Phishing as a Service Stimulates Cybercrime

According to Verizon, 78% of organizations experienced email-based ransomware attacks in 2021, with 15 million phishing messages containing malware being directly linked to later-stage ransomware. The arrival of the COVID-19 pandemic saw a dramatic rise in phishing attacks, with Trend Micro data showing a whopping 137.6% growth in 2020 alone.

Part of the proliferation of email-based attacks can be linked to the rise in the growing trend of the overarching notion of crime as a service (CaaS). Comprised of malicious actors with different specialized skills, these expert crime groups include ransomware as a service (RaaS), access as a service (AaaS), and most recently PhaaS.

While email remains to be the most common initial attack vector for cybercriminals, due to ease in nature, phishing attacks cost enterprises nearly $15 million USD annually. This is due to phishing attacks evolving in such a short period of time from simple advanced-fee scams to sophisticated advanced social engineering made possible by PhaaS. Effective attack surface risk management (ASRM) must start with proactive defense of initial attack vectors.

Learn more about crime as a service (CaaS) groups:

What is phishing as a service (PhaaS)?

Like RaaS or AaaS, this attack technique allows virtually anyone with even an entry-level knowledge of the cybersecurity landscape, to benefit from a phishing attack—often monetarily and often via email-based entry. Cybercriminals act as a “service provider” on behalf of others in exchange for a payment (often as little as $15 USD a day) and/or a portion of a ransomware payout. Alternatively, wannabe scammers can purchase a “phishing kit” for as little as a flat $40 USD fee (with some providers reportedly offering even steeper discounts as part of Black Friday deals).

These kits include the capabilities and tools required to launch a phishing attack, often including email templates, spoof website templates, contact lists of potential targets, detailed instructions on how to execute an attack, as well as access to “customer support.”

New technology like ChatGPT makes phishing more accessible. The AI chatbot has already proven its ability to write emails indistinguishable from a human, with perfect spelling and grammar as well as faster turnaround to news being shared publicly. Also, its built-in translation capabilities enable attackers with limited English skills to “write” convincing, high-quality phishing emails.

As reported by CNBC, Cody Mullenaux, a 40-year-old small business owner from California, was scammed out of more than $120,000 USD from a team of cybercriminals operating off of a phishing kit.

While banks in the United States of America are required to reimburse stolen funds to customers during such attacks, the Electronic Fund Transfer Act that governs these laws does not protect victims of wire-transfer scams, leaving Mullenaux unable to recoup his losses.

As shown by Cody Mullenaux’s case, PhaaS has made access to ransomware attacks more accessible than ever by removing the barrier of entry for malicious actors. This means more cybercriminal activity and an increased chance of your company falling victim.

Email security best practices

With the new threat of PhaaS only exasperating what was already a ransomware epidemic, your organization requires more than just native email security. A layered security approach, integrated with a broader platform, is your best defense against targeted threats. In 2021, Trend Micro detected and blocked over 33 million malicious emails that slipped past native defenses.

A typical layered security approach combines these four tactics to thwart attacks and mitigate cyber risk:

1. Email gateway

To protect your employees and your assets from potential attacks above and beyond native defenses, you need advanced filtering and protection. An email gateway featuring defenses powered by artificial intelligence (AI), machine learning (ML), and behavioral analysis within a single dashboard will reduce manual tasks for overstretched security teams. AI-assisted capabilities like authorship analysis (ex. Writing Style DNA) study the writing style of your company’s management team and can flag suspected spoof emails before they reach your employees.

2. Cloud app security

When it comes to the evolving world of cybersecurity, 100% protection does not exist. For those instances where a malicious email does penetrate defenses, Cloud Application Security Broker (CASB) will remove the flagged communication from all mailboxes across the environment. In addition, advanced CASB tools can prevent compromised email accounts from spreading phishing messages to other employees and peers.

3. Education

Phishing simulations like Trend Micro™ Phish Insight provide you with the tools to educate and test your users on the latest methods used in the most common phishing campaigns. These real-world simulations make use of templates extracted from actual phishing scams.

4. Secure web gateway (SWG)

By inspecting traffic between employees and the internet, an SWG uses ML to identify spoof websites that have the ability to spread ransomware across your organization. The addition of an acceptable use policy (AUP) can further mitigate risk by restricting access to any unsanctioned apps where users are asked to input personal information.

Next steps

Leveraging a layered security approach that is a part of a unified cybersecurity platform and backed by broad third-party integrations and extended detection and response (XDR) capabilities provides your team with high-resolution visibility and reporting capabilities. This allows for greater visibility across your attack surface, so you can better detect and respond to even the stealthiest phishing attacks.