Phishing as a Service


Level up your awareness

In 2016, at least 15 percent of all cyber-attacks involved phishing. Phishing is usually the first step in the attack chain, typically used to deliver malware such as ransomware or a keylogger. However, even though purely technological means of preventing phishing exist, such as email filtering, traffic monitoring and network protection, they cannot be completely effective, because phishing relies on an unpredictable element: the human.

The Challenge

The 2016 data breach report shows that 30 percent of employees targeted by a phishing campaign still clicked on the phishing link. Even though phishing is not a new social engineering attack, it remains a dangerous and continuously evolving threat. Ready-to-use phishing kits that include sophisticated techniques to evade automatic detection are now broadly available on the web. Spear phishing is also the new trend and is increasing significantly. To face all these challenges, organizations need a way to measure and reduce their risk from phishing, so that the attack can be stopped at its first step.

What is Phishing as a Service?

How can Deloitte help you?

Deloitte can help you improve your resilience against phishing attacks. Deloitte Phishing as a Service (PhaaS) is a security awareness program for all employees of the organization. With PhaaS, Deloitte periodically sends phishing emails to employees and monitors the employees' ability to recognize phishing emails over time.

To safeguard employee anonymity, click rates are aggregated and reported back to the organization at department or country level. In addition, no sensitive data leaves the organization's security perimeter during the test: the phishing campaigns, and specifically the payloads, attachments and landing pages, are harmless and contain no malware.

Through PhaaS, employees learn how to recognize phishing emails and how to react.

Our team handles the legal and operational complexities of a phishing simulation, allowing your organization to focus on its core business in a secure manner.

Our phishing simulations are supported by an in-house developed software platform. In particular, our backend application offers the full set of functionalities required to conduct phishing campaigns:

  • Setup of phishing campaigns
  • Creation of phishing email templates and landing pages
  • Integration and selection of targeted users
  • Scheduling of phishing campaigns
  • Opt-out process
  • Real-time monitoring of click rates, time to click, etc.
  • Evaluation of the basic phishing and ransomware protection controls implemented by the organization
  • Final dashboard with consolidated results

The phishing simulation and associated corporate communications can optionally be complemented by security awareness training focusing on phishing threats. Training can be delivered as classroom and/or computer-based training.


Stéphane Hurtaud

Partner | Information & Technology Risk

Stéphane is a partner within our Risk Advisory practice. He has over 21 years of experience in the IT risk, Information Security and IT audit fields, with a strong focus on the financial services indu...

Maxime Verac

Senior Manager | Information & Technology Risk

Maxime Verac is a Senior Manager within Deloitte’s Information & Technology Risk services in Luxembourg. He has 10 years of experience in Information Security. During the last 10 years, as a consultan...