The Software-as-a-Service (SaaS) movement has completely transformed how we work and how we interact in our personal lives. We can onboard new vendors and scale business services at a fraction of pre-SaaS costs and timescales. It has also been possible for millions of people to work remotely during the COVID-19 pandemic thanks to this shift in service provisioning. And outside of work, we interact with SaaS applications daily, streaming on Spotify and Netflix, hailing rides on Uber and Lyft, and keeping up with friends and family via Zoom.
It doesn’t stop there. SaaSification is now transforming the way cybercriminals behave, causing a step change in how they provision and launch their attacks.
With everyone accessing work (and, often, personal) email via laptops and mobile devices connected to your organization’s network, it is necessary to understand what the commercialization of cybercrime means for you.
What is Phishing-as-a-Service (PhaaS)?
PhaaS enables cybercriminals to engage in ‘vendor’ and ‘buyer’ relationships, making it possible to purchase every element required for a phishing attack.
So-called ‘phishing kits’ are compiled by experienced and organized cybercriminals, and then are made available for online purchase. These kits typically contain everything the buyer needs to launch a phishing attack, such as email and webpage templates, malware, and email addresses of potential targets. They can also contain step-by-step installation instructions for the buyer, making it as easy as possible to follow to launch their attacks.
Why is PhaaS a concern?
PhaaS lowers the financial and technical barriers to entry for phishing.
Recent research published by Egress found examples of phishing kits available from as little as $40. We also uncovered subscription services – such as one that advertised a premium subscription service costing $499 upfront and a monthly fee of $199. With their subscription, buyers can access an online platform with over 20 pre-loaded phishing kits that target financial institutions and consumer brands, as well as access to an additional 15 new phishing kits every month.
Much like the use of SaaS applications saves legitimate organizations from developing their own software, PhaaS means a cybercriminal can launch more attacks within a given timeframe and without necessarily personally possessing all the skills required. For example, it makes it far easier for someone with little-to-no HTML skills to get their hands on a well-crafted and convincing phishing email and webpage. Whereas their own work might not have fooled your people – perhaps due to poor formatting, spelling and grammar errors, and low-quality images – these less-skilled individuals are now able to piggyback off the work of more refined criminals and launch highly convincing attacks.
What’s the risk to your organization?
Every person working in every company is targeted by phishing emails. These days, phishing emails are sadly just another cost of doing business. And these attacks are bypassing the traditional perimeter defenses of secure email gateways (SEGs) and landing in people’s inboxes. The next part is also sadly inevitable. Recent research by Egress found that 73% of organizations have been the victims of successful phishing attacks in the last 12 months.
We can’t blame people for being human. Cybersecurity awareness has increased dramatically in recent years and people are genuinely getting better at spotting phishing emails. But they’re not perfect and we can’t rely on individuals to detect every phishing email every time – and that’s what it takes, because just one misstep by one person clicking a malicious link or opening a malicious attachment, and that’s all a hacker needs to compromise your organization.
The impact of PhaaS is an increased number of targeted phishing attacks aimed at your people, in turn heightening the risk and likelihood that just one person will fall victim. It means your organization needs to defend against a greater volume of sophisticated attacks, which for many, will require a change in your approach to your anti-phishing defenses and security awareness.
How can you protect your people and your organization from PhaaS?
Technology is the best way to reduce your risk of a successful phishing attack.
“But what about security awareness training?” I hear you cry! Keep those programs running – but accept they have a ceiling. We invest in security awareness training at Egress to maintain our compliance accreditations and to help educate our people.
Every training program, however, has its limits. You need your people to be switched-on and actively learning in the moment, and then able to clearly recall what they’ve been taught days, weeks or months down the line when they’re in a real-life phishing scenario. And we know that cybercriminals socially engineer their attacks to move people out of logical thinking patterns, when they can remember and implement their training, into emotional and irrational decision-making.
That’s when they need technology to step in and help them to work securely.
We touched briefly on SEGs earlier. These are the traditional security defenses deployed at an organization’s perimeter to scan inbound emails and quarantine threats. While they’re good at filtering spam and scanning for known viruses, a high proportion of phishing attacks bypass the SEG and land in people’s inboxes. Firstly, SEGs can only identify known threats and not emerging attacks. They use static technology that doesn’t know what it doesn’t know, and leaves you exposed to new attacks and tactics. And smart cybercriminals know that – so they’re engineering their attacks to avoid SEG detection. SEGs scan for subject lines from known attacks; cybercriminals are leaving subject lines blank. SEGs scan for known malicious URLs; cybercriminals are weaponizing their links post-delivery. The list goes on.
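To make the gap described above concrete from the defender’s side, here is an added illustration (not Egress code, and not any product’s logic) of why a purely static, delivery-time gateway check misses the two evasions the paragraph names, and why a time-of-click re-check closes part of that gap. The messages, subject lines and blocklists are constructed sample data; the hostnames use the reserved `.invalid` TLD and are placeholders, not real indicators.

```python
"""Delivery-time vs click-time link evaluation (added illustration).

Constructed sample messages and blocklists; hostnames are placeholders.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")


@dataclass
class Message:
    subject: str
    body: str


def extract_urls(body: str) -> list[str]:
    """Pull http(s) links out of a plain-text body."""
    return URL_RE.findall(body)


def gateway_verdict(msg: Message, known_bad_subjects: set[str], blocklist: set[str]) -> str:
    """Static gateway check: known subject lines and known-bad hosts, evaluated once at delivery."""
    if msg.subject.strip().lower() in known_bad_subjects:
        return "quarantine"
    for url in extract_urls(msg.body):
        if urlparse(url).hostname in blocklist:
            return "quarantine"
    return "deliver"


def click_time_verdict(url: str, blocklist_now: set[str]) -> str:
    """Re-evaluate a delivered link at the moment the user clicks, against the current blocklist."""
    return "block" if urlparse(url).hostname in blocklist_now else "allow"


# Constructed sample state: what the gateway knew at delivery time.
KNOWN_BAD_SUBJECTS = {"your account has been suspended"}
BLOCKLIST_AT_DELIVERY = {"known-bad.invalid"}
# Constructed: by click time the second link's host has been reported and added.
BLOCKLIST_AT_CLICK = BLOCKLIST_AT_DELIVERY | {"lure.invalid"}

SAMPLES = [
    # Matches a known subject line and a known-bad host: the static check catches it.
    Message("Your account has been suspended", "Log in at https://known-bad.invalid/login"),
    # Blank subject and a host that was clean at delivery: the static check delivers it.
    Message("", "Please review the document: https://lure.invalid/doc"),
]


def evaluate(samples: list[Message] = SAMPLES) -> list[tuple[str, dict[str, str]]]:
    """Return (gateway verdict, per-link click-time verdict) for each sample."""
    results = []
    for msg in samples:
        gw = gateway_verdict(msg, KNOWN_BAD_SUBJECTS, BLOCKLIST_AT_DELIVERY)
        clicks = {u: click_time_verdict(u, BLOCKLIST_AT_CLICK) for u in extract_urls(msg.body)}
        results.append((gw, clicks))
    return results


if __name__ == "__main__":
    for msg, (gw, clicks) in zip(SAMPLES, evaluate()):
        print(f"subject={msg.subject!r:40} gateway={gw:10} click-time={clicks}")
```

The second sample is the one the paragraph is about: nothing in the message is on a list at delivery, so a delivery-only check lets it through, and only a control that evaluates the link again when it is actually used sees the later change. That is the argument for defenses that sit in the mailbox and keep judging after delivery rather than once at the perimeter.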
Organizations therefore need to look to intelligent integrated cloud email security solutions that can detect zero-day and emerging attacks, and can be deployed directly into people’s mailboxes to keep them safe.
What should you look for in an intelligent anti-phishing solution?
The first element is how it engages with your people. There are real-time teachable moments in everyone’s day – including when a phishing email lands in a person’s inbox.
By delivering a neutralized threat to an individual and offering a clear explanation of why it’s a phishing email, they can see the risks for themselves. This will activate their security awareness training on a daily basis, making it more effective for the longer term. Quarantining emails at the gateway and never showing them to their targets means that when someone is faced with a cyber-threat in real life (for example, a phishing email delivered to their personal email that they’re accessing on a work laptop), they won’t know what to look for and could fall victim.
The second is the approach taken to develop the software. For an anti-phishing solution to be truly effective, it needs to be built using a zero-trust approach, so that it examines every inbound email to verify whether it’s a threat. The solution should use machine learning and natural language processing technologies to enable it to understand the context and content when arriving at its decision. The solution also shouldn’t use social graph technology or update its algorithms based on people’s feedback, meaning non-cyber experts can’t poison its detection capabilities.
This approach enables the anti-phishing solution to detect the most sophisticated and emerging attacks, including those launched using compromised supply chain accounts that were previously trusted.
People are only human: they will make mistakes and fall for phishing attacks – but with the right email security defenses, you can not only protect your organization but transform your people into your first line of defense.
Tony Pepper, Co-founder, Egress Software Technologies