PhaaS: It’s like Netflix, but for criminals 

Executive summary 

  • Phishing-as-a-service (PhaaS) has made sophisticated phishing campaigns as easy as signing up for Netflix, lowering the barrier for cybercriminals and bombarding businesses with ever more convincing scams. 
  • Tech giants like Microsoft have clamped down on major PhaaS operations recently, but new services pop up all the time. For organisations, this is best treated as an evolving threat. 
  • The best defence against PhaaS combines phishing-resistant authentication, email filtering, a rehearsed incident response plan, and realistic staff training.  

Introduction 

Phishing used to be something you could spot a mile off.  

An iffy-looking logo here, a smattering of spelling mistakes there. For many of us, it’s become second nature to spot email scams like this.  

But things may not be so simple anymore.  

In 2025, even small-time criminals can buy access to sophisticated phishing software that mimics real websites and captures login credentials. These Phishing-as-a-Service systems are sold on a subscription model, and no technical knowledge is required to get up and running. 

So, yes, it really is a bit like Netflix. But for cybercriminals.  

What is Phishing-as-a-Service? 

Phishing-as-a-Service, or PhaaS, is essentially a criminal subscription model. Enterprising cybercriminals provide ready-made phishing kits, hosting, and dashboards that let anyone – even those without technical skills – launch phishing campaigns from pretty much anywhere. 

This “service” can include: 

  • Templates and landing pages. Cloned login screens for Microsoft 365, your bank, or even courier services like Evri and Royal Mail. 
  • Automated delivery. Email or SMS campaigns that rotate sending domains and links so that block lists and filters lag behind. 
  • Real-time dashboards. Attackers can see who clicked and who entered credentials. Adversary-in-the-middle kits go further: they proxy the real login page, so one-time MFA codes and the resulting session cookie can be captured and reused. 
  • Support and updates. Some PhaaS platforms even offer guidance for the less experienced attackers, making it almost plug-and-play. 

The result is a professionalised phishing ecosystem that grows rapidly, floods inboxes, and targets multiple layers of an organisation’s defences. 

How a PhaaS attack might play out 

So how does a PhaaS attack actually happen?  

It’s no longer the reserve of a hoodie-wearing hacker in a bedroom somewhere. These days, anyone with the will to do so can have a campaign up and running by paying a small fee.  

Here’s what that might look like in the real world: 

  1. A “wannabe” cybercriminal subscribes to a PhaaS provider and pays a monthly fee for access to a PhaaS kit. This will include everything they need to mimic common login pages, like Microsoft 365. 
  2. The attacker then customises the campaign. Depending on who they want to target, they’ll choose a brand, tweak the wording, adjust logos, and upload a list of targets. These may be scraped email addresses or data bought on the dark web.  
  3. The PhaaS platform then spins up the fake site, sends out thousands of emails, and may rotate domains and IP addresses automatically to swerve automated defences.  
  4. Next, the victim takes the bait. A staff member receives what looks like a legitimate email, clicks through, and inadvertently enters their credentials on a cloned page.  
  5. Now the attacker simply waits for the stolen data to roll in. From there, it’s a case of either using the credentials themselves or selling them to another criminal group.  

This might all sound complex, but in reality a campaign can be set up in less than an hour. That’s the biggest danger of industrialised phishing: it operates at a speed and scale we’ve never seen before. Throw AI into the mix, which can draft and personalise convincing lures without a human in the loop, and you can see how big a problem PhaaS has become.  

What UK businesses can do about it 

Okay, so that’s how PhaaS works – now let’s look at what you can do to avoid it. 

As we’ve covered many times before here at Get Support, there’s no magic wand for phishing. There’s no single solution that can protect your business in perpetuity. Instead, there are practical, dependable steps that you can take to make your business a much tougher target. In our experience, that’s often enough to encourage cybercriminals to look for a softer one.  

Here’s where to start: 

1. Use phishing-resistant authentication. Passkeys or FIDO2 security keys make a stolen password worthless: the credential stays on the device and is bound to the genuine site’s web origin, so a cloned page can neither request it nor replay it. 
2. Review access controls. Don’t give employees more access than they really need, and be sure to remove it when it’s no longer required. Simple, but often overlooked. 
3. Bolster your email filtering. Advanced threat protection tools can detect malicious links, QR codes, and sender spoofing before they reach your team’s inbox. 
4. Train people like it’s real life. Simulate modern phishing tactics – SMS, QR codes, or fake Teams invites – and not just the “bad spelling and a fake logo” kind. 
5. Plan your response. Know who does what if someone clicks the wrong link. Quick isolation, credential resets and session revocation can stop a single mistake from snowballing into a crisis. 
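To show why step 1 holds up against a cloned page, here is an added example (not code from the original post, and not any vendor’s implementation): a stdlib-only toy model of the WebAuthn checks that make passkeys and FIDO2 keys phishing-resistant. The hostnames are constructed, and the authenticator’s public-key signature is stood in for by an HMAC so the script runs offline; the RP ID suffix rule in the browser and the origin check at the relying party are the real WebAuthn rules.

```python
"""Added example: why a FIDO2/WebAuthn credential cannot be harvested by a
cloned login page.  HMAC stands in for the authenticator's public-key
signature; all hostnames below are constructed for illustration."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                            # constructed relying party
RP_ORIGIN = "https://login.example.com"
PHISH_ORIGIN = "https://login-example.com.evil.test"   # constructed PhaaS clone


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stands in for a passkey / security key: one key, scoped to one RP ID."""

    def __init__(self):
        self._keys = {}  # rp_id -> secret (a real device holds a private key)

    def make_credential(self, rp_id: str) -> bytes:
        self._keys[rp_id] = secrets.token_bytes(32)
        return self._keys[rp_id]  # toy: the RP stores this; really it stores the public key

    def get_assertion(self, rp_id: str, client_data_hash: bytes):
        key = self._keys.get(rp_id)
        if key is None:
            raise LookupError(f"no credential scoped to {rp_id!r}")
        auth_data = sha256(rp_id.encode()) + b"\x01"  # rpIdHash || flags (user present)
        sig = hmac.new(key, auth_data + client_data_hash, "sha256").digest()
        return auth_data, sig


class Browser:
    """The user agent rejects an RP ID that is not a registrable suffix of the
    page's origin, and writes the page's *actual* origin into clientDataJSON."""

    def __init__(self, authenticator: Authenticator):
        self.auth = authenticator

    def credentials_get(self, origin: str, rp_id: str, challenge: bytes):
        host = origin.split("://", 1)[1].split("/", 1)[0]
        if not (host == rp_id or host.endswith("." + rp_id)):
            raise PermissionError(f"{rp_id!r} is not a valid RP ID for {origin!r}")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge.hex(), "origin": origin},
            sort_keys=True).encode()
        auth_data, sig = self.auth.get_assertion(rp_id, sha256(client_data))
        return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id: str, origin: str):
        self.rp_id, self.origin, self.users = rp_id, origin, {}

    def verify(self, user, challenge, client_data, auth_data, sig) -> bool:
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge.hex():
            return False
        if cd.get("origin") != self.origin:            # the anti-phishing check
            return False
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False
        expected = hmac.new(self.users[user], auth_data + sha256(client_data), "sha256").digest()
        return hmac.compare_digest(expected, sig)


def setup():
    auth = Authenticator()
    rp = RelyingParty(RP_ID, RP_ORIGIN)
    rp.users["alice"] = auth.make_credential(RP_ID)   # registration on the real site
    return auth, Browser(auth), rp


def legitimate_login() -> bool:
    _, browser, rp = setup()
    challenge = secrets.token_bytes(32)
    return rp.verify("alice", challenge, *browser.credentials_get(RP_ORIGIN, RP_ID, challenge))


def cloned_page_login() -> str:
    """The PhaaS clone relays the real site's challenge and asks for its credential."""
    _, browser, rp = setup()
    challenge = secrets.token_bytes(32)
    try:
        browser.credentials_get(PHISH_ORIGIN, RP_ID, challenge)
    except PermissionError:
        return "browser refused: RP ID does not match the phishing origin"
    return "unexpected: assertion produced"


def forged_client_data_login() -> bool:
    """Even if the browser check were bypassed, the signed clientDataJSON still
    names the phishing origin, so the relying party rejects the relayed assertion."""
    auth, _, rp = setup()
    challenge = secrets.token_bytes(32)
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge.hex(),
                              "origin": PHISH_ORIGIN}, sort_keys=True).encode()
    auth_data, sig = auth.get_assertion(RP_ID, sha256(client_data))
    return rp.verify("alice", challenge, client_data, auth_data, sig)


if __name__ == "__main__":
    print("legitimate:", legitimate_login())
    print("cloned page:", cloned_page_login())
    print("forged client data accepted:", forged_client_data_login())
```

Contrast this with a password: whatever the user types into the cloned page is exactly what the real site accepts, so the kit only has to forward it. With a passkey there is nothing for the victim to type, the browser will not release the credential to the wrong origin, and the relying party independently checks the origin the signature covers.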

Don’t wait for the worst to happen 

The reality here is that Phishing-as-a-Service isn’t going away. If anything, it’s getting more professional and widespread. That means preparation and practice matter more than ever. 

So, if you’d like help shoring up your defences – from MFA deployment to user training or response planning – just speak to your Get Support Customer Success Manager or call our friendly team on 01865 594 000