Phishing is a regular topic here on the Panda Security blog. Mainly because it presents such a risk to our users. Our articles tend to focus on how hackers reuse stolen credentials to compromise accounts to commit crimes like identity theft or fraud.

But the reality is that phishing is a profitable activity itself. 

Hackers are selling your account details

Phishing attacks have one purpose – to steal your usernames and passwords. Cybercriminals use carefully crafted messages to trick you into visiting a fake website that looks legitimate. But when you ‘login’, hackers collect your password. 

Typically, people send these messages via email. But as attacks become more sophisticated they may also be received via text message, phone call or even app notifications on your smartphone. Advanced attacks may use two or more channels at once (email + SMS for instance) to make the message appear more legitimate – and urgent.

Once harvested, hackers have a choice. To use the credentials to launch their own attacks or to sell them onto other criminals. Usernames and passwords are extremely valuable too. Although a Microsoft 365 account login can be bought on the dark web for a few dollars, bank account details are worth more than $4000 each. Even credentials for general websites hold some financial value because so many people reuse their passwords between services.

Realising this, hackers now buy and sell compromised credentials to each other. One estimate suggests that there are more than 24 billion username and passwords combinations for sale on the dark web.

Phishing as a Service

One of the most worrying cybersecurity trends is the commoditisation of phishing. Virtually anyone can now “rent” tools to automate and simplify phishing, allowing them to get into credential theft. In the same way that you pay a monthly/annual subscription fee for antivirus software or Netflix streaming, low-skill hackers can subscribe to advanced hacking tools on the dark web.

Some advanced phishing-as-a-service tools, such as Greatness and W3LL Panel, can defeat the two-factor authentication (2FA) mechanisms used by many services to protect user accounts. And although security tools can help to protect you against these attacks, your best defence is still common sense. Take a look at our
10 Tips to Prevent Phishing Attacks to learn more.

Passwords still matter

The IT industry is slowly moving away from passwords, but they remain an essential security protection for most web services. To reduce the potential damage caused by your credentials being exposed always use a unique password for every account.

Obviously this is easier said than done, so choose a secure password manager to generate and store logins – much easier than trying to remember them all yourself! This approach ensures that if someone hacks your eBay account, they cannot use the same password to access your bank account (or similar).