All About Cookies is an independent, advertising-supported website. Some of the offers that appear on this site are from third-party advertisers from which All About Cookies receives compensation. This compensation may impact how and where products appear on this site (including, for example, the order in which they appear).
All About Cookies does not include all financial or credit offers that might be available to consumers nor do we include all companies or all available products. Information is accurate as of the publishing date and has not been provided or endorsed by the advertiser.
The All About Cookies editorial team strives to provide accurate, in-depth information and reviews to help you, our reader, make online privacy decisions with confidence. Here's what you can expect from us:
- All About Cookies makes money when you click the links on our site to some of the products and offers that we mention. These partnerships do not influence our opinions or recommendations. Read more about how we make money.
- Partners are not able to review or request changes to our content except for compliance reasons.
- We aim to make sure everything on our site is up-to-date and accurate as of the publishing date, but we cannot guarantee we haven't missed something. It's your responsibility to double-check all information before making any decision. If you spot something that looks wrong, please let us know.
Have you ever received an email telling you your Amazon account has been suspended and the only way to see why is by clicking on the attachment or link provided? If so, you’ve seen an example of a phishing email.
These emails come in all types ranging from fake receipts for outrageous purchases to suspension of service to prizes won. The goal is to trick you through either excitement or fear into clicking on the link or opening the attachment. By tricking you into this, the scam artist who originated the email is able to either download malware onto your computer or gather personal information.
Maybe you knew about phishing scams, but did you know there’s an online marketplace where they’re sold? Much like legitimate software programs, there are developers out there with scam software and programs businesses. It’s called Phishing-as-a-service (PhaaS) when buying and selling phishing scams, and it’s profitable.
How phishing-as-a-service works
Impact of phishing-as-a-service
Tips to avoid phishing-as-a-service
What is phishing-as-a-service?
Phishing-as-a-service is a kit put together by a developer that has all of the code, graphics, email templates, landing pages, and other relevant information necessary to execute a phishing scam.
These ready-made kits can go for as low as $50 on dark web forums and make it easy for even tech novices to start scamming. The kits can be general or targeted on a specific area. Take the Robin Banks group for example. They sell their kits crafted specifically to attack financial institutions.
But even the least tech-savvy criminal can still benefit from these phishing services. Some PhaaS providers will run the site for you for a monthly or yearly fee. Before this became a service, a cybercriminal would need to purchase the kit, gather the email information for the intended targets, deploy the software in a landscape that would collect the information, and then collect the credentials from unsuspecting victims.
How phishing-as-a-service works
PhaaS is fairly new to the cybersecurity landscape. The first company to be widely acknowledged as a pioneer in the PhaaS sales landscape was BulletProofLink in 2020. BulletProofLink began selling low-cost PhaaS kits to anyone interested. While phishing itself has been around a long time, this was one of the first instances of selling the service to novice hackers.
The service is pretty easy and straightforward. The potential hacker contacts the service provider, pays the fee, chooses the victim, and sits back while the service provider deploys the phishing software. Usually, the potential hacker finds these service providers via the dark web. Once the transaction is complete, the potential hacker collects the credentials and profits from the scam.
For an even easier version, the potential hacker can pay the PhaaS provider to monitor and maintain the scam for them, giving up just a little bit of the profits in return for the service provided.
The profits have the potential for a large payout. Take the case of Shark Tank’s Barbara Corcoran. A scammer sent an official-looking email to her bookkeeper, supposedly from her assistant, requesting a payout of $400,000 for an investment property in Europe.
Here’s how the scam went:
- The scammer sent an email to Ms. Corcoran’s bookkeeper, posing as her assistant authorizing a $400,000 purchase of an investment property in Europe in need of repairs.
- The bookkeeper didn’t notice the single letter missing from the fake email. They processed the payment.
- The bookkeeper wrote back, copying Ms. Corcoran’s actual assistant (thank goodness for auto-filling familiar email addresses) that the transfer took place.
- The real assistant, now alerted to the scam, alerted Ms. Corcoran.
- Because of the quick thinking of the assistant and Ms. Corcoran, they were able to contact the bank.
- Even though the money had already left the account, the New York bank was able to freeze it before it reached the fake account in China.
- Ms. Corcoran, fortunately, received all of her money back.
The hacker had the ability to track and learn personal information about Ms. Corcoran then purchased a PhaaS kit to target her. PhaaS kits allow people with a variety of skills to expand those skills into the internet crime arena.
This scam was able to be pulled off because the cybercriminal knew personal information about Ms. Corcoran. By using this information, the hacker was able to send a convincing-looking fraudulent email to Ms. Corcoran’s bookkeeper. The scammer was seconds away from a huge payout and would have gotten away with it had the scam been caught any later.
Ms. Corcoran was lucky. The FBI reported in their 2019 Internet Crime Report that $1.7 billion was stolen in this exact way that year. For more recent statistics, the 2021 Internet Crime Report by the FBI found that there were over 320,000 victims that year of phishing, vishing, smishing, and pharming. For comparison, there were just under 17,000 credit card frauds reported the same year.
Those numbers are startling. Because credit card fraud has been around much longer, people seem much more concerned with it rather than internet scams. Yet the data proves internet fraud is much more prevalent.
Impact of phishing-as-a-service
The impact of PhaaS ripples out much farther than other types of phishing. Because of the nature of the service, anyone can become a cybercriminal with these starter packs. Some of the negative effects are below but this isn’t an exhaustive list.
It removes the barrier to cybercrime
People who lack the technical skills to create a phishing campaign no longer get left out of the mix. With the availability of inexpensive phishing kits, they’re able to efficiently execute phishing scams.
It’s ready to use immediately and usually comes with customer support
Yes, it actually comes with customer support. If the cybercriminal purchasing the kit needs assistance in any way, the service provider has ways of assisting them in executing their con. This is a sophisticated business model that’s picking up steam.
Information stolen from PhaaS kits is usually copied and sent back to the service provider
The old adage, “there’s no honor among thieves,” holds true even in the world of cybercrime. While the criminal purchasing the PhaaS kit may not have intended to resell the stolen credentials on the dark web, they’ll probably end up there anyway.
Since the PhaaS kit provider sets up all the code, they usually include a way to transmit all the information back to themselves. They then make a second profit selling it on the dark web.
The person who purchased the PhaaS kit may not even know the data was transmitted back to the service provider. That stolen data, like credentials and company information, can then be sold on the dark web to a more sophisticated criminal capable of deploying a more malicious ransomware attack. The victim ends up with a double whammy from the original phisher and the secondary attacker.
It allows the service providers to avoid prosecution because they aren’t the ones actually committing the crime
Would-be cybercriminals purchasing PhaaS kits might not be the most savvy in how not to get caught. The FBI and other cybercrime-hunting agencies have sophisticated tools. If the criminals don’t have the most effective methods to stay undetected, there’s a likelihood they’ll be caught.
Unfortunately for the authorities, this is really only helpful in prosecuting that individual. The service providers selling the phishing kits are likely to have much better cloaking methods and will likely avoid prosecution.
Tips to avoid phishing-as-a-service
It’s difficult to get your money or credentials back after being the victim of a phishing attack. The best option is to avoid being scammed. You can learn how to stay safe online, not just from phishing attacks, but many forms of malicious internet activity. Remember, nothing is 100%, but you can reduce your chances of becoming a victim by following some simple rules.
- Use a good cybersecurity or antivirus product. A lot of the time, the attacker gains access to your machine or personal information by installing malware. The best antivirus software will catch this and not allow it to run.
- Check email addresses. Like in the case of Barbara Corcoran, all it took was one missing letter for the hacker to successfully trick her bookkeeper. Hackers bank on you not being diligent enough to look at who is sending you the request. You might also purchase an antivirus or email security tool like Norton's AntiSpam tool or Bitdefender.
- Don’t click on links or attachments. Amazon is never going to send you a suspension of service email with an attachment you need to open to find out why. That is always a phishing scam. Same with a link. If you’re really worried, independently go to the site (never through a link provided in the email or other message) and check the status. If you have a suspension notice, they’ll let you know there.
- Double-check all information requests. Is this a service you use? Is this a problem you were aware of before this email? Did you initiate contact with the sender before they sent an information request? If it looks a little fishy, it probably is phishing.
- Look for formatting errors or odd formatting. Most legitimate businesses hold to a brand identity. That means they’ll use the same colors, fonts, formatting, and other similar styles in all their communications. Does this fit that style or does it look a little off? Are all the letters actually letters or do they look like they could have been substituted with numbers? Are there spelling errors? All of these could be clues to a phishing scam.
- Evaluate if the level of information requested is necessary for the action needed. For example, there was a USPS scam going around last year around the time free government COVID-19 tests were being sent. The victim received an email telling them the USPS driver was unable to deliver the package. Clicking on the link led the victim to a site. The first page of the site was where you entered your credit card information to get the $1 tracking number for the packages. The second page requested more information like your Social Security number (SSN). This is when the victim realized the scam. The post office would never need your SSN to deliver a package.
- Increase your knowledge of phishing tactics. If you’re concerned about phishing scams at work, ask your boss to provide training. If you’re worried about it for your personal use, learn about how to protect yourself from social engineering attacks.
- Use anti-phishing software. While it’s not entirely foolproof, anti-phishing software can provide an additional barrier of protection. Anti-phishing prevention is as easy as enabling two-factor or multi-factor authentication (MFA). These authentication methods require account authorization from 2 or more sources or devices.
- Update your software and operating system. Keeping your device's operating system up to date ensures you have the latest security patches for any recently discovered vulnerabilities. It's also a good idea to update your antivirus often so it can catch new types of phishing attacks created by threat actors.
What’s the difference between phishing and PhaaS?
Phishing scams are deployed by highly sophisticated online criminals with lots of technical prowess and know how. PhaaS cyberattacks can be done by a complete novice who purchased a package from one of these sophisticated online criminals. They often lack the same amount of control over the stolen data as a normal phishing attack.
Who can be the target of phishing-as-a-service?
Everyone can be a target. While some cybercriminals will go after larger corporations, like banks or entertainment companies, smaller criminals are happy going after people like Barbara Corcoran or even your neighbor.
What data can phishers collect in a PhaaS attack?
All sorts of personal data can be collected. Frequently, phishers are looking for names, birthdates, Social Security numbers, phone numbers, passwords, password hints, credit card numbers, banking credentials, and any other useful sensitive information.
PhaaS is the newest nasty thing out there in an arsenal of cybersecurity threats. The internet is a dangerous place with plenty of opportunity for someone to make money dishonestly. By knowing the warning signs of phishing, you can avoid becoming a victim.
If you or someone you know has been a victim of internet crime, report it to the Internet Crime Complaint Center (IC3) run by the FBI. The IC3 and the FBI also have educational information that can help expand our knowledge of how cyber criminals are working. The bigger the network of understanding, the more efficient the IC3 becomes. You may be the key to catching a scammer!