Threat of the Week: Phishing as a Service (PhaaS)

 

September 26th, 2025

Threat of the Week #01

Phishing is one of the oldest and most common tricks in the cybercriminal’s playbook. The threat actor sends a message that appears trustworthy, often pretending to be your bank, a retailer, or even someone from your office. Their ultimate goal is to persuade you to click on links that lead to fake websites designed to closely resemble authentic company sites, which can then trick you into entering your username and password or downloading harmful software. But what happens when hackers launch phishing attacks on an industrial scale, targeting organizations and their clients with unprecedented frequency and sophistication?

Phishing as a Service (PhaaS) is a term that describes an emerging criminal practice where prepared phishing tools and campaigns are sold or lent to other cybercriminals.

Key Points:

  • PhaaS platforms dramatically lower the barrier to entry for conducting phishing attacks.

  • PhaaS providers offer pay-per-use and subscription-based services, with the most sophisticated even offering services tailored to specific targets.

  • The emergence of PhaaS has led to an increase in both the number and sophistication of phishing threats targeting organizations and their clients.

What started out as hackers building do-it-yourself phishing tools that still required a degree of expertise to use has evolved into comprehensive “turnkey” phishing services. PhaaS marketplaces even have customer-friendly dashboards, allowing potential customers to track and analyze the effectiveness of attacks.

The evolution of Phishing as a Service has made it increasingly important for security professionals to stay vigilant and continually educate one another about how to recognize and defend against evolving cyber risks.

— Ben Skinner

 