Rise of phishing-as-a-service


You’ve probably heard of phishing, but what about phishing-as-a-service?

This method makes it much easier for cyber-criminals to launch their attacks because they are able to buy everything they need in a ‘phishing kit’.

These are put together by experienced and organised cybercriminals and then are made available online. The kits typically contain email and webpage templates, malware, and email addresses of potential targets. They can also contain step-by-step installation instructions for the buyer, making them as easy as possible to follow.

Microsoft has recently released a report on one of the companies selling them, called BulletProofLink, which sells phishing kits, email templates, hosting, and automated services at a low cost.

PhaaS means cybercriminals can launch more attacks within a given timeframe, and the number of them is growing. Here’s how you can protect your business:

It might seem ironic, but technology is the best way to reduce your risk of a successful phishing attack.

Know the red flags

Emails full of typos or grammatical mistakes, or that come from a strange-looking address, should raise some suspicion. Scare tactics and “better act now” types of messages are also red flags.

Cyber-criminals often embed malicious files into emails to get the malware code into your system. The most dangerous file extensions include .exe, .jar, .bat, .cmd, and .vbs. Sometimes these links even appear in pdf documents, because they can bypass some security barriers.

Think twice before clicking or downloading

As a general rule, don’t open or click links in emails with the characteristics above. If an email is coming from a source you don’t recognise, it’s best not to interact with anything it contains. That means no clicking links, downloading files, or opening attachments. Generally, you should only open email attachments if you are expecting them and know what information they will contain.

Check website

Besides watching out for the common phishing tactics, checking for website security should be part and parcel of your cybersecurity training.

Keep an eye out for HTTPS and look for the SSL certificate. An HTTPS is a secure version of HTTP (hypertext transfer protocol) that prevents communication from being accessed by anyone but you and the website you are accessing. On the other hand, an SSL certificate is an additional layer to ensure security (apart from HTTPS). This will allow you to double-check the website’s certificate credentials. Most browsers will give you access to this information by clicking a corresponding ‘View Certificate’ button.

Install anti-fishing software

Asking your IT provider to install email security software and anti-phishing features can help to improve your security, reduce the number of phishing emails that get through as well as flagging any odd-looking ones, this can be achieved with:

Blacklisting domains – This means that you can stop any emails coming from certain addresses that are associated with fraudulent activity.

Creating spam filters – These filters can set rules to block communications that use dodgy keywords, poor quality URLs and much more.

Scanning content – This helps to quickly highlight any viruses, ransomware or any other corrupted-looking attachments.

Spoofed sender detection – This will alert recipients when they have never had any previous communications with a sender.

Use multi-factor authentication

Multifactor authentication is essential in helping to protect your email accounts from being compromised.  Essentially it stops information from being hijacked by putting into place multiple authentication methods – a secondary, one-time password or code sent via an app or text message – vs just using a simple username and password.

You should also proactively enforce policies for regular password changes and make sure passwords are strong, long and contain a mix of characters.

 Awareness training

You need your people to be switched-on and actively able to recall what they’ve been taught days, weeks or months down the line when they’re in a real-life phishing scenario. And we know that cybercriminals often rely on human error to carry out their attacks.

So make sure your employees have regular cybersecurity training that considers the most up-to-date methods of cyber attack.

If you’ve already clicked or opened a suspicious email, don’t panic. Contact your IT department and let them know if you’re using a work phone or laptop. Open your antivirus software and run a full scan to clean up any problems it may find. If you’ve provided a password, change the password on accounts that use the same one – email accounts, social media, your computer, everything. The quicker you can stop hackers from getting in, the better.

If you are worried about potential phishing attacks then please get in touch with our team of IT experts who will be able to take you through all our tailored security solutions that are available for your business.