What Is Phishing-as-a-Service and How Can Anyone Become a Hacker?

Uncovering the definition, methods, and consequences of phishing-as-a-service, as well as how to protect yourself.
Mary James, Author
Catherine McNally, Editor
Last updated Jan 20, 2023

Have you ever received an email telling you your Amazon account has been suspended and the only way to see why is by clicking on the attachment or link provided? If so, you’ve seen an example of a phishing email.

These emails come in all types ranging from fake receipts for outrageous purchases to suspension of service to prizes won. The goal is to trick you through either excitement or fear into clicking on the link or opening the attachment. By tricking you into this, the scam artist who originated the email is able to either download malware onto your computer or gather personal information.

Maybe you knew about phishing scams, but did you know there’s an online marketplace where they’re sold? Much like legitimate software vendors, there are developers who build and sell scam software as a business. Buying and selling ready-made phishing scams this way is called phishing-as-a-service (PhaaS), and it’s profitable.

In this article
What is phishing-as-a-service?
How phishing-as-a-service works
Impact of phishing-as-a-service
Tips to avoid phishing-as-a-service
PhaaS FAQs
Bottom line

What is phishing-as-a-service?

Phishing-as-a-service is a kit put together by a developer that has all of the code, graphics, email templates, landing pages, and other relevant information necessary to execute a phishing scam. 

These ready-made kits can go for as low as $50 on dark web forums and make it easy for even tech novices to start scamming. The kits can be general or aimed at a specific sector. Take the Robin Banks group, for example: its kits are built specifically to impersonate financial institutions.

Even the least tech-savvy criminal can benefit from these services. A buyer who gets only a kit still has to gather email addresses for the intended targets, stand up hosting and a landing page that collects the information, send the emails, and then retrieve the credentials from unsuspecting victims. Some PhaaS providers will do all of that and run the site for you for a monthly or yearly fee.

How phishing-as-a-service works

PhaaS is fairly new to the cybersecurity landscape. One of the earliest operations to be widely documented was BulletProofLink, which Microsoft analyzed in 2021 and which had been active since at least 2018. BulletProofLink sold low-cost PhaaS kits and hosted phishing services to anyone interested. While phishing itself has been around a long time, this was one of the first well-known instances of selling it as a service to novice hackers.

The service is straightforward. The would-be hacker contacts the service provider, usually via the dark web, pays the fee, chooses the targets, and sits back while the provider deploys the phishing site and emails. Once the campaign runs, the buyer collects the credentials and profits from the scam.

For an even easier version, the buyer can pay the PhaaS provider to monitor and maintain the scam for them, giving up a cut of the profits in return for the service.

The potential payout is large. Take the case of Shark Tank’s Barbara Corcoran. A scammer sent an official-looking email to her bookkeeper, supposedly from her assistant, requesting a wire transfer of roughly $400,000 for an investment property in Europe.

Here’s how the scam went:

  1. The scammer sent an email to Ms. Corcoran’s bookkeeper, posing as her assistant authorizing a $400,000 purchase of an investment property in Europe in need of repairs.
  2. The bookkeeper didn’t notice the single letter missing from the fake sender address and processed the payment.
  3. The bookkeeper wrote back, copying Ms. Corcoran’s actual assistant (thank goodness for auto-filling familiar email addresses) that the transfer took place.
  4. The real assistant, now alerted to the scam, alerted Ms. Corcoran.
  5. Because of the quick thinking of the assistant and Ms. Corcoran, they were able to contact the bank.
  6. Even though the money had already left the account, the New York bank was able to freeze it before it reached the fake account in China.
  7. Ms. Corcoran, fortunately, received all of her money back.

The attacker had done their homework on Ms. Corcoran and her staff before sending a single email. Whether they built the look-alike address by hand or bought a kit, the ingredients (a believable pretext, a near-identical sender address, and a payment request) are exactly what PhaaS kits package for people with no technical skill, letting them expand ordinary con-artist skills into the internet crime arena.

The scam worked because the cybercriminal knew personal details about Ms. Corcoran and her staff, and used them to craft a convincing fraudulent email to her bookkeeper. The scammer was minutes away from a huge payout and would have gotten away with it had the scam been caught any later.

Ms. Corcoran was lucky. The FBI’s 2019 Internet Crime Report put losses from business email compromise, the category this scam falls into, at roughly $1.7 billion for that year. For more recent statistics, the FBI’s 2021 Internet Crime Report counted over 320,000 victims of phishing, vishing, smishing, and pharming that year. For comparison, just under 17,000 credit card frauds were reported in the same period.

Those numbers are startling. Credit card fraud has been around much longer and gets more public attention, yet in the FBI’s own reporting, phishing and its variants are far more widely reported than credit card fraud.

Impact of phishing-as-a-service

The impact of PhaaS ripples out much farther than other types of phishing. Because of the nature of the service, anyone can become a cybercriminal with these starter packs. Some of the negative effects are below but this isn’t an exhaustive list.

It removes the barrier to cybercrime

People who lack the technical skills to create a phishing campaign no longer get left out of the mix. With the availability of inexpensive phishing kits, they’re able to efficiently execute phishing scams.

It’s ready to use immediately and usually comes with customer support

Yes, it actually comes with customer support. If the cybercriminal purchasing the kit needs assistance in any way, the service provider has ways of assisting them in executing their con. This is a sophisticated business model that’s picking up steam.

Information stolen with PhaaS kits is often copied and sent back to the service provider

The old adage, “there’s no honor among thieves,” holds true even in the world of cybercrime. While the criminal purchasing the PhaaS kit may not have intended to resell the stolen credentials on the dark web, they’ll probably end up there anyway.

Since the PhaaS kit provider sets up all the code, they usually include a way to transmit all the information back to themselves. They then make a second profit selling it on the dark web.

The person who purchased the PhaaS kit may not even know the data was transmitted back to the service provider. That stolen data, like credentials and company information, can then be sold on the dark web to a more sophisticated criminal capable of a more damaging follow-on attack such as ransomware. The victim ends up with a double whammy from the original phisher and the secondary attacker.

It shields the service providers, who are much harder to prosecute than their customers

Would-be cybercriminals purchasing PhaaS kits might not be the most savvy in how not to get caught. The FBI and other cybercrime-hunting agencies have sophisticated tools, and a buyer who doesn’t take care to stay undetected has a good chance of being caught.

Unfortunately for the authorities, this usually only helps prosecute that individual. Selling the kits is still a crime, but the providers are better at hiding their identity and infrastructure, and because they are one step removed from the actual theft they are much harder to attribute and are likely to avoid prosecution.

Tips to avoid phishing-as-a-service

It’s difficult to get your money or credentials back after being the victim of a phishing attack. The best option is to avoid being scammed. You can learn how to stay safe online, not just from phishing attacks, but many forms of malicious internet activity. Remember, nothing is 100%, but you can reduce your chances of becoming a victim by following some simple rules.

  1. Use a good cybersecurity or antivirus product. Much of the time, the attacker gains access to your machine or personal information by installing malware. Good antivirus software catches much of this and stops it from running, though not all of it.
  2. Check email addresses. In the case of Barbara Corcoran, all it took was one missing letter for the hacker to trick her bookkeeper. Hackers bank on you not looking closely at who is actually sending the request, so check the full address, not just the display name. You might also purchase an antivirus or email security tool like Norton's AntiSpam tool or Bitdefender.
  3. Don’t click on links or attachments. Amazon is never going to send you a suspension of service email with an attachment you need to open to find out why. That is always a phishing scam. Same with a link. If you’re really worried, independently go to the site (never through a link provided in the email or other message) and check the status. If you have a suspension notice, they’ll let you know there.
  4. Double-check all information requests. Is this a service you use? Is this a problem you were aware of before this email? Did you initiate contact with the sender before they sent an information request? If it looks a little fishy, it probably is phishing.
  5. Look for formatting errors or odd formatting. Most legitimate businesses hold to a brand identity. That means they’ll use the same colors, fonts, formatting, and other similar styles in all their communications. Does this fit that style or does it look a little off? Are all the letters actually letters or do they look like they could have been substituted with numbers? Are there spelling errors? All of these could be clues to a phishing scam.
  6. Evaluate if the level of information requested is necessary for the action needed. For example, there was a USPS scam going around last year around the time free government COVID-19 tests were being sent. The victim received an email telling them the USPS driver was unable to deliver the package. Clicking on the link led the victim to a site. The first page of the site was where you entered your credit card information to get the $1 tracking number for the packages. The second page requested more information like your Social Security number (SSN). This is when the victim realized the scam. The post office would never need your SSN to deliver a package.
  7. Increase your knowledge of phishing tactics. If you’re concerned about phishing scams at work, ask your boss to provide training. If you’re worried about it for your personal use, learn about how to protect yourself from social engineering attacks.
  8. Use anti-phishing protections. Email filters and browser warnings aren’t foolproof, but they add a barrier. The single most effective step is enabling two-factor or multi-factor authentication (MFA), so a stolen password alone isn’t enough to log in. Be aware that some phishing kits relay your login to the real site in real time and capture one-time codes as you type them, so where it’s offered, prefer phishing-resistant MFA such as a hardware security key or a passkey, which only works on the genuine site.
  9. Update your software and operating system. Keeping your device's operating system up to date ensures you have the latest security patches for any recently discovered vulnerabilities. It's also a good idea to update your antivirus often so it can catch new types of phishing attacks created by threat actors.
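A practical version of tips 2 and 5, as an added example that is not part of the original article: the script below compares a message’s From: address against a short list of trusted contacts and flags addresses that are one or two edits away (a dropped letter, as in the Corcoran case) or that differ only by common digit-for-letter substitutions such as 0 for o or rn for m. The contact list and headers are constructed for the example, and the edit-distance threshold is an assumption to tune for your own contacts.

```python
"""Flag look-alike sender addresses against a short list of trusted contacts.

Added example: the contacts and From: headers below are constructed for
illustration and do not come from any real incident.
"""
from __future__ import annotations

from email.utils import parseaddr

# Constructed sample of addresses the bookkeeper is allowed to trust.
TRUSTED_CONTACTS = ["assistant@example-firm.com", "bookkeeper@example-firm.com"]

# Characters commonly substituted for letters in look-alike addresses.
_SINGLE_CHAR = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
_MULTI_CHAR = (("rn", "m"), ("vv", "w"))


def normalize(address: str) -> str:
    """Lowercase an address and undo common homoglyph substitutions."""
    out = address.strip().lower().translate(_SINGLE_CHAR)
    for fake, real in _MULTI_CHAR:
        out = out.replace(fake, real)
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insertions, deletions, substitutions) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted: list[str],
                    max_distance: int = 2) -> tuple[str, str | None]:
    """Classify the address in a From: header.

    Returns ("trusted", contact) for an exact match, ("lookalike", contact)
    when the address is within max_distance edits of a trusted contact after
    homoglyph normalisation, and ("unknown", None) otherwise. Only the real
    address is compared; the display name is ignored because it is trivial
    for an attacker to set. The threshold of 2 is an assumption.
    """
    _, sender = parseaddr(from_header)
    sender = sender.strip().lower()
    if not sender:
        return ("unknown", None)
    best: tuple[int, str] | None = None
    for contact in trusted:
        contact_l = contact.strip().lower()
        if sender == contact_l:
            return ("trusted", contact)
        dist = levenshtein(normalize(sender), normalize(contact_l))
        if dist <= max_distance and (best is None or dist < best[0]):
            best = (dist, contact)
    if best is not None:
        return ("lookalike", best[1])
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed headers: a genuine message, a dropped letter, a digit swap,
    # an "rn" for "m" swap, and an unrelated sender.
    samples = [
        "Jane Doe <assistant@example-firm.com>",
        "Jane Doe <assistant@exmple-firm.com>",
        "Jane Doe <assistant@examp1e-firm.com>",
        "Jane Doe <assistant@exarnple-firm.com>",
        "Sales <sales@unrelated.example>",
    ]
    for header in samples:
        verdict, match = classify_sender(header, TRUSTED_CONTACTS)
        print(f"{verdict:9s} {header!r}" + (f"  (closest: {match})" if match else ""))
```

A "lookalike" verdict is the case to stop and verify by phone; "unknown" is not proof of fraud but means the address deserves the same scrutiny as a stranger. Keep the threshold low: legitimately similar addresses on your own domain (jdoe and jdoe2, for instance) will trip a loose threshold.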

PhaaS FAQs


What’s the difference between phishing and PhaaS?

Traditional phishing requires the criminal to build or adapt the scam themselves: the emails, the fake site, the hosting, and the collection of stolen data. PhaaS attacks can be run by a complete novice who bought a ready-made package from one of those more sophisticated criminals. Buyers also often have less control over the stolen data than someone running their own campaign, because the kit may send a copy back to the provider.


Who can be the target of phishing-as-a-service?

Everyone can be a target. While some cybercriminals will go after larger corporations, like banks or entertainment companies, smaller criminals are happy going after people like Barbara Corcoran or even your neighbor.


What data can phishers collect in a PhaaS attack?

All sorts of personal data can be collected. Frequently, phishers are looking for names, birthdates, Social Security numbers, phone numbers, passwords, password hints, credit card numbers, banking credentials, and any other useful sensitive information.

Bottom line

PhaaS is one of the newer weapons in the arsenal of cybersecurity threats. The internet is a dangerous place with plenty of opportunity for someone to make money dishonestly. By knowing the warning signs of phishing, you can avoid becoming a victim.

If you or someone you know has been a victim of internet crime, report it to the Internet Crime Complaint Center (IC3) run by the FBI. The IC3 and the FBI also have educational information that can help expand our knowledge of how cyber criminals are working. The bigger the network of understanding, the more efficient the IC3 becomes. You may be the key to catching a scammer!

Author Details
Mary lives in Los Angeles and has been writing about tech for over 5 years. When she's not writing for work or fun, you'll find her in a theatre, at the movies, volunteering, or hiking the gorgeous SoCal landscape.