Your company may have taken advantage of such offerings as Software as a Service (SaaS), Platform as a Service (PaaS), or Infrastructure as a Service (IaaS). “As a service” offerings help companies to manage their expenses by charging a standard subscription rate and taking over cumbersome activities like updates and hardware purchasing. The concept can be extended to just about any service, including robotics (RaaS) and energy delivery (EaaS).
Unfortunately, cybercriminals have figured out a way to use this win-win business model to create a win-lose scenario in which they win your valuable data and you lose time, money, and customer trust. Phishing as a Service (PhaaS) makes the tools to launch phishing attacks easily available for anyone to use, just as SaaS makes using software easy and highly accessible.
Phishing attacks — in which attackers send you links to malicious sites, enabling them to gain valuable information — are on the rise, and PhaaS is one of the reasons. But knowledge is power, so here we focus on what PhaaS is, how it works, who uses it, how it can impact your company, and how to avoid these attacks.
How It Works
To explain how PhaaS works, let’s use the example of one PhaaS operation, recently discovered by Microsoft. According to a Microsoft blog post, the operation, known as BulletProofLink, sells phishing kits, email templates, hosting facilities, and automated services. The templates mimic well-known brands and services and are used within a subscription-based model to create a steady revenue stream. Microsoft notes “how effortless it can be for attackers to purchase phishing campaigns and deploy them at scale.”
As with legitimate businesses, BulletProofLink — otherwise known as BulletProftLink and Anthrax — proudly advertises its services and provides YouTube and Vimeo pages with instructions for how to use their services. According to Microsoft, “Just like any other service, the group even boasts of a 10% welcome discount on customers’ orders when they subscribe to their newsletter.” When it’s time to take advantage of the discount and pay the fee, Bitcoin is a common payment method.
Who Uses It
Cybercriminals are typically technically gifted and risk-tolerant and have a desire to outsmart others and make money without regard for legality. Those who use PhaaS typically share these traits, but one of the benefits is that it can be deployed by those with minimal technical skills, as long as the user is willing to pay the (typically affordable) price.
From the cybercriminal’s point of view, PhaaS is a great investment, given that phishing is inexpensive, yet yields a healthy return based on its high success rate.
These bad actors can target any organization, trying to get email recipients to divulge their credentials for various services, to lead them to sites that harvest those credentials, or to distribute malware. They get to take advantage of the full package described above, as well as customer service to help them be more effective.
How It Can Impact Your Company
Unfortunately, phishing can negatively impact your company in numerous ways:
- Loss of data. Hackers that get access to your network can do what they like with your data, including removing or damaging it.
- Loss of intellectual property. Some of the data that gets stolen may be proprietary information like trade secrets that help a company stand out in the marketplace. When such data is compromised, a company loses its ability to compete.
- Reputational damage. Companies that suffer cyberattacks lose trust with customers and the public, a situation that can become long-lasting or even permanent.
- Loss of time and money. Employees must take time away from their normal duties to restore the network. This effort also costs money, in the form of having it stolen by the hackers or having to pay it to compensate affected customers.
- Fines and penalties. Some companies may also be required to pay regulatory fines for mishandling customer data, even if the breach wasn’t their fault.
- Loss of revenue. In addition to losing money, companies may not be making money if they must remain closed or limit the availability of some products or services for a time as a result of the attack.
Clearly, the effects of phishing and other types of cybercrime can be devastating to a business. Cybercrime is estimated to cost the global economy over $1 trillion.
How To Stay Safe
To avoid the major problems listed above, train your employees properly and adopt the following strategies reported by Business Insider:
- Enable multi-factor authentication and block sign-in attempts that use legacy authentication.
- Use anti-phishing policies to enable mailbox intelligence settings.
- Configure impersonation protection settings for specific messages and sender domains.
- Enable Safe Links in Defender for Office 365 to ensure real-time protection by scanning at the time of delivery and at the time of click.
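As an added example (not from the original article, Business Insider, or Microsoft), the following Exchange Online PowerShell applies the four settings above in one pass. The policy names, the protected user, and the domain `contoso.example` are placeholders; MFA itself is enforced through Conditional Access or Security Defaults in Entra ID rather than in Exchange Online.

```powershell
# Added example: apply the four recommendations above with the ExchangeOnlineManagement
# module. Safe Links requires Defender for Office 365. Names and "contoso.example"
# are placeholders chosen for this example.
Connect-ExchangeOnline

# 1. Block legacy (Basic) authentication tenant-wide. A new authentication policy
#    blocks every Basic Auth protocol by default; setting it as the organization
#    default applies it to all mailboxes without an explicit policy.
$authPolicy = New-AuthenticationPolicy -Name "Block Legacy Auth"
Set-OrganizationConfig -DefaultAuthenticationPolicy $authPolicy.Identity

# 2. Anti-phishing policy with mailbox intelligence enabled, and
# 3. impersonation protection for named senders and the company's own domains.
New-AntiPhishPolicy -Name "Phish-Protect" `
    -EnableMailboxIntelligence $true `
    -EnableMailboxIntelligenceProtection $true `
    -MailboxIntelligenceProtectionAction Quarantine `
    -EnableTargetedUserProtection $true `
    -TargetedUsersToProtect "CEO Name;ceo@contoso.example" `
    -TargetedUserProtectionAction Quarantine `
    -EnableTargetedDomainsProtection $true `
    -TargetedDomainsToProtect "contoso.example" `
    -TargetedDomainProtectionAction Quarantine `
    -EnableOrganizationDomainsProtection $true `
    -EnableSpoofIntelligence $true `
    -AuthenticationFailAction Quarantine
# The rule decides which recipients the policy covers: everyone in the tenant domain.
New-AntiPhishRule -Name "Phish-Protect rule" -AntiPhishPolicy "Phish-Protect" `
    -RecipientDomainIs "contoso.example"

# 4. Safe Links: scan URLs at delivery and again at click time, and do not let
#    users click through the warning page.
New-SafeLinksPolicy -Name "SafeLinks-All" `
    -EnableSafeLinksForEmail $true `
    -EnableSafeLinksForTeams $true `
    -EnableSafeLinksForOffice $true `
    -ScanUrls $true `
    -DeliverMessageAfterScan $true `
    -EnableForInternalSenders $true `
    -TrackClicks $true `
    -AllowClickThrough $false
New-SafeLinksRule -Name "SafeLinks-All rule" -SafeLinksPolicy "SafeLinks-All" `
    -RecipientDomainIs "contoso.example"

# Verify the effective settings rather than assuming the cmdlets took effect.
Get-AntiPhishPolicy "Phish-Protect" | Format-List EnableMailboxIntelligence, EnableTargetedUserProtection, TargetedDomainsToProtect
Get-SafeLinksPolicy "SafeLinks-All" | Format-List ScanUrls, DeliverMessageAfterScan, AllowClickThrough
```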
Another strategy to consider is phishing simulations. According to security experts Expert Insights, “Employees are, more often than not, considered an organization’s biggest security weakness…. But employees don’t have to be a weakness. With the right training and tools, you can empower your workforce….”
That training may include sending workers fake phishing emails so they can learn to spot them and what to do next. Phishing simulations work best over time as part of a larger security awareness training program.
It Takes Two
The thing to remember about phishing is that it doesn’t work unless someone within your organization clicks a link or otherwise provides information that enables the cybercrime to occur. While everyone can make mistakes, it’s important to train your employees so those mistakes become rare or even nonexistent.
The more you and your employees know about phishing and the better you can recognize it, the less likely you are to experience such an attack. Give yourself and your team members time to learn about this unpleasant reality of today’s online world and make sure you make the training ongoing to keep up with ever-changing threats.