Skip to main content
Hacker launching a ready-made phishing as a service campaign at a low cost.

Phishing emails have been an extremely effective tool for malicious actors, and their use only increases from year to year. Hackers use them to steal data to sell on the dark web, launch ransomware attacks, and perform other malicious activities that allow them to make money from someone accidentally clicking a suspicious link. Because phishing attacks are so lucrative, hackers have now begun selling phishing kits to up and coming cybercriminals, lowering the skill ceiling necessary to start attacking businesses. Let’s talk about what phishing as a service is and what your business can do to protect its data from phishing campaigns!

What is Phishing as a Service?

Phishing as a service often functions similarly to how a legitimate business procures services from its managed service provider (MSP). An experienced hacker will offer prepackaged phishing kits to buyers that they can purchase and use to begin sending out a large number of phishing emails. For a higher price, the hackers can even customize the phishing campaigns or offer their knowledge on how to best launch and improve the phishing campaign over time. Often, the hacker selling the phishing as a service package will already be running campaigns of their own and sell their kit as an additional way to earn money while they attack businesses.

What is in a Phishing as a Service Kit?

Malicious actors will bundle everything an up-and-coming cybercriminal needs into a ready-to-go kit that allows them to launch their own phishing campaigns. These kits will include templates for the emails to be sent out, fake landing sites to collect user information, a ready-made list of targets to begin sending emails to, and a way to contact the seller for advice and troubleshooting. The cost of these kits is often surprisingly low as some of the simplest kits cost less than $100 to get started. The buyer of the kit does not need much experience to begin their campaign, meaning anyone who can procure a phishing as a service kit off the dark web can begin launching attacks the same day.

What Can Your Business Do?

The rise of phishing as a service means that businesses will have even more phishing emails attempting to trick employees into handing over their credentials or other sensitive data. Even though the attacks are carried out by novices with the support of an experienced hacker, small businesses should take this threat seriously and work to improve their phishing awareness training. Ensuring employees know how to identify a phishing email and understand the proper steps to reporting it to IT is an essential first step a company can take. Small businesses should also consider working with an experienced IT consultant to identify gaps in the cybersecurity posture and acquire the tools and knowledge necessary to keep their network safe.


Phishing as a service is a strong sign that phishing emails won’t be going anywhere any time soon. With the skill ceiling being lowered for new cybercriminals to start launching their own campaigns, Robinett Consulting believes it is essential that small and large businesses take proactive steps to improve their cybersecurity defense. Our team of security specialists focus on bringing high-quality IT to small businesses that need solutions as unique as their business. If you think your business needs to improve its response to phishing attacks, then our team is waiting to have a free consultation with you today!

Robinett Consulting

Author Robinett Consulting

At Robinett Consulting, we are your consultative partner who strives to grow your business and have technology truly enabling you. We aim to understand you and your business so that you do what you do best unhindered by your IT.

More posts by Robinett Consulting