🧠 In This Issue:
What exactly is Phishing-as-a-Service (PhaaS)—and how it industrialises cybercrime
How AI is transforming phishing into precision targeting
The tools and platforms driving this trend
Practical protections you can put in place today
🔍 Main Feature
Phishing-as-a-Service (PhaaS): The AI-Enhanced Business Model of Modern Scams
Gone are the days when phishing was a clumsy scam from a Nigerian prince. In 2025, it’s streamlined, scalable, and terrifyingly effective—thanks to Phishing-as-a-Service (PhaaS).
Think of it like Software-as-a-Service (SaaS), but for criminals.
PhaaS kits offer everything a wannabe attacker needs:
Pre-built phishing templates mimicking Gmail, Microsoft, and banking apps
Infrastructure for hosting and real-time credential harvesting
Features like 2FA-bypass kits and AI-generated scripts
Platforms like EvilProxy, Tycoon 2FA, and Caffeine have made phishing campaigns faster, cheaper, and harder to detect. Some even come with customer support.
🤖 AI Is Supercharging the Threat
Here's how artificial intelligence is turning phishing into a precision weapon:
🧬 Hyper-Personalisation:
AI scrapes LinkedIn bios, breached data, and social profiles to craft emails that sound like your HR team—or your best friend.
🗣️ Voice Cloning & Voicemail Scams:
Some kits now include audio phishing tools that simulate real voices to pressure targets via phone.
🧠 Real-Time Adaptive Text:
Natural language models mimic corporate tones (“Your Benefits Portal Needs Review”) with uncanny accuracy.
📂 Case File Snapshots
🗂️ EvilProxy (2025): Fake Microsoft 365 login pages harvested 120,000+ credentials in 30 days.
🗂️ Tycoon 2FA: Offered OTP-stealing kits targeting Google, Apple, and banking services.
🗂️ Caffeine: A free-tier phishing kit with an API for scaling personalised scams—popularised across underground forums in 2024.
Trace Protocol is tracking these kits and will be publishing deep-dive case files soon.
🔒 Tool Spotlight
Tool: Have I Been Pwned
Use: Check if your email or password has been exposed in known data breaches.
Why it matters: If your data is already circulating, you're a prime target for PhaaS-based phishing.
🔒 Quick Tip: How to Vet Suspicious Emails
Before clicking:
Hover over links to check domains
Cross-check sender addresses
Look for mismatched branding or urgency cues (“ACT NOW!”)
If unsure—don’t engage. Forward it to your IT/security team or delete.
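The three checks above (link domain vs. visible text, sender address vs. display name and Reply-To, urgency cues), turned into a small mail-vetting script as an added example that is not code from The Cyber Compass; the sample message, its `.example` domains and the helper names are constructed for illustration only.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

URGENCY_CUES = ("act now", "urgent", "immediately", "suspended", "within 24 hours")
DOMAIN_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", re.I)
# Good enough for the constructed sample; a real mail pipeline should use an HTML parser.
ANCHOR_RE = re.compile(r'<a\b[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)

def reg_domain(host):
    """Last two labels of a hostname (hypothetical helper: no public-suffix list)."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def vet_email(raw):
    """Return a list of warnings for the three checks in the quick tip."""
    msg = message_from_string(raw)
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    warnings = []
    name, addr = parseaddr(msg.get("From", ""))
    from_dom = reg_domain(addr.rsplit("@", 1)[-1])
    # Sender check: a domain shown in the display name that is not the real sending domain.
    for claimed in DOMAIN_RE.findall(name):
        if reg_domain(claimed) != from_dom:
            warnings.append(f"display name claims {claimed} but sender is {addr}")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reg_domain(reply.rsplit("@", 1)[-1]) != from_dom:
        warnings.append(f"Reply-To {reply} differs from From domain {from_dom}")
    # Link check: the visible text names one domain, the href points at another.
    for href, text in ANCHOR_RE.findall(body):
        host, shown = urlparse(href).hostname or "", DOMAIN_RE.search(text)
        if shown and reg_domain(shown.group(0)) != reg_domain(host):
            warnings.append(f"link text shows {shown.group(0)} but points to {host}")
    # Urgency check: pressure phrases in the tag-stripped text.
    plain = re.sub(r"<[^>]+>", " ", body).lower()
    warnings += [f"urgency cue: {cue!r}" for cue in URGENCY_CUES if cue in plain]
    return warnings

# Constructed sample message (hypothetical .example domains, not real indicators).
SAMPLE = """From: "security@microsoft.com" <alerts@m365-verify.example>
Reply-To: helpdesk@reply-collector.example
Subject: Your Benefits Portal Needs Review
Content-Type: text/html; charset=utf-8

<p>Your account will be suspended. ACT NOW:</p>
<a href="https://login.m365-verify.example/auth">https://login.microsoftonline.com</a>
"""
```

Running `vet_email(SAMPLE)` flags all three tip checks on the constructed message, while a plain internal mail whose link text and domains agree returns an empty list.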
📬 Ask The Compass
Q: Can I still get phished even if I use MFA?
A: Yes—especially if your MFA is SMS-based. Some PhaaS kits include 2FA-interception tools that capture one-time passcodes in real time. Upgrade to app-based MFA (like Authy or Aegis), or better yet, use hardware security keys like YubiKey.
🔗 Have a question of your own?
Submit it anonymously through our secure contact form — we’d love to feature it in a future issue!
🔥 Reader Spotlight
This space is reserved for real subscriber contributions. If you’ve encountered a scam, phish, or strange security alert recently, let us know. Your tip could help protect others.
🧭 Share your experience through our secure contact form—we may feature it in a future issue (with your permission).
🔗 Want More? Expand Your Knowledge
Multi-Factor Mayhem: When 2FA Isn’t Enough
Learn how attackers bypass MFA with push fatigue, session hijacking, and SIM-swapping.
Why Phishing Still Works (And What To Do About It)
Explore the psychology behind phishing success and how to build stronger defences.
🧭 Final Thoughts
Phishing isn’t just about email anymore—it’s a packaged criminal service powered by AI and scaled for profit. But knowledge is still our best defence.
Recognise the patterns.
Slow down.
Stay sharp.
Heather Roache
Founder of The Cyber Compass
🔐 Reading the patterns. Securing the future.