GUEST ESSAY: The rise of ‘PhaaS’ – and a roadmap to mitigating ‘Phishing as a Service’

Cybersecurity is a major concern for individuals and businesses in an increasingly digital world. Billion-dollar enterprises, small family-run shops and ordinary consumers can all fall victim to a cyberattack.


Phishing is one of the most common social engineering tactics cybercriminals use to target their victims. Security researchers are now tracking a newer trend in the cybercrime community: phishing-as-a-service.

Why should companies be aware of this trend and what can they do to protect themselves?

Phishing as a Service (PhaaS)

Countless organizations have adopted the “as-a-service” (-aaS) business model, in which a company offers customers a product to buy and use, as the name suggests, as a service rather than as something they build and run themselves. Popular examples include software as a service (SaaS), infrastructure as a service (IaaS) and artificial intelligence as a service (AIaaS).

Phishing-as-a-service, also known as PhaaS, follows the same model, except that the product for sale is designed to help buyers launch phishing attacks. In a PhaaS transaction, the cybercriminals or criminal gangs acting as sellers offer access to attack tools and technical know-how that let their customers carry out the crime themselves.

Ready-to-use phishing kits containing every element of an attack are available on the web. Some sellers offer more specialized products, such as back-end code for fraudulent websites that harvest credentials, or access to aggregated open source intelligence (OSINT) for building highly targeted phishing lures.

Growing popularity

PhaaS services are growing in popularity for several reasons. These products lower the barrier to entry for malicious actors and are relatively affordable.

Traditionally, would-be attackers faced high barriers to entry: a convincing phishing campaign required the skills to write the lure, stand up a credible fake site and run the supporting infrastructure. With PhaaS, that is no longer the case. Anyone with enough funds and access to the dark web can buy the tools needed to launch a phishing attack.

Along with the low barrier to entry and affordability, PhaaS benefits both sides of the trade. Sellers profit from their skills while distancing themselves from the attacks their customers actually run. On the buyer’s side, it takes minimal effort to pay for a phishing kit and launch a professional-looking attack on a victim.

PhaaS has become so popular that it is now a commercialized industry on the dark web. As a result, the number of phishing attacks around the world is likely to keep increasing, letting this lucrative form of cybercrime thrive in the digital age.

PhaaS mitigation

The PhaaS industry is growing rapidly and presents more risk to businesses of all types and sizes. An individual company cannot realistically take down the entire PhaaS ecosystem, but it can certainly take proactive security measures to reduce the risk of falling for a phishing attack.

Many organizations already know the basics of online safety and follow cybersecurity best practices. However, this trend could change the landscape, forcing companies to adapt, adopt new technologies and implement different defense strategies.

Enterprises can respond to the rise of PhaaS services in three ways:

• Comply with cybersecurity standards and compliance rules

Many industries are adopting cybersecurity standards and compliance requirements to protect businesses and their customers. For example, defense contractors must achieve Cybersecurity Maturity Model Certification (CMMC) to do business with the U.S. Department of Defense (DoD).

By requiring CMMC certification, the DoD ensures that contractors maintain a strong cybersecurity posture so that sensitive data stays protected. Organizations should determine which industry standards and compliance requirements apply to them and use those requirements to drive improvements in their security measures.

• Take advantage of security software

Today’s security products increasingly build in artificial intelligence (AI) and machine learning (ML) to spot suspicious messages, lookalike domains and sign-in behavior that static rules miss. Tools built on a zero-trust approach, in which no user, device or request is trusted by default, or powered by AI and ML can help businesses defend against phishing-driven attacks.
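One of the simpler checks such tooling applies is lookalike-domain detection: decoding punycode, folding accented characters and substituted digits back to plain letters, and measuring edit distance against the domains an organization wants to protect. The Python below is an added example written for this page, not code from the essayist or from any product; the protected-domain list, the digit-to-letter mapping, and the proxy log lines are all constructed for illustration.

```python
import unicodedata
from urllib.parse import urlparse

# Domains the organization owns or whose login pages it wants to protect.
# Assumption for this example; a real deployment would load these from config.
PROTECTED_DOMAINS = ["example.com", "examplebank.com"]

# Constructed proxy log excerpt, one "<timestamp> <user> <url>" per line (not real traffic).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z alice https://login.example.com/auth
2024-05-01T09:13:44Z bob https://examp1e.com/login
2024-05-01T09:15:10Z carol https://xn--exmple-cua.com/secure
2024-05-01T09:16:21Z dave https://example.com.verify-account.net/
2024-05-01T09:18:55Z erin https://intranet.example.com/wiki
"""


def levenshtein(a, b):
    """Edit distance between two strings (classic row-by-row dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Last two labels of a host name. Simplification: ignores multi-label public
    suffixes such as co.uk; use a public-suffix list in production."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def normalize_host(host):
    """Decode punycode (xn--) labels, strip accents and full-width forms down to
    their ASCII base letters, and map digits attackers commonly swap for letters
    (the 0->o, 1->l, 5->s table is an assumption, extend it to taste)."""
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already contains non-ASCII or is not valid IDNA; keep as-is
    folded = unicodedata.normalize("NFKD", host)
    folded = "".join(c for c in folded if not unicodedata.combining(c))
    return folded.lower().translate(str.maketrans("015", "ols"))


def classify_url(url):
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'."""
    host = urlparse(url).hostname or ""
    if not host:
        return "ok", "no host in URL"
    reg = registrable_domain(host)
    if reg in PROTECTED_DOMAINS:
        return "ok", f"{host} is under protected domain {reg}"
    norm_host = normalize_host(host)
    norm_reg = registrable_domain(norm_host)
    for good in PROTECTED_DOMAINS:
        norm_good = normalize_host(good)
        if norm_reg == norm_good:
            return "suspicious", f"{reg} normalizes to protected domain {good}"
        if levenshtein(norm_reg, norm_good) <= 2:
            return "suspicious", f"{reg} is within edit distance 2 of {good}"
        # Brand name buried in the subdomain of an unrelated registrable domain.
        if norm_good.split(".")[0] in norm_host.split(".")[:-2]:
            return "suspicious", f"brand label of {good} used as a subdomain of {reg}"
    return "ok", f"{host} does not resemble a protected domain"


def scan_log(log_text):
    """Return [(user, url, reason)] for every log line whose URL looks suspicious."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the scan
        _timestamp, user, url = parts
        verdict, reason = classify_url(url)
        if verdict == "suspicious":
            findings.append((user, url, reason))
    return findings


if __name__ == "__main__":
    for user, url, reason in scan_log(SAMPLE_LOG):
        print(f"{user}\t{url}\t{reason}")
```

Run against the sample log, the scan flags bob (digit substitution), carol (punycode homoglyph) and dave (brand used as a subdomain) while leaving alice and erin, who visited real subdomains of the protected domain, alone. The edit-distance threshold and the two-label registrable-domain shortcut are the knobs to tune: too loose and internal hostnames start tripping it, too tight and single-character typosquats slip past.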

• Prioritize training

Human error is the biggest contributor to a phishing attack’s success. Employees who receive solid security awareness training are less likely to put the organization at risk. Companies must prioritize employee education so that staff can act as the company’s first line of defense.

PhaaS is not going away. Organizations need to take a range of preventive measures to strengthen their security as this black market grows. Business owners need to be aware of PhaaS and take phishing attacks seriously to keep their businesses running smoothly.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the editor of Repirate. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.

*** This is a syndicated blog from the Security Bloggers Network of The Last Watchdog written by bacohido. Read the original post at:
