GUEST ESSAY: The rise of ‘PhaaS’ — and a roadmap to mitigate ‘Phishing-as-a-Service’

By Zac Amos

Cybersecurity is a top concern for individuals and businesses in the increasingly digital world. Billion-dollar corporations, small mom-and-pop shops and average consumers could fall victim to a cyberattack.


Phishing is one of the most common social engineering tactics cybercriminals use to target their victims. Cybersecurity experts are discussing a new trend in the cybercrime community called phishing-as-a-service.

Why should companies be aware of this trend, and what can they do to protect themselves?

Phishing-as-a-Service (PhaaS)

Countless organizations have adopted the “as-a-service (-aaS)” business model. As the name suggests, it describes companies that offer customers a product to purchase and use “as a service” rather than to own outright. Popular examples include artificial intelligence-as-a-service (AIaaS), software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS).

Phishing-as-a-service, also called PhaaS, follows the same business model as SaaS, except that the product for sale is designed to help users launch a phishing attack. In a PhaaS transaction, the cybercriminals or cybercrime gangs are the vendors, and they sell access to various attack tools and technical knowledge to help customers carry out their crimes.

Ready-to-use phishing kits containing all the necessary components of an attack are available on the web. Some vendors offer more specialized products, such as back-end code for building fraudulent websites that harvest credentials. They might also provide access to collated open-source intelligence (OSINT) for crafting highly sophisticated, targeted phishing attacks.

Rising popularity

PhaaS offerings are growing in popularity for a few reasons. These products lower the barrier to entry for malicious actors and are relatively affordable.

Traditionally, people faced high barriers to entry to become successful hackers. With PhaaS, this is no longer the case. Anyone with enough funds and access to the dark web can purchase PhaaS tools to help them launch a phishing attack.

Aside from a low barrier to entry and affordability, PhaaS is a win-win situation for vendors and their customers. Vendors benefit from PhaaS because they earn a profit from selling their skills while avoiding the risks associated with committing a cybercrime. On the customer side, it requires minimal effort to pay for a phishing kit and launch a professional-level attack on a victim.

PhaaS has grown so popular that it’s now a commercialized industry on the dark web. As a result, the number of phishing attacks worldwide will increase, allowing lucrative cybercrime to flourish in the digital age.

Mitigating PhaaS

The PhaaS industry is rapidly expanding and presenting more risks to businesses of all types and sizes. An individual company is likely unable to take down the entire PhaaS community, but it can certainly take proactive cybersecurity measures to reduce the chances of facing a phishing attack.

Many modern organizations know the basics of online safety and follow the best cybersecurity practices. However, this new trend could change the landscape, forcing businesses to adapt, use new technologies and implement different defense strategies.

Businesses can respond to the rise of PhaaS in three ways:

• Heed cybersecurity standards

Many industries implement cybersecurity standards and compliance requirements to protect businesses and their clients or customers. For example, government defense contractors must pass the Cybersecurity Maturity Model Certification (CMMC) assessment to conduct business with the Department of Defense (DoD).

By requiring contractors to pass the CMMC, the DoD ensures that they maintain a strong cybersecurity posture so any sensitive data remains secure. Organizations should determine which industry standards and compliance requirements apply to them and use those requirements to improve their security measures.

• Leverage security software

Several newer technologies, including artificial intelligence (AI) and machine learning (ML), are now built into today’s cybersecurity software solutions. Products that take a zero-trust approach, or that are powered by AI and ML, can help companies defend themselves against cyberattacks, including phishing.

• Prioritize training

Human error is the main factor contributing to a successful phishing attack. Employees who receive thorough cybersecurity training are less likely to put an organization at risk. Businesses must prioritize employee education so that staff can act as the company’s first line of defense.

PhaaS is not going anywhere. Organizations must take various preventive measures to bolster their cybersecurity as this black-market industry grows. Company leaders must be aware of PhaaS and take phishing attacks seriously to keep their business running.

About the essayist: Zac Amos writes about cybersecurity and the tech industry, and he is the Features Editor at ReHack. Follow him on Twitter or LinkedIn for more articles on emerging cybersecurity trends.
