Susan Morrow
September 30, 2019 by
Susan Morrow


IKEA, the famous Swedish home furnishing superstore, is incredibly successful. One of the secrets of their success is making the home DIY flat pack easy to use and very cost-effective. This means that now even a “do-it-yourself” novice like me can make my own bookshelves.

Cybercriminals, like legitimate businesses, are always looking for better business models. Now they have hit gold with Phishing-as-a-Service (PhaaS).

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

Welcome to the world of DIY flat-pack fraud.

What is Phishing-as-a-Service and why is it a game-changer?

One of the barriers to entry into the world of cybercrime has been at the technical level. In the past, you had to make your own scam, from coding (including malware development) to hosting the spoof landing pages and selling the data harvested as part of the phish. The steps involved meant that it was quite a slow, painstaking and intensive process that involved:

  1. Designing the scam itself: This includes identifying targets, working out the best brands to spoof, deciding how will the phish cycle will work (links? Attachments?), what will you do with the data collected and so on
  2. Designing and developing the phishing emails: Including setting up email servers, writing content, creating the malicious links and/or attachments
  3. Creating the spoof website: Phishing often involves tricking a person into revealing details such as personal data and/or financial information. It may also require a spoof login page to collect authentication credentials
  4. Consuming and using the collected data: The final stage: what to do with the phished data. Is it sold on via a darknet marketplace or messaging app group? Is it used to hijack an account?

Phishing-as-a-Service is a game-changer in the world of cybercrime because it removes a number of the above steps, especially the hard ones like hosting and design. No longer will the apprentice cybercriminal have to hack websites to host their malicious landing pages. By using a ready-made Phishing-as-a-Service option, cybercrime becomes accessible.

Phishing-as-a-Service is an inclusive form of cybercrime, potentially opening the door for everyone. Now, even a novice can have their own phishing campaign.

How does Phishing-as-a-Service work?

The security firm Cyren has looked at Phishing-as-a-Service in some detail. They have found a mix of kits from single tools to fully orchestrated campaigns, available for rent on a darknet near you. It is this latter category that is used for fully-fledged Phishing-as-a-Service offerings.

Cyren compared the pricing of the services and kits, starting at around $50 for a simple one-off kit download. More complicated phishing services, like Phishing-as-a-Service, command prices of between $50 to $80 per month for rental. Cyren identified 5,334 new and unique phishing products on sale in the first half of 2019.

Phishing-as-a-Service generally works as a subscription model, similar to how you would rent any other online services like streaming TV. This model means that novice users get to use professional phishing tools at an affordable price.

Anyone wishing to purchase the tools will go to a marketplace (on the darknet) which offers them as packaged products, in much the same way any other eCommerce site operates. You take your pick of a number of product variants, add them to your shopping cart and pay. Presto, you have a ready-made kit which you can use to create a phishing campaign.

Many of the products are built around the usual tricks used by fraudsters. Specifically, these are branded to look like Microsoft Office 365 or FedEx or some similar well-known brand.

The kits are professionally designed to evade detection and improve success rates. Certain brands and types of phishing emails are more successful than others. For example, emails which create urgency such as “check if your password as your account has been compromised” and order receipts are the most successful.

Professional cybercriminals recognize this and configure phishing kits to reflect this success.

The PhaaS offerings come with almost everything you need to create a successful phishing campaign. They include phishing email, malicious links, hosted spoof landing pages and, importantly for the apprentice phisher, any evasion techniques needed to make sure your cybercrime remains undetected. These evasion measures typically include:

  • HTML character encoding: Encoded webpage HTML so security crawlers cannot detect keywords that give away a malicious site
  • Content encryption: Similar to HTML encoding, used to obfuscate the content to prevent detection
  • Inspection blocking: Protects against security crawlers and bots searching for phishing sites
  • URLs in attachments: Hides malicious links in attachments so not as obvious
  • Content injection: Inject malicious content into the page of a legitimate website — again, to hide the true nature of the phishing site
  • Legitimate cloud hosting: Use recognized and legitimate cloud providers to host the sites

Phishing sites now even use digital certificates to increase the feeling of legitimacy. According to the Anti-Phishing Working Group (APWG), 50% of spoof sites now use SSL certificates to present what was once the default icon of true security, the website lock symbol.

When you rent a phishing kit, your success becomes the seller’s success. News of a successful Phishing-as-a-Service campaign will quickly spread in the cybercriminal community and the fraudsters behind the service will get further sales.

Once the Phishing-as-a-Service product has been purchased, the fraudster has to find the right targets. This is also made simple for our budding cybercriminal because lists of target email addresses are also for sale — thanks to all of the recent data breaches. In a nice piece of targeted marketing, these lists can be bought based on user demographics, just as you would if you were preparing a legitimate marketing campaign.

Once all of the pieces are in place, the phish can begin.

Conclusion: The likely future of phishing

I don't have a crystal ball, but I know this: if something works well, it will continue in that vein until something comes along to change that. Many successful business models have taken advantage of making something that’s hard into something simple.

Phishing-as-a-Service targets consumers and organizations of all sizes, across all sectors; the rent-a-phish mob knows no bounds. According to Verizon, phishing is still the biggest threat to the safety of our data. With data breaches increasing by 54% in the first half of 2019, the likelihood is that Phishing-as-a-Service will be with us for some time to come.

As the cybercriminals up the ante, we have to follow suit. As organizations and individuals, one of the best ways to deal with the results of a rent-a-phishing campaign is through knowledge. Providing security awareness training with phishing simulations to employees not only protects your business, it also gives employees personal power and reassurance in their everyday lives.

See Infosec IQ in action

See Infosec IQ in action

From gamified security awareness to award-winning training, phishing simulations, culture assessments and more, we want to show you what makes Infosec IQ an industry leader.



  1. Evasive Phishing Driven by Phishing-as-a-Service, Cyren
  2. Top 10 most successful phishing headlines reveal human faultlines, Accounting Today
  3. Phishing Activity Trends Report, 1st Quarter 2019, APWG
  4. 2019 Data Breach Investigations Report, Verizon
  5. 2019 MidYear Data Breach QuickView Report, RiskBased Security
Susan Morrow
Susan Morrow

Susan Morrow is a cybersecurity and digital identity expert with over 20 years of experience. Before moving into the tech sector, she was an analytical chemist working in environmental and pharmaceutical analysis. Currently, Susan is Head of R&D at UK-based Avoco Secure.

Susan’s expertise includes usability, accessibility and data privacy within a consumer digital transaction context. She was named a 2020 Most Influential Women in UK Tech by Computer Weekly and shortlisted by WeAreTechWomen as a Top 100 Women in Tech. Susan is on the advisory board of Surfshark and Think Digital Partners, and regularly writes on identity and security for CSO Online and Infosec Resources. Her mantra is to ensure human beings control technology, not the other way around.