Phishing has evolved beyond obvious tells, such as bad grammar and spelling, or fake email addresses.
In fact, most obvious phishing red flags – unprofessional design, faulty website links – no longer apply. Phishing attacks are polished and often look exactly like a message from a colleague or a bank.
UK Technical Head at ManageEngine.
Gone, too, are the days when hackers worked alone out of random premises. That is another misconception: today's cybercriminals operate like fully fledged corporations, licensing ready-made "all in one" phishing kits to partners who then execute the attacks.
'Phishing as a service', or PhaaS, works like any other software subscription – Netflix, Amazon Prime, or any other subscription product. Attackers pay a monthly fee, which varies with the features chosen, and in return get fake login pages, email templates and web hosting that resists takedown.
The tactics and techniques behind PhaaS
PhaaS has evolved into a thriving business model on the dark web. It saves time and effort for criminals who do not know how to build phishing emails or the infrastructure to host fake login pages. The kits also use clever methods to avoid detection, such as links hosted on compromised websites and on platforms that look misleadingly legitimate.
There are typically two purchase models. The first is a one-time purchase of a 'phishing kit', which can be simple or advanced; more advanced kits include features such as geo-blocking and anti-detection elements to evade anti-phishing bots and search-engine crawlers.
The second is a subscription, where the PhaaS operation runs the entire phishing campaign, or a large part of it, on the customer's behalf.
A good example is 'Frappo', which helps cybercriminals create and deploy premium phishing pages called 'phishlets'. These collect victims' information, such as their IP addresses, login credentials and user-agent strings. The service is anonymous and does not even require its users to register or create an account.
What is particularly dangerous about these kits is that they keep evolving, because cybercriminals constantly change their methods to avoid detection. These attackers are not necessarily smarter; they are just faster.
Keeping pace will require businesses to adopt a layered, proactive strategy which is built around visibility, automation, and trust minimization.
Monitoring is the name of the game
Against this backdrop, businesses should adopt the mindset that a breach could occur at any moment, which means every request from a user or device is verified. Integrating identity and access controls limits who can do what, and when, so that if an attack succeeds the fallout is contained.
The MITRE ATT&CK framework's detection guidance for phishing points to continuous monitoring as the way to spot the subtle patterns that signal an attack in progress. The relevant data sources are application logs, network traffic and file creation.
This means using software that can monitor network traffic and perform packet inspection, and that can analyze emails offline. Organizations should also look for new files created as a result of phishing messages, such as attachments dropped by the mail client; these can be the first sign of an adversary trying to gain initial access.
There are software tools which can provide businesses with analytics to detect techniques and sub-techniques used to carry out phishing attacks or attempt to gain initial access.
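The three data sources above, checked over log lines, as an added example that is not the article's or ManageEngine's code. It flags mail whose display name borrows a protected brand but is sent from another domain, link hosts that imitate a protected domain (brand used as a subdomain, or a typosquat within two edits), and then correlates a flagged delivery with a script or container file created by the mail client for the same user shortly afterwards. The protected domains, process names, file extensions, time window, log format and the sample events are all constructed assumptions.

```python
"""Added example (not the article's or ManageEngine's code): the three ATT&CK
data sources the section names (application/mail log, network indicators in
URLs, file creation) checked over constructed log lines. Protected domains,
thresholds, log formats and the sample events are all assumptions."""
import json
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

PROTECTED = ["microsoft.com", "acmebank.example"]   # assumed brands to defend
MAIL_CLIENTS = {"outlook.exe", "thunderbird.exe"}     # assumed mail-client processes
DROP_EXT = (".hta", ".js", ".vbs", ".lnk", ".iso")   # assumed risky dropped file types
CORRELATION_WINDOW = timedelta(minutes=30)

# Constructed sample events (JSON lines); not real traffic.
MAIL_LOG = [
    '{"ts":"2024-05-01T09:02:11","user":"alice","from":"Microsoft Account Team <noreply@secure-msft-login.top>","urls":["https://login.microsoft.com.verify-account.top/a"]}',
    '{"ts":"2024-05-01T09:05:40","user":"bob","from":"HR <hr@corp.example>","urls":["https://intranet.corp.example/benefits"]}',
    '{"ts":"2024-05-01T09:07:02","user":"carol","from":"Acme Bank <alerts@acmebamk.example>","urls":["https://acmebamk.example/login"]}',
]
FILE_LOG = [
    '{"ts":"2024-05-01T09:15:30","user":"alice","parent":"outlook.exe","path":"C:\\\\Users\\\\alice\\\\AppData\\\\Local\\\\Temp\\\\invoice.hta"}',
    '{"ts":"2024-05-01T13:00:00","user":"bob","parent":"explorer.exe","path":"C:\\\\Users\\\\bob\\\\Documents\\\\notes.txt"}',
]

def registrable(host):
    """Crude eTLD+1 (last two labels); production code would use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquats such as acmebamk -> acmebank."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike(host):
    """Return the protected domain that `host` imitates, or None if it is genuine
    or unrelated. Catches brand-as-subdomain and small typos in the registrable part."""
    if not host:
        return None
    reg = registrable(host)
    if reg in PROTECTED:
        return None
    inner_labels = host.lower().split(".")[:-2]
    for domain in PROTECTED:
        brand = domain.split(".")[0]
        if brand in inner_labels or edit_distance(reg, domain) <= 2:
            return domain
    return None

def parse_from(header):
    """Split 'Display Name <user@host>' into (display name, sender host)."""
    m = re.match(r'^\s*"?([^"<]*?)"?\s*<[^@>]+@([^>]+)>', header)
    if not m:
        return "", header.rsplit("@", 1)[-1].strip()
    return m.group(1).strip(), m.group(2).strip()

def analyse_mail(line):
    """Application-log check: protected brand in the display name vs. the sender
    domain, plus link hosts that imitate a protected domain."""
    ev = json.loads(line)
    display, sender_host = parse_from(ev["from"])
    squashed = display.lower().replace(" ", "")
    findings = []
    for domain in PROTECTED:
        if domain.split(".")[0] in squashed and registrable(sender_host) != domain:
            findings.append(f"display name imitates {domain} but sender is {sender_host}")
    for url in ev.get("urls", []):
        host = urlparse(url).hostname or ""
        target = lookalike(host)
        if target:
            findings.append(f"link host {host} imitates {target}")
    return ev, findings

def correlate(mail_lines=MAIL_LOG, file_lines=FILE_LOG):
    """File-creation check: a mail-client child process dropping a script or
    container file within the window after a flagged delivery to the same user."""
    flagged, alerts = {}, []
    for line in mail_lines:
        ev, findings = analyse_mail(line)
        if findings:
            flagged.setdefault(ev["user"], []).append((datetime.fromisoformat(ev["ts"]), findings))
    for line in file_lines:
        fe = json.loads(line)
        if fe["parent"].lower() not in MAIL_CLIENTS or not fe["path"].lower().endswith(DROP_EXT):
            continue
        created = datetime.fromisoformat(fe["ts"])
        for delivered, findings in flagged.get(fe["user"], []):
            if timedelta(0) <= created - delivered <= CORRELATION_WINDOW:
                alerts.append({"user": fe["user"], "file": fe["path"], "mail": findings})
    return flagged, alerts

if __name__ == "__main__":
    flagged, alerts = correlate()
    for user, hits in flagged.items():
        for _, findings in hits:
            print(f"[mail] {user}: {'; '.join(findings)}")
    for alert in alerts:
        print(f"[corr] {alert['user']} created {alert['file']} after flagged mail")
```

On the sample data, alice and carol are flagged at the mail stage (brand/sender mismatch plus a lookalike link host each), bob is not, and only alice produces a correlated alert, because the `.hta` dropped from outlook.exe lands 13 minutes after her flagged delivery. The brand-as-subdomain rule is what catches the `login.microsoft.com.verify-account.top` style of host that polished kits favour; the typo rule catches `acmebamk.example`.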
How to prepare for threats
Businesses should be taking action to protect employees, many of whom do not even realize they are at risk. For example, they could implement phishing-resistant MFA such as hardware security keys and passkeys (FIDO2/WebAuthn), including those unlocked by a biometric, without adding friction to the user experience.
Phishing-resistant MFA is designed so that the credential cannot be captured and replayed: the authenticator signs a challenge that is bound to the legitimate site's origin, so a proxied fake login page receives nothing it can reuse. It is a crucial step in the battle to stay ahead of the phishers, and it can be complemented by user and entity behavior analytics (UEBA) profiling to spot anomalies.
Similarly, security orchestration, automation and response (SOAR) tooling can run response playbooks automatically and assign tickets to security admins so that a phishing incident is remediated quickly.
It is also useful to examine endpoint security and identify any blind spots. Organizations should be able to deploy patches quickly, detect and defuse threats such as ransomware, enforce least-privilege access backed by MFA, and protect sensitive data wherever it resides.
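Why a FIDO2/WebAuthn credential survives a proxied 'phishlet' login page, as an added example that is not the article's or ManageEngine's code. The browser, not the page, writes the page origin into clientDataJSON and refuses an RP ID that is not a registrable suffix of that origin; the relying party then checks type, challenge, origin, rpIdHash and the user-presence flag before verifying the signature over authenticatorData || SHA-256(clientDataJSON). The RP ID, origins and scenario flow are assumptions, and the authenticator's ECDSA signature is modelled with HMAC-SHA256 over the same message layout so the example runs on the standard library; the check logic, not the signature algorithm, is the point.

```python
"""Added example (not the article's or ManageEngine's code): the WebAuthn checks
that make a passkey or security key phishing-resistant. Assumptions: RP ID and
origins below are made up, and HMAC-SHA256 stands in for the ECDSA signature a
real authenticator produces (same signed message layout)."""
import base64
import hashlib
import hmac
import json
import os

RP_ID = "bank.example"                                # assumed relying party
RP_ORIGIN = "https://bank.example"
PROXY_ORIGIN = "https://bank.example.evil-proxy.top"  # assumed phishlet host

def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

class Authenticator:
    """Stand-in for a passkey / security key holding one credential per RP ID.
    A real one holds an ECDSA key pair; HMAC is used here (see lead-in)."""
    def __init__(self):
        self.keys = {}

    def register(self, rp_id):
        self.keys[rp_id] = os.urandom(32)
        return self.keys[rp_id]          # the RP stores this in place of a public key

    def assertion(self, rp_id, client_data_json):
        if rp_id not in self.keys:
            raise LookupError(f"no credential for RP ID {rp_id}")
        # authenticatorData: rpIdHash (32) || flags (UP set) || signCount (4)
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
        message = auth_data + hashlib.sha256(client_data_json).digest()
        return {"clientDataJSON": client_data_json, "authenticatorData": auth_data,
                "signature": hmac.new(self.keys[rp_id], message, hashlib.sha256).digest()}

def host_of(origin):
    return origin.split("://", 1)[1].split("/")[0].split(":")[0]

def browser_get(authenticator, page_origin, rp_id, challenge):
    """Models navigator.credentials.get(): the browser writes the true origin into
    clientDataJSON and refuses an RP ID that is not a registrable suffix of the host."""
    host = host_of(page_origin)
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"RP ID {rp_id} is not valid for origin {page_origin}")
    client_data = {"type": "webauthn.get", "challenge": b64url(challenge), "origin": page_origin}
    return authenticator.assertion(rp_id, json.dumps(client_data, separators=(",", ":")).encode())

def rp_verify(credential_key, expected_challenge, response):
    """Relying-party checks in spec order (type, challenge, origin, rpIdHash,
    user presence) followed by signature verification. Returns 'ok' or the reason."""
    cd = json.loads(response["clientDataJSON"])
    if cd.get("type") != "webauthn.get":
        return "bad type"
    if not hmac.compare_digest(unb64url(cd.get("challenge", "")), expected_challenge):
        return "challenge mismatch (replay)"
    if cd.get("origin") != RP_ORIGIN:
        return f"origin mismatch: {cd.get('origin')}"
    auth_data = response["authenticatorData"]
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return "user presence not asserted"
    message = auth_data + hashlib.sha256(response["clientDataJSON"]).digest()
    expected = hmac.new(credential_key, message, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, response["signature"]):
        return "bad signature"
    return "ok"

def scenarios():
    """Constructed scenarios: genuine login, two phishlet attempts, one forgery."""
    key_fob = Authenticator()
    stored_key = key_fob.register(RP_ID)
    results = {}
    # 1. Genuine login at the real origin.
    chal = os.urandom(32)
    results["genuine"] = rp_verify(stored_key, chal, browser_get(key_fob, RP_ORIGIN, RP_ID, chal))
    # 2. Phishlet relays the real challenge and RP ID, but the page is on its own origin.
    chal = os.urandom(32)
    try:
        browser_get(key_fob, PROXY_ORIGIN, RP_ID, chal)
        results["proxy_real_rpid"] = "browser allowed it"
    except PermissionError as err:
        results["proxy_real_rpid"] = f"browser refused: {err}"
    # 3. Phishlet asks for an RP ID it is allowed to use: the user has no credential for it.
    try:
        browser_get(key_fob, PROXY_ORIGIN, "evil-proxy.top", chal)
        results["proxy_own_rpid"] = "assertion produced"
    except LookupError as err:
        results["proxy_own_rpid"] = f"no credential: {err}"
    # 4. A tampered client bypasses the browser check; the RP still rejects it,
    #    because the origin inside clientDataJSON is covered by the signature.
    forged = key_fob.assertion(RP_ID, json.dumps(
        {"type": "webauthn.get", "challenge": b64url(chal), "origin": PROXY_ORIGIN}).encode())
    results["forged_origin"] = rp_verify(stored_key, chal, forged)
    return results

if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name}: {outcome}")
```

Only the genuine scenario verifies; the two phishlet scenarios never reach the relying party at all, and the forged one is rejected on origin. Contrast this with a one-time code, which the same proxy can relay to the real site unchanged; that difference is what 'phishing-resistant' means in practice.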
Adopt a company-wide cybersecurity culture
Businesses should be treating cybersecurity defense like a continuous operation, not a quarterly checklist. This means ensuring buy-in across the organization, and making security everyone’s purview, rather than just that of the IT team.
To build a culture that is cybersecurity conscious, businesses must share threat intelligence across teams. They should also educate employees on why cybersecurity defense matters, and run red team exercises that simulate real attacks.
Regular training sessions on recognizing phishing attempts and using strong passwords are a good first step. Employees should be kept aware of how phishing attacks keep evolving and getting smarter: from AI-generated phishing emails to deepfake impersonations and malware that adapts to evade detection.
Protecting businesses against PhaaS requires rethinking how they can stay ahead. It’s not just about firewalls, antivirus tools, and endpoint security: it’s also about building a security-aware culture that adapts and anticipates attacks.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro