
This is Not a Drill: Phishing-as-a-Service

November 07, 2019

Up first in the Not-News: cybercrime is a problem that’s expected to cost $6 trillion annually by 2021. Which means hackers are always thinking up new ways of fooling people, right?

Well, yes. But also no. The most common hook cybercriminals use is one that’s been around for more than 30 years: phishing.

[Infographic: Phishing Supergraphic]

Some interesting stats:

And the primary tool for delivering phishing attacks is email.

PhaaS

According to Webroot, 1.5 million new phishing sites are created every month. That’s more than 46,000 per day.

If that seems like an outrageous number, it is. And part of the reason it’s possible is the advent of Phishing-as-a-Service offerings, which help entry-level hackers get started.

[Infographic: Product Services Supergraphic]

In the past, running a phishing campaign required threat actors to have some technical knowledge: they had to use phishing kits, compromise sites to host the landing pages that steal credentials, and create realistic spam campaigns.

To lower this barrier to entry, new criminal sites are being developed that offer Phishing-as-a-Service, which includes a phishing kit and hosting for phishing forms at a very low cost. This allows would-be criminals with little technical knowledge to easily get started with their own phishing campaigns.


These hosted, SaaS-model offerings are simple, cheap and surprisingly sophisticated. And, given the growth we’re seeing, we can expect clever cybercriminals to keep coming up with new threat services.

Fortunately, there are tried-and-true ways of protecting yourself. From the user’s perspective PhaaS is the same as any other phishing method, and we recently developed a comprehensive list of 22 ways to protect yourself against phishing attacks. In particular:

  • Never trust any source that requests sensitive information via email.
  • Never trust a source that doesn’t know your name and account information. If the greeting is generic, it’s probably a scam.
  • Watch for overly urgent subject lines and language like "Verify your account." Emails saying your account has been compromised frequently tip off a phishing attack.
  • Does the email contain attachments? If it’s an unsolicited approach with an attachment, it may well be a scam.
  • Does the email’s message contain a shortened URL? Hover over it (but don’t click). Check your status bar – does it show a legitimate address? If not, it’s a scam.
  • Be wary of pop-ups, which are frequently employed in phishing attacks. Most commonly used browsers allow you to block pop-ups by default.
  • When in doubt, do not click. Make “don’t click” your default setting. Only click a link once you’re sure it’s safe.

And absolutely, positively:

  • Report potential phishing emails to IT.
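Several of the checks in the list above (urgent subject lines, generic greetings, unsolicited attachments, shortened URLs, and link text that does not match the real address) can also be run automatically over a reported message before an analyst opens it. The following is an added example, not part of the original post; the word lists, shortener hosts and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from email.policy import default
from urllib.parse import urlparse

# Assumed word lists for illustration; tune them for your own mail flow.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly"}
URGENT = re.compile(r"verify your account|account has been compromised|urgent", re.I)
GENERIC = re.compile(r"\b(dear|hello|hi)\s+(customer|user|member|client)\b", re.I)
LINK = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
SHOWN_HOST = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)

def phishing_indicators(raw):
    """Return the checklist indicators found in one raw RFC 5322 message."""
    msg = message_from_string(raw, policy=default)
    hits = []
    if URGENT.search(msg.get("Subject", "")):
        hits.append("urgent-subject")
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part else ""
    if GENERIC.search(re.sub(r"<[^>]+>", " ", body)):
        hits.append("generic-greeting")
    if next(msg.iter_attachments(), None) is not None:
        hits.append("attachment")
    for href, label in LINK.findall(body):
        host = (urlparse(href).hostname or "").lower()
        if host in SHORTENERS:
            hits.append("shortened-url")
        # Link text that displays one host while the href points at another.
        shown = SHOWN_HOST.search(label)
        if shown and shown.group(1).lower() != host:
            hits.append("link-text-mismatch")
    return hits

def sample_message():
    """Constructed test message; every address and host in it is made up."""
    m = EmailMessage()
    m["From"] = "Support <support@example.test>"
    m["Subject"] = "Urgent: Verify your account"
    m.set_content('<p>Dear Customer,</p>\n<p>Sign in at '
                  '<a href="https://bit.ly/x1">https://www.example-bank.test/login</a></p>',
                  subtype="html")
    m.add_attachment(b"constructed bytes", maintype="application",
                     subtype="octet-stream", filename="invoice.zip")
    return m.as_string()

if __name__ == "__main__":
    print(phishing_indicators(sample_message()))
```

A message that trips several indicators at once is a good candidate for the front of the IT review queue; a single hit on its own is weak evidence.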

Vigilance matters more now than ever. But if you follow these steps, as well as any others suggested by your IT group, you should be fine.

Our new infographic book, A Visual Landscape of Cybersecurity, is 100 pages of eye-opening stats and insights for CISOs, board members, SOC analysts and everyone else in the information security field. We’d love to send you a copy.
