From Phishing Kits to Full-Service Fraud
Two decades ago, the most a criminal could hope to sell online was a basic phishing kit. These were crude templates, often copied from bank websites, that allowed even unsophisticated actors to send convincing-looking emails. By the mid-2000s, investigators at the FBI and Europol were already warning of online marketplaces where such kits changed hands for a few hundred dollars. The barrier to entry for fraud was falling, and with it came a surge of attacks that no longer required technical expertise. All that was needed was a stolen template and a mailing list.
What began with templates has since matured into a global service economy. Today, deception itself can be purchased as easily as cloud storage. Criminal groups now rent call centers staffed with English-speaking operators who impersonate IT support. Deepfake voice generators are available by subscription, offering the ability to mimic an executive for a few dollars an hour. Entire personas can be rented, complete with fake LinkedIn profiles, corroborating email accounts, and social media histories designed to withstand cursory checks. Europol’s 2023 Internet Organised Crime Threat Assessment noted that “cybercrime has reached a level of commoditization where deception services are marketed with customer support.”
The trajectory is clear. What software as a service did for startups, deception as a service has done for cybercriminals. It has lowered the cost, simplified the delivery, and professionalized the infrastructure. The lone hacker stereotype is outdated. What many organizations now face is an industrialized marketplace where deception is outsourced, rented, and scaled.
Deception services have grown alongside broader underground economies. In the 2010s, researchers tracked the rise of fraudulent call centers in India and Eastern Europe that offered voice phishing campaigns targeting banks and credit card issuers. Victims received calls from people claiming to be fraud investigators, followed by an email or text directing them to fake portals. By the time the victim realized the fraud, money had been drained from accounts and personal information had been harvested. These were not isolated actors but coordinated networks operating with a business model familiar to anyone in legitimate industries: pay a subscription, get guaranteed outcomes.
The history also includes the spread of fake antivirus scams, where “security support” could be purchased wholesale. Criminals rented scripts, phone trees, and remote access software to trick users into installing malware. Each iteration became smoother, more professional, and more scalable. The lesson was simple: deception could be productized, and the market would pay for it.
The Economics of Rented Trust
The industrialization of deception changes the calculus for defenders. Phishing once relied on blunt force: mass emails and hope for a click. Now, deception is tailored. Attackers can rent a service that provides them with a convincing phone call from a supposed IT administrator, followed by an email that arrives from a spoofed domain, followed again by a cloned login portal. Each element can be purchased separately or bundled together. The effect is coherence. To a target, the narrative feels authentic because it unfolds across multiple channels with professional polish.
Examples are everywhere. In 2020, Twitter employees were targeted by attackers posing as IT support over the phone. By convincing staff to hand over credentials, the attackers gained access to internal tools and briefly took over high-profile accounts including those of Barack Obama, Bill Gates, and Elon Musk. That incident was a reminder that voice pretexting remains one of the most effective attack methods, and deception as a service makes such tactics available to anyone willing to pay. In 2022, researchers documented underground platforms offering “vishing as a service,” complete with dashboards that allowed criminals to track calls and responses in real time. Other services marketed AI-driven chatbots that could sustain text conversations long enough to gather credentials or payment details. Some even advertised deepfake voice offerings, often on underground forums as rentals where an attacker could submit a script and receive an audio file in the chosen voice within minutes. While these services are not mainstream subscriptions, threat researchers have documented them in dark web markets. At scale, this means a mid-level criminal with little technical skill can convincingly impersonate a Fortune 500 executive or a local IT help desk.
The parallels to legitimate business are striking. Just as SaaS freed companies from building their own infrastructure, deception as a service frees criminals from needing technical mastery. The marginal cost of an attack drops close to zero. As a result, more actors can participate. Cybercrime has become less about coding skills and more about operational intent.
For organizations, this creates a profound challenge. Traditional defenses assume the attacker will slip up: a poorly worded email, a mismatched URL, an accent that gives away the fraud. But with professional services providing the polish, those tells are disappearing. The old advice to “hover over the link” or “trust your ear” is losing its power. When deception can be rented at scale, trust itself becomes unstable.
The cultural impact extends further. Employees are asked to be vigilant, but vigilance becomes exhausting when every message, call, or video might be fabricated. Security fatigue grows, and with it, the likelihood of mistakes. The very concept of authenticity in communication is being eroded by industrialized deception. Deepfake video calls have already been used to defraud companies out of millions. In one widely reported case in 2023, criminals used AI-generated video to impersonate a CFO during a Zoom call, successfully convincing staff to transfer funds. These are not the slipshod scams of the past. They are well-produced, contextually aware, and persistent.
There are ways to blunt the effect. Identity verification can be built directly into workflows so that an IT ticket or vendor request must be validated before action is taken. Ephemeral secret sharing ensures that passwords, files, or reset links do not linger in inboxes or chat logs where a rented persona might gain access. Logs of verification can be preserved for compliance while the sensitive data disappears after use. These strategies reduce the surface area that deception services can exploit.
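A minimal sketch of the ephemeral-sharing pattern described above, added here as an illustration and not taken from any product's code. The class name `EphemeralVault`, the six-digit code delivered to an enrolled device, the three-attempt limit, and the ticket IDs are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

MAX_FAILED_CODES = 3  # assumed policy: destroy the secret after this many wrong codes

class EphemeralVault:
    """Hypothetical one-time secret store; the audit log never holds the secret."""

    def __init__(self, ttl=300, clock=time.time):
        self.ttl, self.clock = ttl, clock
        self._items = {}   # sha256(token) -> record; the raw token is never stored
        self.audit = []    # verification trail kept for compliance

    def _log(self, event, ticket):
        self.audit.append({"ts": self.clock(), "event": event, "ticket": ticket})

    def share(self, secret, ticket):
        """Return (token, code): token goes in the message, code to an enrolled device."""
        token = secrets.token_urlsafe(32)
        code = f"{secrets.randbelow(10**6):06d}"
        key = hashlib.sha256(token.encode()).hexdigest()
        self._items[key] = {"secret": secret, "code": code, "ticket": ticket,
                            "expires": self.clock() + self.ttl, "fails": 0}
        self._log("created", ticket)
        return token, code

    def redeem(self, token, code):
        """Release the secret once, only with the right code and before expiry."""
        key = hashlib.sha256(token.encode()).hexdigest()
        item = self._items.get(key)
        if item is None:
            self._log("unknown_or_used", None)
            return None
        if self.clock() >= item["expires"]:
            del self._items[key]
            self._log("expired", item["ticket"])
            return None
        if not hmac.compare_digest(code.encode(), item["code"].encode()):
            item["fails"] += 1
            if item["fails"] >= MAX_FAILED_CODES:
                del self._items[key]      # burn the secret to stop code guessing
            self._log("verification_failed", item["ticket"])
            return None
        del self._items[key]              # nothing left at rest after one read
        self._log("redeemed", item["ticket"])
        return item["secret"]
```

Someone who later reads the mailbox or chat log finds only a spent token, while the audit trail still shows who was verified against which ticket and when.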
These approaches are already available in platforms like Traceless (shameless plug noted). By embedding verification into service desks such as ServiceNow or ConnectWise, and by offering ephemeral messaging that leaves nothing at rest, Traceless provides an example of how organizations can adapt without overhauling their workflows. The point is not to replace trust, but to reengineer where it resides. Instead of trusting the message or the voice, trust is anchored in the process.
The quiet rise of deception as a service signals a cultural shift. Just as cloud computing changed how businesses thought about infrastructure, deception markets are changing how criminals think about trust. It is no longer improvised. It is packaged, polished, and sold with customer guarantees. Defending against it will require more than vigilance training. It demands systems where identity is verified by design and where sensitive data evaporates before it can be stockpiled. The rise of deception as a service shows that the economy of fraud is not just thriving. It is maturing.
