This is Not a Drill: Phishing as-a-Service


Up first in the Not-News: cybercrime is a problem that’s expected to cost $6 trillion annually by 2021. Which means hackers are always thinking up new ways of fooling people, right?


Well, yes. But also no. The most common hook cybercriminals use is one that’s been around for more than 30 years: phishing.


Phishing Supergraphic

The primary tool for delivering phishing attacks is email.




According to Webroot, 1.5 million new phishing sites are created every month. That’s more than 46,000 per day.


If that seems like an outrageous number, it is. Part of the reason it’s possible is the advent of Phishing as-a-Service (PhaaS) offerings, which let entry-level attackers get started with almost no setup of their own.


Product Services Supergraphic


In the past, running a phishing campaign required some technical knowledge: the attacker had to set up a phishing kit, compromise websites to host the landing pages that harvest credentials, and craft a convincing spam campaign to drive victims to those pages.


To lower that barrier to entry, new criminal sites now offer Phishing as-a-Service: a phishing kit plus hosting for the credential-harvesting forms, at very low cost. Would-be criminals with little technical knowledge can start their own phishing campaigns without compromising a single server themselves.


These hosted, SaaS-model offerings are simple, cheap and surprisingly sophisticated. Given the growth we’re seeing, expect cybercriminals to keep packaging more of their tooling as rentable services.



Fortunately, there are tried-and-true ways of protecting yourself. From the user’s perspective a PhaaS campaign looks like any other phishing attempt: the email and the fake login page are the same whether the attacker built the kit or rented it. We recently developed a comprehensive list of 22 ways to protect yourself against phishing attacks. In particular:


  • Never trust any source that requests sensitive information via email.
  • Be wary of a source that doesn’t know your name or account details. A generic greeting ("Dear Customer") is a common sign of a mass phishing campaign. The reverse does not hold: targeted (spear-phishing) emails often address you by name, so a personalized greeting on its own proves nothing.
  • Watch for overly urgent subject lines and language like "Verify your account." Emails saying your account has been compromised frequently tip off a phishing attack.
  • Does the email contain attachments? If it’s an unsolicited approach with an attachment, it may well be a scam.
  • Does the email contain a link or a shortened URL? Hover over it (but don’t click) and check your status bar: the address shown there is where the link really goes, regardless of what the link text says. If that address doesn’t match the sender’s legitimate domain, it’s a scam. A shortened URL hides its destination even from the hover check, so treat it as unverified.
  • Be wary of pop-ups, which are frequently employed in phishing attacks. Most commonly used browsers block pop-ups by default; make sure that setting is still on.
  • When in doubt, do not click. Make “don’t click” your default setting. Only click a link once you’re sure it’s safe.


And absolutely, positively:


  • Report potential phishing emails to IT.
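As an added example (not code from the original post), the following Python script applies several of the checks above to a raw email message: urgency language in the subject and body, a generic greeting, unsolicited attachments, shortened URLs, and links whose visible text names a different domain than the one the href actually points to, which is exactly what the hover check reveals. The shortener list, the keyword patterns, the domain names and the sample message are all constructed for illustration, and the "registrable domain" helper is a deliberate simplification.

```python
# Added example (not code from the original post): heuristic checks for the
# phishing indicators listed above, run over a raw email message.
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative lists; a real filter would use maintained ones.
URL_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}
URGENCY_PATTERNS = [
    r"\bverify your account\b",
    r"\baccount (?:has been|was) (?:compromised|suspended|locked)\b",
    r"\bwithin \d+ hours?\b",
    r"\burgent\b",
]
GENERIC_GREETING = r"\bdear (?:customer|user|member|account holder|sir/madam)\b"
DOMAIN_IN_TEXT = r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b"  # looks like a hostname


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def hostname(url):
    """Lower-case host of a URL; scheme-less hrefs are treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude registrable domain (last two labels); enough for the demo."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def check_links(html):
    """Return (shortened URLs, links whose visible text names another domain)."""
    collector = _LinkCollector()
    collector.feed(html)
    shortened, mismatched = [], []
    for href, text in collector.links:
        host = hostname(href)
        if host in URL_SHORTENERS:
            shortened.append(href)  # hovering shows only the shortener
        shown = re.search(DOMAIN_IN_TEXT, text.lower())
        if shown and registrable(shown.group(1)) != registrable(host):
            mismatched.append(f"text says {shown.group(1)}, href goes to {host}")
    return shortened, mismatched


def analyze(raw_message):
    """Return the phishing indicators found in a raw RFC 5322 message."""
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    content = body.get_content() if body is not None else ""
    html = content if body is not None and body.get_content_type() == "text/html" else ""
    text = re.sub(r"<[^>]+>", " ", content)  # crude tag strip for the prose checks
    haystack = f"{msg['subject'] or ''}\n{text}"
    shortened, mismatched = check_links(html)
    return {
        "urgency": [p for p in URGENCY_PATTERNS if re.search(p, haystack, re.I)],
        "generic_greeting": re.search(GENERIC_GREETING, text, re.I) is not None,
        "attachments": [p.get_filename() for p in msg.iter_attachments()],
        "shortened_urls": shortened,
        "link_mismatches": mismatched,
    }


# Constructed sample message: every address, domain and path here is made up.
SAMPLE = """\
From: "Account Security" <security@example-bank-alerts.test>
To: jane@example.test
Subject: URGENT: Verify your account within 24 hours
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Dear Customer,</p>
<p>Your account has been compromised. Go to
<a href="http://login.example-bank.test.attacker-site.test/verify">https://www.example-bank.test/login</a>
or <a href="http://bit.ly/3xyzabc">http://bit.ly/3xyzabc</a> to verify.</p></body></html>
--b1
Content-Type: application/pdf; name="invoice.pdf"
Content-Disposition: attachment; filename="invoice.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

if __name__ == "__main__":
    for indicator, value in analyze(SAMPLE).items():
        print(f"{indicator}: {value}")
```

Run against the constructed sample, every indicator fires: four urgency phrases, a generic greeting, one unsolicited attachment, one shortened URL, and one link whose text shows the bank’s domain while the href goes to a look-alike subdomain of an unrelated site. None of these checks is proof on its own; the point is that the hover check (comparing the href host with what the link text claims) is mechanical enough to automate.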


Vigilance matters more now than ever. No checklist catches everything, but if you follow these steps, as well as any others suggested by your IT group, you will be far harder to fool.


Our new infographic book, A Visual Landscape of Cybersecurity, is 100 pages of eye-opening stats and insights for CISOs to board members to SOC analysts and everyone else in the information security field. We’d love to send you a copy – just click here.