Cybercrime is big business. In 2023 alone, criminals stole an estimated £30.5 billion from UK businesses – the equivalent of almost £60,000 every minute!
While a number of different scams and tactics were at play (including malware, extortion and fraud), one strategy that continues to be very successful is phishing.
Such attacks are designed to infect a victim’s device with malware or to trick them into handing over sensitive information. These types of cyberattacks can take many forms, from letters and emails to phone calls, text messages and QR codes.
And it’s a big problem. According to the government’s latest Cybersecurity Breaches Survey, 56% of businesses and 62% of charities reported data breaches in the last 12 months, with a massive four in five (79%) respondents reporting a phishing attack.
This trend hasn’t gone unnoticed by entrepreneurial gangs who are finding new ways to capitalise on it, including flipping a traditional business model on its head to provide Phishing-as-a-Service (PhaaS).
What this basically involves is gangs providing would-be criminals – even those with minimal technical skills – with everything they need to get started. This has opened up access, contributing to a significant rise in phishing attacks.
One such operation was recently uncovered. Called LabHost, it was described as a ‘cyber fraud superstore’ by the ICAEW. LabHost sold phishing subscriptions for up to $3,000 a month, including customisable email and text message templates, as well as facilities to harvest PINs, personal information and security question answers.
By the time the site was removed, 70,000 UK victims had been identified. Globally, it’s estimated the platform was responsible for the theft of 480,000 card numbers, 64,000 PIN numbers and over 1m passwords!
While LabHost has thankfully been stopped and 37 arrests made, it isn’t the only operation following the ‘crime-as-a-service’ model.
So, what can you do to best protect your business against phishing?
Given the significant risk, it is crucial for SMEs to have robust cybersecurity measures in place, to both lower the risk of a successful phishing attack and minimise the potential impact that one may have.
Here are 8 steps you can take to better protect yourself:
Invest in comprehensive cybersecurity solutions that provide enterprise-level security. This includes computer security, email security, password security, and backup and recovery systems.
Passwords alone are no longer sufficient to protect sensitive data. Implementing multi-factor authentication adds an additional layer of security by requiring users to verify their identity through multiple means, such as a password and a unique code sent to their mobile device.
Regular cybersecurity awareness training is essential for all employees. Aim to educate staff on how to recognise and avoid phishing scams, the importance of strong passwords, and best practices for maintaining cybersecurity.
The phrase ‘security patches’ refers to updates that software companies release to address issues, including security vulnerabilities within programs and products, to fix performance bugs, and to provide enhanced security features.
Conduct regular security assessments to identify any vulnerabilities and then make sure you address them promptly. This includes evaluating IT infrastructure, software, and security protocols.
Implementing a robust backup and recovery system is crucial for protecting data in the event of a cyber incident. Make sure your data is regularly backed up in a secure way, so it can be quickly restored if needed.
Make sure you have an incident response plan in place that outlines the steps the business will take in the event of a security breach. The plan should include core steps such as how you will monitor for and identify any incidents, how you will contain the damage, how you will investigate the root cause, and who you will need to notify.
The cyberthreat is constantly evolving. By partnering with a team of experts (like ourselves here at Dragon IS), you can stay ahead of new and existing threats and ensure your cybersecurity measures are always up to date.
In need of expert support?
Here at Dragon IS, we work with small and medium sized businesses, helping them with a broad range of issues relating to their IT infrastructure and cybersecurity. For an informal chat about your IT needs, please email info@dragon-is.com or call us on 0330 363 005.