Beware of the Growing Threat of Phishing-as-a-Service

October 28, 2022

Phishing attacks have skyrocketed in recent times, with more than a million attacks reported in the second quarter of 2022 alone. Phishing campaigns have emerged as one of the biggest drivers of headlines and a principal cause of cyber-attacks. In fact, 80% of reported security incidents are phishing-related, which speaks volumes about the impact of phishing attacks. Historically, successful hackers had to have the knowledge and skills to create their own attacks from scratch. However, all that is changing with the proliferation of Phishing-as-a-Service (PhaaS). Today anyone can launch a sophisticated phishing attack on an individual or entity using PhaaS – all they need to know is where to look and what they want to pay.




What is Phishing-as-a-Service (PhaaS)?

Most of us are familiar with the Software-as-a-Service (SaaS) model and its advantages to businesses, including its ability to save organizations from spending significant time building their own software for delivering a particular service. Akin to SaaS, PhaaS is a fully-managed phishing program where skilled cybercriminals sell access to the tools and knowledge required to carry out a phishing attack.

Cybercriminals use dark web forums as a vehicle to advertise and sell phishing kits. These toolkits are typically put together by more experienced and organized specialist cybercriminals. Some phishing kits are even available for free. This makes cyber-attacks increasingly accessible to new entrants in the game. The kits include everything from malware to curated databases of targets and branded email templates. Additionally, some cybercriminal gangs offer access to collated open-source intelligence (OSINT) to enable their buyers to create highly convincing attacks, or the back-end code needed to create fraudulent webpages that mimic well-known brands to harvest credentials.

Some examples of PhaaS

  • Frappo Toolkit: In March 2021, the Resecurity HUNTER unit identified Frappo, a new underground service that is available on the Dark Web. Used primarily for account takeover, business email compromise and identity data theft, the Frappo toolkit enables cybercriminals to host and generate high-quality phishing pages which impersonate major online banking, e-commerce, popular retailers, and other online services.
  • BulletProofLink: While researching phishing campaigns, Microsoft came across a large-scale phishing-as-a-service operation called BulletProofLink that is still in operation. It offers one-off or subscription-based methods for leasing infrastructure, phishing kits and strategies for collecting and redistributing stolen credentials. Phishing kits distributed through BulletProofLink campaigns are designed to bypass email threat detection technologies and are available for purchase as stand-alone products. According to Microsoft, one of the popular methods that cybercriminals deploy is the use of zero-point fonts in the HTML of an email lure to pad the body text of the message and bypass scanning technology for in-line email defenses.
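
A defender can check for the zero-point font padding described in the BulletProofLink item above by separating the text a reader sees from the text set in a zero-size font. The following is an added example, not code from Microsoft or from the original article; the function names, the 0.3 threshold and the sample message are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Matches a font-size of exactly zero (0, 0px, 0.0pt), not 0.5em or 10px.
ZERO_FONT = re.compile(r"(?<![\w-])font-size\s*:\s*0+(?:\.0+)?[a-z%]*\s*(?:!important\s*)?(?:;|$)", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input", "col", "wbr"}

class ZeroFontScanner(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.stack = []                      # (tag, hidden?) for every open element
        self.visible, self.hidden = [], []   # text a reader sees / zero-size text

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        style = dict(attrs).get("style") or ""
        hidden = bool(self.stack) and self.stack[-1][1]   # inherit from parent
        if "font-size" in style.lower():
            hidden = bool(ZERO_FONT.search(style))        # explicit size wins
        self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        # Pop back to the matching open tag; tolerates unclosed <p>/<li>.
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        hidden = bool(self.stack) and self.stack[-1][1]
        if data.strip():
            (self.hidden if hidden else self.visible).append(data.strip())

def scan_email_html(html, threshold=0.3):   # threshold is an assumed starting point
    s = ZeroFontScanner()
    s.feed(html)
    s.close()
    hidden_chars = sum(len(t) for t in s.hidden)
    total = hidden_chars + sum(len(t) for t in s.visible)
    ratio = hidden_chars / total if total else 0.0
    return {"visible": " ".join(s.visible), "hidden": " ".join(s.hidden),
            "hidden_ratio": round(ratio, 2), "suspicious": ratio >= threshold}

# Constructed sample: padding text in a zero-size span inside the visible sentence.
SAMPLE_LURE = ('<p>Your mailbox <span style="font-size:0px">quarterly gardening '
               'newsletter and recipes for the weekend</span>password expires today.</p>'
               '<p style="font-size: 12px">Sign in to keep access.</p>')
```

Running content classifiers on the `visible` string rather than on the raw body means the scanner evaluates the same text the recipient reads. The check covers inline `style` attributes only, not sizes set through a `<style>` block or CSS classes.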



Why businesses should worry about PhaaS

While phishing attacks on their own are a cause of worry for businesses, PhaaS is adding to their complexity. It has lowered the financial and technical barriers that previously stopped many cyber criminals from deploying high-quality, sophisticated phishing attacks to their advantage. For experienced cybercriminals, it’s a quick way to make money from their phishing skills with less risk of being caught. For their customers, it’s a fast and easy way to pull off an expert-level phishing attack that has a high chance of being successful. Add that to the many open-source tools that already exist in the market, which can be easily accessed, used and built upon to help carry out attacks, and you have yourself a dangerous cocktail.

With the barriers to entry lowered, a new generation of cybercriminals is entering the cybercrime landscape to try their hand at phishing without any technical knowledge and with a meager investment of as little as $40. They no longer need to spend time building their own email templates or false websites to scrape credentials or payment information. All they need to do is purchase a PhaaS toolkit from a vendor on the dark web and follow the instructions to launch their attack – or just sign up for a phishing subscription and wait for the data to roll in.




Advanced threat detection is the need of the hour

As cybercriminals are getting innovative in launching phishing attacks, traditional security can no longer protect against this onslaught. To stem the flow of today’s advanced cyber threats, organizations need to strengthen their security perimeter and employ solutions that proactively detect and mitigate cyberattacks before they can enter their system and wreak havoc.  

Graphus is your one-stop shop for email security

As over 90% of phishing attacks start with a phishing email, email security is paramount to protecting organizations against falling into the traps of cybercriminals. Graphus is the world’s first AI-driven email security solution that helps foil even the nastiest cybercrime attempt, protecting organizations from severe reputational and financial damages. It puts three layers of defense between a phishing email and your organization and prevents any phishing email from reaching an employee’s inbox. Graphus automatically monitors communication patterns between people, devices and networks to reveal untrustworthy emails, making it a simple, powerful, and cost-effective automated phishing defense solution for companies of all sizes. 

Here are some of the features that make Graphus the best email security solution:

  • Block sophisticated phishing messages from reaching employees   
  • Put three layers of protection between employees and phishing email messages  
  • Deploy seamlessly to Microsoft 365 and Google Workspace via API, without big downloads or lengthy installs
  • Provide intuitive administration and precise reporting to help you gain insights into the effectiveness of your security, level of risks, attack types and more 

Book a demo of Graphus to start your email security journey.

