How businesses can defend themselves against the rise of ‘phishing as a service’ | Tech Radar

Overview

News, deals, reviews, guides and more on the newest smartphones

News, deals, reviews, guides and more on the newest computing gadgets

Details

Start exploring exclusive deals, expert advice and more

Unlock and manage exclusive Techradar member rewards.

How businesses can defend themselves against the rise of ‘phishing as a service’

When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Unlock instant access to exclusive member features.

Get full access to premium articles, exclusive features and a growing list of member rewards.

Phishing has evolved beyond obvious tells, such as bad grammar and spelling, or fake email addresses.

In fact, most obvious phishing red flags – unprofessional design, faulty website links – no longer apply. Phishing attacks are polished and often look exactly like a message from a colleague or a bank.

And gone are the days when hackers worked alone out of random premises. That’s another misconception: today’s cybercriminals operate like fully-fledged corporations. They’re licensing tools to partners – ready-made “all in one” phishing kits – who execute attacks.

Authentication in 2026 - moving beyond foundational MFA to tackle the new era of attacks

Hackers are using LLMs to build the next generation of phishing attacks - here's what to look out for

US workers think they're pretty good at spotting phishing emails - but the reality is quite different

There are typically two purchase models; a one-time purchase of a ‘phishing kit’, which can be simple or advanced. More advanced kits include features like geo-blocking and antidetection elements to evade antiphishing bots and search engines.

The other purchase model customers can go for is a subscription-based model where a Phaa S operation takes care of the entire phishing campaign, or a large part of it, for the customer.

What is particularly dangerous about these kits is that they are evolving, as cybercriminals are constantly evolving their methods to avoid being detected. But these attackers aren’t even necessarily smarter-they’re just faster.

Keeping pace will require businesses to adopt a layered, proactive strategy which is built around visibility, automation, and trust minimization.

Most SMBs aren't set up to survive a major cyberattack - here's what needs to be done

Who are the most spoofed brands in phishing scams? Let's be honest, you can probably guess most of them - but there are a few surprises

The human paradox at the center of modern cyber resilience

Set against this backdrop, businesses should adopt the mindset that a breach could occur at any moment. This means ensuring requests from users and devices are verified. Integrating identity and access controls helps limit who can do what, and when. That way, if businesses are attacked, the fallout is minimized.

The MITRE framework recommends continuous monitoring, as the only way to spot the subtle patterns that signal an attack in progress. Businesses should monitor application logs, network traffic, and file creation.

This entails using software that can monitor network traffic and perform packet inspection, as well as conduct offline analysis on emails. And organizations should be on the lookout for any new files created from phishing messages. This could be the result of an adversary trying to gain access to vulnerable systems.

There are software tools which can provide businesses with analytics to detect techniques and sub-techniques used to carry out phishing attacks or attempt to gain initial access.

Businesses should be taking action to protect employees – many who don’t even realize they’re at risk. For example, they could implement phishing-resistant MFA such as biometrics, hardware security keys and passkeys, without adding friction to the user experience.

Phishing-resistant MFA is designed to be extremely difficult to crack and to provide protection against device-code compromise. It’s a crucial step on the battle to stay ahead of the phishers, which can also be helped by deploying user and entity behavior analytics (UEBA) profiling to spot anomalies.

Similarly, security orchestration, automation, and response (SOAR) capabilities can be used to automatically execute workflow profiles and assign tickets to security admins to quickly remediate a phishing attack.

It’s also useful for businesses to examine endpoint security and identify any blind spots. Organizations should be set up to deploy patches quickly, detect and defuse threats like ransomware, enforce least-privilege access with MFA, and protect sensitive data wherever it resides.

Businesses should be treating cybersecurity defense like a continuous operation, not a quarterly checklist. This means ensuring buy-in across the organization, and making security everyone’s purview, rather than just that of the IT team.

To build a culture which is cybersecurity conscious, businesses must be sharing threat intelligence across teams. They should also be educating employees into why cybersecurity defense is important, by running red team exercises to simulate attacks.

Conducting regular training sessions on recognizing phishing attempts and using strong passwords is a great first step in the right direction. Employees should be kept aware of how phishing attacks are evolving and getting ever smarter: from artificially intelligent phishing emails to deepfake impersonations and self-evolving malware.

Protecting businesses against Phaa S requires rethinking how they can stay ahead. It’s not just about firewalls, antivirus tools, and endpoint security: it’s also about building a security-aware culture that adapts and anticipates attacks.

This article was produced as part of Tech Radar Pro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of Tech Radar Pro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

You must confirm your public display name before commenting

1VPN interest surges in Indonesia as under-16 social media ban takes effect

2 Forget Amazon — here are 3 gaming laptop deals from Walmart's rival sale that have the rest beat

3 Forget The Super Mario Galaxy Movie — Chris Pratt’s unhinged AI sci-fi movie on Prime Video is what you need to stream this week

4'When intelligence and trust move together, AI stops being an experiment and starts becoming how work gets done': Microsoft and Open AI are making AI research tools smarter to help answer even your trickiest questions

5 What is the release date for Daredevil: Born Again season 2 episodes 2 and 3 on Disney+?

Tech Radar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.

© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.

Key Takeaways

• News, deals, reviews, guides and more on the newest smartphones
• News, deals, reviews, guides and more on the newest computing gadgets
• Start exploring exclusive deals, expert advice and more
• Unlock and manage exclusive Techradar member rewards

• How businesses can defend themselves against the rise of ‘phishing as a service’