With Crime-as-a-Service, anyone can be an attacker

Crime-as-a-Service (CaaS) is the practice of experienced cybercriminals selling access to the tools and knowledge needed to execute cybercrime – in particular, it’s often used to create phishing attacks.


For hackers, phishing is one of the easiest ways to steal your organization’s data. Traditionally, executing a successful phishing campaign required a seasoned cybercriminal with technical expertise and knowledge of social engineering. However, with the emergence of CaaS, just about anyone can become a master of phishing for a small fee.

CaaS providers offer everything the amateur attacker needs to create their own successful phishing attack, from detailed target lists to branded email templates. Attackers can even pay for access to compromised servers to hide their tracks more easily. By removing many of the barriers to entry, this trend has made it easy to craft an effective phishing attack. And that’s a big problem for the organizations being targeted.

Why should organizations be concerned?

Crime-as-a-Service has made phishing an even more attractive method of attack for cybercriminals, by making it more accessible and less labor-intensive. Why spend months looking for an organization’s security vulnerabilities when you can hit them with a ready-made phishing attack? It’s also made phishing campaigns more easily scalable because it takes criminals takes less time and effort to execute their attacks.

CaaS has technical advantages: using downloadable templates, attackers with little knowledge can create evasive attacks that are more likely to land in your employee’s inbox. They use advanced methods such as content encryption, inspection blocking, and URLs hidden in attachments to evade detection. With attackers able to execute a high volume of technically sophisticated attacks, the threat to organizations is clear.

Concerningly, not only are these campaigns easy to execute, they’re also highly effective.

Phishing attacks executed using CaaS tools are designed to exploit employees, which makes them harder for organizations to mitigate. They use social engineering tactics to trick end users, often through building up trust and creating urgency to respond quickly. They can use open-source intelligence, gathering data from company websites, social media profiles and past data breaches to craft credible spear-phishing campaigns.

Before Crime-as-a-Service, an attack carried out by an entry-level attacker would most likely be poorly crafted and clumsy, easily blocked by spam filters or identified by an employee. But with access to an experienced attacker’s technical knowledge and templates, the amateur criminal can carry out effective campaigns from day one.

The consequences of even a single successful phishing attack can be damaging for the target organization. The financial costs can add up quickly, from the cost of remediating the breach itself to regulatory fines and, in some cases, compensation paid to data subjects. There’s also the potential for financial losses because of business disruption – particularly if the phishing email contains malware. Beyond this, organizations affected by phishing face reputational damage that can weaken customer trust and taint their brand for the long term.

How can organizations protect themselves?

Many organizations see security awareness training as the best way to protect their employees against phishing. Training can provide employees with the knowledge to spot a phishing attack, but many employees’ first response to a malicious email is to act first and think later. This is especially true for stressed, distracted, and busy employees, who are simply trying to get their job done quickly.

It’s only when they stop to consider the email later that the training knowledge kicks in. That’s why it’s vital that organizations support security awareness training with the right technological solutions.

To truly protect their employees from the threat of phishing, organizations must look to human layer security. Intelligent technology that adopts a zero-trust model offers the highest level of protection by analyzing each email’s content before it reaches the user’s inbox.

Additionally, solutions that utilize machine learning and natural language processing (NLP) can more effectively detect advanced phishing threats than static solutions, such as secure email gateways (SEGs), and even newer tools that rely heavily on social graphing. Tools with NLP functionality can detect even the most sophisticated attacks, including those that have used compromised accounts or utilized open-source intelligence to make their attacks more convincing.

The right technology can even support and enhance existing security awareness training initiatives, with active learning built in to point out phishing attempts to the user. This takes training beyond a one-touch approach and helps employees to remain engaged and educated over the long-term.

Crime-as-service has made it easier than ever for attackers to carry out dangerous phishing campaigns, and security teams must remain vigilant in the face of the increasing volume of advanced attacks. Organizations must ensure that they’re using the right technology to safeguard their people, and their data, from this new generation of cybercriminals.

Don't miss