt their appearance quickly to bypass email filters.
What makes these kits particularly dangerous is the fact that they constantly evolve, updating their methods and producing newer, more sophisticated kits to avoid being detected by security systems. This ongoing development helps scammers stay one step ahead and makes it harder to shut them down. Because PhaaS platforms operate globally and utilise servers and websites in various countries, it becomes challenging to track them down or shut them off quickly.
No one is exempt from being targeted. Everyone will get emails that look like they’re from their banks, platforms, favourite stores or services they use. Attackers will try to sneak into company systems through employees, and businesses and organisations of all sizes will have their security protections tested. Even well-known brands like Marks & Spencer (M&S) have fallen victim to sophisticated cyber attacks, highlighting how pervasive and indiscriminate these threats have become.
Preventing phishing attacks requires a mix of technical defences and human vigilance. Organisations should invest in employee training to help staff recognise suspicious emails and report them quickly, while also deploying robust security measures like email filters, multi-factor authentication, and regular system updates. Limiting user permissions and running phishing simulations can further reduce risk, and having a clear incident response plan ensures a quick reaction if an attack succeeds. Ultimately, staying ahead of phishing means combining up-to-date technology with continuous awareness, so that both people and systems become stronger barriers against ever-evolving threats.
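One building block of the email filtering mentioned above is a check that flags sender domains which merely resemble a trusted brand, since that is how the lookalike domains and fake login portals described earlier usually surface in a mailbox. The script below is an added example and is not code from the Barracuda explainer or from Economit. The trusted-domain list, the homoglyph table and the sample From: headers are all constructed for illustration; a production filter would use a public-suffix list and a fuller Unicode confusables table.

```python
"""Classify sender domains by their resemblance to trusted brand domains.

Added illustrative example; all lists and sample headers are constructed.
"""
import re
import unicodedata

# Constructed list of domains the organisation treats as trusted senders.
TRUSTED_DOMAINS = ["example-bank.com", "economit.co.uk", "microsoft.com"]

# Constructed homoglyph table: substitutions that make a lookalike domain read
# like the genuine one. Multi-character keys come first so "rn" folds to "m"
# before the single characters are handled.
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"),
              ("3", "e"), ("5", "s"), ("7", "t")]


def sender_domain(header_value: str) -> str:
    """Extract the lowercase domain from a From: header value such as
    'Alerts <alerts@example-bank.com>' or a bare address."""
    match = re.search(r"<([^>]+)>", header_value)
    address = match.group(1) if match else header_value.strip()
    return address.rsplit("@", 1)[-1].strip().lower()


def fold(domain: str) -> str:
    """NFKC maps fullwidth and other compatibility characters back to ASCII;
    the homoglyph table then collapses the usual look-alike substitutions."""
    folded = unicodedata.normalize("NFKC", domain).lower()
    for needle, replacement in HOMOGLYPHS:
        folded = folded.replace(needle, replacement)
    return folded


def levenshtein(a: str, b: str) -> int:
    """Edit distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(header_value: str, trusted=TRUSTED_DOMAINS):
    """Return (domain, verdict, closest_trusted_domain).

    Checks run from most to least specific: genuine domain or subdomain,
    homoglyph match after folding, small edit distance (typosquat), and
    finally a trusted brand name embedded in an otherwise different domain.
    """
    domain = sender_domain(header_value)
    folded = fold(domain)
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return domain, "trusted", t
    for t in trusted:
        if folded == fold(t):
            return domain, "homoglyph-lookalike", t
    best = min(trusted, key=lambda t: levenshtein(folded, fold(t)))
    distance = levenshtein(folded, fold(best))
    # Allow two edits for longer names and one for short ones to limit false hits.
    if distance <= (2 if len(best) >= 10 else 1):
        return domain, "typosquat", best
    for t in trusted:
        if t.split(".")[0] in folded:  # brand label buried in a longer domain
            return domain, "brand-embedded", t
    return domain, "unrelated", ""


# Constructed From: headers standing in for a mail log.
SAMPLE_HEADERS = [
    "Alerts <alerts@example-bank.com>",
    "Alerts <alerts@examp1e-bank.com>",
    "Support <help@exampel-bank.com>",
    "Security <login@example-bank.com.verify-account.net>",
    "noreply@microsft.com",
    "Account Team <team@\uff4dicrosoft.com>",
    "IT <it@mail.economit.co.uk>",
    "Sales <sales@unrelated-shop.org>",
]


def triage(headers=SAMPLE_HEADERS):
    """Classify every header and return the list of results."""
    return [classify_sender(h) for h in headers]


if __name__ == "__main__":
    for domain, verdict, closest in triage():
        print(f"{domain:45} {verdict:20} {closest}")
```

Only the "trusted" verdict is safe to allow through on its own; the other verdicts are signals for quarantine or for a closer look at the message body, and the thresholds should be tuned against the organisation's own mail flow to keep false positives low.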
For businesses, investing in Cyber Essentials is a straightforward step towards greater resilience in today’s ever-evolving threat landscape, offering a practical, affordable way to boost cybersecurity standards. Designed for organisations of all sizes, it helps protect against common threats like phishing, hacking and password breaches by encouraging best practices and building a solid security foundation. Economit can guide your company through the Cyber Essentials requirements, ensuring your controls are in place before starting the questionnaire, and we are a trusted partner of Indelible Data, ensuring that you get the best pricing for your certification.
To discuss Economit’s cybersecurity consultancy services, get in touch:
Phone: 01332 447447
Email: hello@economit.co.uk
Website: www.economit.co.uk