Have you ever gotten an email claiming to be from a major company like Apple or Amazon, warning you of a problem with your account and urging you to click a link or open a file to resolve it? If so, you've likely encountered a phishing scam, a type of cyberattack designed to trick unsuspecting internet users into handing over login credentials, financial information, or other sensitive data.
While phishing attacks used to require a fair amount of technical know-how to pull off, a new business model called phishing-as-a-service (PhaaS) has recently emerged, enabling even complete beginners to buy and sell phishing kits and campaigns. In this article, we'll break down how PhaaS works, who the major players are, and most importantly, how everyday internet users like you can avoid falling victim to phishing scams.
A Brief History of Phishing
To understand PhaaS, it helps to understand how phishing arose in the first place. The first recorded use of the term "phishing" was in 1987 among hacker groups who would target America Online users by posing as AOL staffers to trick them into sharing their passwords. The goal was to gain access to the victims' accounts.
In the 1990s and 2000s, phishing attacks spread rapidly alongside the growth of the internet, evolving from simple password phishing to more sophisticated scams impersonating banks, e-commerce sites, and other major digital brands that handle sensitive user data. Criminals realized tremendous profits could be made from harvesting users' online credentials and financial information.
Some key developments accelerated phishing's growth:
- Email – The rise of email as a primary communication medium made it easy for scammers to cast wide nets for potential victims.
- E-commerce – As more shopping and financial transactions moved online, phishers followed the money trail.
- Sophisticated hacking tools – Malware, bots, and other tools enabled criminals to launch mass phishing campaigns.
Losses to phishing scams exceeded $500 million by 2005, per the U.S. Federal Trade Commission. But phishing was still complex for the average scammer. That changed with the dawn of phishing-as-a-service.
The Rise of Phishing-as-a-Service
Phishing-as-a-service originated from cybercriminals and hackers realizing they could sell their tools, knowledge, and infrastructure to clients as a money-making endeavor. Instead of stealing data themselves, they could enable legions of others to do the dirty work.
PhaaS emerged around 2015, but the first widely known provider of commercial PhaaS was the Russian platform BulletProofLink, which launched in 2020 and sold basic phishing kits for as little as $66. Competing platforms like PhishLabs, PowerPhish, and Toxin soon joined the market.
These platforms allow buyers – ranging from small-time scammers to serious cybercrime rings – to simply purchase customizable phishing kits, campaigns, and tools. The providers handle the technical backend like hosting, code, and domain registration, so even a technophobe could become a phisher.
How Does PhaaS Work?
The phishing-as-a-service process follows a few simple steps:
- Buy a kit – The client purchases a phishing kit or campaign subscription from a provider, usually for a monthly fee ranging from $50 to $500.
- Customize the attack – The client personalizes the phishing emails, texts, or sites with their target victims and scam narrative.
- Launch the campaign – The provider handles the technical details of launching the phishing attack – hosting sites, registering domains, sending email blasts, etc.
- Harvest the data – Targets who fall for the scam and submit data have their information routed back to the client.
- Monetize the data – The client monetizes the stolen credentials, financial data, personal info, or sells it online.
Many PhaaS platforms also offer a managed phishing option. For higher fees ranging up to thousands of dollars, providers will handle launching and managing the phishing campaign so clients can sit back and reap the rewards.
Who Are the Major PhaaS Providers?
Dozens of shady platforms now offer phishing-as-a-service, but some of the most prolific include:
- BulletProofLink – One of the first and largest PhaaS providers. Offers self-service and managed phishing campaigns.
- PhishLabs – A Russian PhaaS site, in operation since 2016. Sells kits targeting major brands.
- PowerPhish – Provides inexpensive phishing kits aimed at compromising Microsoft and Google accounts.
- Toxin – Specializes in targeted spear phishing campaigns. Prices start around $800.
- Black Bullet – An emerging PhaaS site offering kits, malware, and harvesting tools.
These are just a sampling of the many platforms proliferating in cybercriminal circles to meet the surging demand for PhaaS.
How Bad is the Phishing Epidemic Today?
Phishing-as-a-service has fueled an exponential increase in phishing attacks across the web. Some key statistics demonstrate the scale of the epidemic today:
- Phishing attacks increased 65% in 2021 over 2020, per FBI data.
- Losses to phishing exceeded $2 billion in 2021, per the FBI.
- 1 in 3 people encounter phishing emails daily, according to research by PhishLabs.
- 80% of organizations reported being targeted by phishing in 2022, per Verizon.
Table: Year | Phishing Sites Blocked (the table's data rows are not reproduced on this page)
Table showing massive rise in blocked phishing sites in recent years. (Source: PhishLabs)
These stats demonstrate how PhaaS has enabled phishing to explode into a billion-dollar online scam industry impacting businesses and consumers globally.
How Can Everyday Internet Users Avoid Phishing Attacks?
While phishing can seem ubiquitous, there are steps you can take to avoid having your data harvested by PhaaS-fueled phishing campaigns:
- Use comprehensive antivirus software to block known phishing sites and malware.
- Check sender addresses closely before opening emails or texts. Scammers often spoof official-looking addresses.
- Avoid clicking links and attachments in unsolicited messages. Manually type in web addresses instead.
- Slow down and scrutinize any urgent requests for your personal information. Verify them through official support channels.
- Use multifactor authentication everywhere to prevent account takeovers.
- Keep software updated to ensure you have the latest security fixes.
- Use a password manager to ensure every account has a long, complex password that's hard to crack.
- Be wary of phone calls purporting to be tech support from major brands.
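Several of the checks above (look closely at the sender address, distrust links whose visible text does not match where they really go, slow down on urgent requests) can be written down as simple detection heuristics. The following Python script is an added example for this article and is not code from any PhaaS platform or security vendor named here; the brand-to-domain table, the urgency phrases and both sample messages are constructed for illustration, and the "registrable domain" helper is a deliberate simplification (last two labels) rather than a public-suffix lookup.

```python
"""Heuristic phishing-indicator checks for a single email message.

Constructed example: scores a message against the red flags the article lists
(spoofed sender, link text that does not match the real destination, urgent
requests for credentials). Not a production mail filter.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed (made-up) table of brands and the domains they legitimately mail from.
KNOWN_BRAND_DOMAINS = {
    "apple": {"apple.com", "email.apple.com"},
    "amazon": {"amazon.com", "amazon.co.uk"},
}

# Constructed list of pressure phrases typical of credential-harvesting lures.
URGENCY_PHRASES = (
    "verify your account", "account will be suspended", "within 24 hours",
    "confirm your password", "unusual sign-in",
)

ANCHOR_RE = re.compile(r'<a\s+[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
DOMAIN_IN_TEXT_RE = re.compile(r'(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})', re.I)


def registrable(host: str) -> str:
    """Crude 'registrable domain': the last two labels (demo-only simplification)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def sender_findings(from_header: str) -> list[str]:
    """Flag a display name or address that claims a brand but mails from elsewhere."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    for brand, domains in KNOWN_BRAND_DOMAINS.items():
        claims_brand = brand in name.lower() or brand in domain
        if claims_brand and domain not in domains:
            findings.append(f"sender claims '{brand}' but address domain is {domain or '(none)'}")
    return findings


def link_findings(html_body: str) -> list[str]:
    """Flag anchors whose visible text names one domain but whose href goes to another."""
    findings = []
    for href, text in ANCHOR_RE.findall(html_body):
        real = registrable(urlparse(href).hostname or "")
        visible = re.sub(r"<[^>]+>", "", text)
        match = DOMAIN_IN_TEXT_RE.search(visible)
        if match and registrable(match.group(1)) != real:
            findings.append(f"link text shows {match.group(1)} but points to {real}")
    return findings


def urgency_findings(text: str) -> list[str]:
    """Flag pressure wording that pushes the reader to act before thinking."""
    lowered = text.lower()
    return [f"urgent wording: '{p}'" for p in URGENCY_PHRASES if p in lowered]


def analyze(raw_message: str) -> list[str]:
    """Return every indicator found in a raw RFC 5322 message with an HTML body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    body_text = body.get_content() if body is not None else ""
    return (sender_findings(msg.get("From", ""))
            + link_findings(body_text)
            + urgency_findings(re.sub(r"<[^>]+>", " ", body_text)))


# Constructed sample: brand name in the display name, unrelated sending domain,
# link text that shows the real brand while the href goes elsewhere, urgent tone.
SAMPLE_PHISH = """\
From: "Apple Support" <no-reply@apple-id-verify.net>
To: victim@example.org
Subject: Unusual sign-in detected
Content-Type: text/html; charset="utf-8"

<html><body>
<p>We detected an unusual sign-in. Your account will be suspended unless you
<a href="http://login.apple-id-verify.net/x">https://appleid.apple.com/verify</a>
within 24 hours.</p>
</body></html>
"""

# Constructed sample of a message that raises none of the indicators.
SAMPLE_LEGIT = """\
From: Apple <no_reply@email.apple.com>
To: victim@example.org
Subject: Your receipt
Content-Type: text/html; charset="utf-8"

<html><body><p>Thanks for your purchase. View it at
<a href="https://apple.com/receipt">https://apple.com/receipt</a>.</p></body></html>
"""

if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, analyze(sample))
```

Run against the two constructed samples, the first message produces one sender finding, one link-mismatch finding and three urgency hits, while the second produces none. The point of the example is the shape of the checks, not the specific lists: a real filter would replace the brand table with a maintained allowlist, use a public-suffix library for the registrable domain, and treat the indicators as inputs to a score rather than as verdicts.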
No single tactic is foolproof, but adopting a guarded, skeptical mindset goes a long way in protecting yourself. Equally important is awareness – understanding the prevalence of phishing and how sophisticated scammers have gotten is key to staying vigilant.
The Bottom Line
Phishing-as-a-service has enabled an entire marketplace where cybercriminals can buy and sell tools to steal users' private data at scale. By lowering barriers to entry, it has fueled explosive growth in phishing scams targeting individuals and organizations worldwide.
While PhaaS has empowered even novice scammers to perpetrate phishing schemes, education and caution on the part of internet users can go a long way in preventing attacks. By spotting red flags, verifying requests, and using security tools, you can stay safe online and help curb this ecosystem that profits off of tricking the unwary.