Cybersecurity Awareness Month: What to Know About Phishing-as-a-Service

For almost 20 years, October has marked the beginning of Cybersecurity Awareness Month, which is dedicated to helping individuals protect themselves online as threats to technology and data become more common. This year, the Cybersecurity and Infrastructure Agency and the National Cybersecurity Alliance have created a month-long campaign—“See Yourself in Cyber”—to demonstrate that, although it sounds complicated, cybersecurity can impact any and all people across a number of channels.

In the past, becoming a successful hacker had several barriers to entry. Hackers needed substantial knowledge to create attacks and high-end technology to execute. Until this point, the difficulty in accessing information and equipment helped prevent cyberattacks and limited the number of bad actors out there.

However, these tools have become more accessible and now, hackers are even selling their services for anyone to purchase. One of the most common “hacker-as-a-service” offerings is “phishing as a service.” Today, anyone can commit a cybercrime; all they need to know is where to look, who to contact and how much they are willing to pay.

What is PhaaS?

Phishing-as-a-service allows hackers to charge for access to the resources and knowledge necessary to launch a successful phishing attack. With few obstacles to entry, PhaaS has inspired a new generation of cybercriminals to try their hand at phishing. Using web forums, these fraudsters sell “phishing kits” that contain all the components needed to launch an email assault. All they must do is download a kit from a PhaaS vendor and follow the instructions, allowing attacks to be formed and fulfilled quickly. Since hackers are only selling the software and not carrying out the attack, they live in the gray area of legality.

The Danger of PhaaS

The increased popularity and security risk of PhaaS have caused many challenges for organizations. Research from IBM in 2021 confirmed a two percentage-point rise in phishing attacks between 2019 and 2020, partly driven by COVID-19 and supply chain uncertainty. The issue is only getting worse as phishing kits become more accessible.
CISCO’s 2021 Cybersecurity Threat Trends report suggests that at least one person clicked a phishing link among 86% of organizations. Further, CISCO’s data indicates that phishing accounts for approximately 90% of data breaches.

How Can Organizations Defend Against PhaaS?

PhaaS will continue to grow in popularity so long as it is profitable. While trying to shut down the market sites might be a fruitless task, credit unions can take precautions to better defend themselves against these assaults.

Security awareness training is critical and this month’s “See Yourself in Cyber” campaign is helping people understand the real implications cyberattacks can have on their target consumers, employees and themselves.

For credit unions, it is imperative to work alongside employees to help raise their awareness and aid them in identifying the telltale signs of an attack. Proper cybersecurity solutions can detect the most sophisticated attacks but when combined with existing security training programs, they ensure that employees can combat hackers.

Having educated users, up-to-date technology and appropriate policies and procedures allow organizations to have the proper protection. All of these actions protect the organization and most importantly, its people.

Gene Fredriksen is a co-founder and current executive director of the National Credit Union ISAO and the principal cybersecurity consultant with PureIT Credit Union Services. He has previously held the positions of CISO for PSCU, global CISO for Tyco International, principal consultant for security and risk management strategies for Burton Group, VP/technology risk management and chief security officer for Raymond James Financial, and information security manager for American Family Insurance.