• How businesses can defend themselves against the rise of phishing

    From TechnologyDaily@1337:1/100 to All on Monday, March 30, 2026 15:15:34
    How businesses can defend themselves against the rise of phishing as a service

    Date:
    Mon, 30 Mar 2026 14:09:56 +0000

    Description:
    Phishing has evolved beyond obvious tells, such as bad grammar and spelling, or fake email addresses.

    FULL STORY ======================================================================

    Phishing has evolved beyond obvious tells, such as bad grammar and spelling, or fake email addresses.

    In fact, most obvious phishing red flags (unprofessional design, faulty website links) no longer apply. Phishing attacks are polished and often look exactly like a message from a colleague or a bank.

    Vimal Raj, UK Technical Head at ManageEngine.

    And gone are the days when hackers worked alone out of random premises. That's another misconception: today's cybercriminals operate like fully-fledged corporations. They're licensing tools, ready-made all-in-one phishing kits, to partners who execute attacks.

    Phishing as a service, or PhaaS, works like any other software subscription service: Netflix, Amazon Prime, or any other product delivery service. Attackers pay a monthly fee, which varies depending on the chosen features, and in return get fake login pages, email templates, and website hosting that resists takedown.

    The tactics and techniques behind PhaaS

    PhaaS has evolved into a thriving business model on the dark web. It saves time and effort for criminals who don't know how to build phishing emails or the infrastructure to host fake login pages. They also use clever methods to avoid detection, such as using links to compromised websites and platforms that look misleadingly legitimate.

    There are typically two purchase models. The first is a one-time purchase of a phishing kit, which can be simple or advanced. More advanced kits include features like geo-blocking and anti-detection elements to evade anti-phishing bots and search engines.

    The other purchase model customers can go for is a subscription-based model where a PhaaS operation takes care of the entire phishing campaign, or a large part of it, for the customer.

    A good example is the application Frappo, which helps cybercriminals create and use premium phishing pages called phishlets. These collect victims' information, such as their IP addresses, login credentials, and user-agents. It's anonymous and doesn't even require its users to register or create an account.

    What is particularly dangerous about these kits is that they keep changing, as cybercriminals constantly evolve their methods to avoid being detected. But these attackers aren't even necessarily smarter; they're just faster.

    Keeping pace will require businesses to adopt a layered, proactive strategy built around visibility, automation, and trust minimization.

    Monitoring is the name of the game

    Set against this backdrop, businesses should adopt the mindset that a breach could occur at any moment. This means ensuring requests from users and devices are verified. Integrating identity and access controls helps limit who can do what, and when. That way, if businesses are attacked, the fallout is minimized.

    The MITRE framework recommends continuous monitoring as the only way to spot the subtle patterns that signal an attack in progress. Businesses should monitor application logs, network traffic, and file creation.

    This entails using software that can monitor network traffic and perform packet inspection, as well as conduct offline analysis on emails. And organizations should be on the lookout for any new files created from
    phishing messages. This could be the result of an adversary trying to gain access to vulnerable systems.

    There are software tools which can provide businesses with analytics to detect techniques and sub-techniques used to carry out phishing attacks or attempt to gain initial access.

    How to prepare for threats

    Businesses should be taking action to protect employees, many of whom don't even realize they're at risk. For example, they could implement phishing-resistant MFA such as biometrics, hardware security keys and passkeys, without adding friction to the user experience.

    Phishing-resistant MFA is designed to be extremely difficult to crack and to provide protection against device-code compromise. It's a crucial step in the battle to stay ahead of the phishers, which can also be helped by deploying user and entity behavior analytics (UEBA) profiling to spot anomalies.

    Similarly, security orchestration, automation, and response (SOAR) capabilities can be used to automatically execute workflow profiles and
    assign tickets to security admins to quickly remediate a phishing attack.

    It's also useful for businesses to examine endpoint security and identify any blind spots. Organizations should be set up to deploy patches quickly, detect and defuse threats like ransomware, enforce least-privilege access with MFA, and protect sensitive data wherever it resides.

    Adopt a company-wide cybersecurity culture

    Businesses should be treating cybersecurity defense like a continuous operation, not a quarterly checklist. This means ensuring buy-in across the organization, and making security everyone's purview, rather than just that of the IT team.

    To build a culture which is cybersecurity conscious, businesses must be sharing threat intelligence across teams. They should also be educating employees on why cybersecurity defense is important, by running red team exercises to simulate attacks.

    Conducting regular training sessions on recognizing phishing attempts and using strong passwords is a great first step in the right direction.
    Employees should be kept aware of how phishing attacks are evolving and getting ever smarter: from artificially intelligent phishing emails to deepfake impersonations and self-evolving malware.

    Protecting businesses against PhaaS requires rethinking how they can stay ahead. It's not just about firewalls, antivirus tools, and endpoint security: it's also about building a security-aware culture that adapts and anticipates attacks.

    This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro



    ======================================================================
    Link to news story: https://www.techradar.com/pro/how-businesses-can-defend-themselves-against-the-rise-of-phishing-as-a-service


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)