What you need to know about Frappo and phishing-as-a-service
Protect yourself from a slick new phishing tool that online fraudsters may be using to target your banking information.
By ATB Financial 5 August 2022 4 min read
Most people are familiar with old-school phishing schemes—the strangely formal emails inviting you to claim a massive inheritance, the bad graphics and misspellings typical of online fraudsters trying to impersonate large corporations. But phishing tools are becoming more sophisticated, and the people using them to steal personal and financial information are becoming more savvy. New phishing-as-a-service (PaaS) tools like Frappo enable even amateur scammers to create emails, text messages, digital forms and web pages that can dupe even vigilant and discerning target individuals.
So how do you recognize these slick new phishing schemes and protect yourself from fraud? It all starts with educating yourself on how PaaS tools work, and learning to recognize the signs of a fraudulent message, form or website—even one that looks really real.
What is phishing-as-a-service (PaaS)?
It’s not surprising that (like almost any other online activity) phishing now has a subscription model.
Think about the subscription services many of us use to create websites, blogs, newsletters and online stores. It’s remarkably simple to adjust an appearance template to make an eye-catching front page, set up a personalized domain and email address, collect data inputted by customers or subscribers, view an analytics dashboard documenting your reach, and generally make your personal brand look legitimate and professional.
Just as these ubiquitous subscription services make it easy for individuals, artists and business owners to create a branded presence online, PaaS providers make it easy for scammers to convincingly impersonate the brand identity of many large financial institutions and retailers.
Adjustable settings, webpage templates, custom domains, analytics dashboards—even technical support—are all part of the package a scammer can receive through a PaaS provider.
It’s a familiar model with a nefarious purpose.
Most PaaS providers are only accessible through the dark web, though a few, including a new one called Frappo, have also appeared on the “surface” internet we are all familiar with.
Frappo: the new PaaS
Frappo is one particularly malicious example of the new PaaS technology. Scammers can pay anonymously for an encrypted Frappo subscription, which allows them to select from a menu of corporations they might wish to impersonate. Once a company or institution has been selected, scammers can access an already assembled collection of graphics, code and software tools with which they can create high-quality interactive digital scenarios (such as forms or login pages) that prompt potential victims to enter their personal and/or financial information.
Unlike older phishing models, Frappo enables even inexperienced scammers to impersonate many trusted North American corporations quite convincingly. For example, Frappo users often have access to identical or near-identical company logos, and Frappo-generated domain names have been known to link to live websites that at first glance appear to represent the corporation being impersonated.
First identified in early 2021, Frappo continues to offer its subscribers updates and improvements.
How to recognize PaaS technology and protect your information
Even though phishing subscription services like Frappo make it easier for scammers to make their phishing attempts look like legitimate correspondence from an institution or company you trust, it’s still possible to identify fraudulent correspondence and protect yourself from information theft and fraud.
Here’s what you can do to keep your information secure:
- Carefully review surprising or unexpected emails and text messages from corporations you have accounts with.
- Do a web search for the domain in the sender’s email address or the phone number you received the text from. Do a comparison search for the name of the corporation the sender claims to be representing. The official websites and contact information for most corporations should be easy to find and identify.
- Look for any discrepancies with other communication you have received from the same corporation. Look for unusual spelling, capitalization, and punctuation—a large corporation is unlikely to send out correspondence with typos!
- Pay attention to the tone of the message. Does the vague tone make you question exactly what the message is about or why you are being contacted? Is there an implied sense of urgency or threat? These are often signs of a phishing scam.
- Copy and search the text of the message you’ve received. Phishing scams are often identified on online forums and consumer protection sites.
- If in doubt, call the official customer service line of the corporation you have the account with before replying to the message, clicking any links or inputting any information.
- Avoid saving login information on your computer, phone or smart device.
- Avoid using the same password for multiple accounts.
- Set up two-factor authentication on your accounts.
- If you are not in the middle of a transaction with a corporation and receive a one time passcode, this is usually a sign that someone else is attempting to complete a transaction using your information. Do not reply, input any information or click any links. Contact the corporation in question immediately to secure your account.
For more advice on protecting your information and navigating phishing attempts, visit atb.com/phishing.