What is Credential Phishing?

Posted DateAugust 9, 2022
Posted Time 4   min Read

Proofpoint US says phishing attacks cost large organizations almost $15 million annually or over $1,500 per employee.

Credential phishing attacks may not be the most popular form of phishing anymore, but they are still quite prevalent and are at the root of considerable business loss.

If you have any online accounts requiring login credentials (and most if not all of us do), then you are at risk of credential phishing.

How Do Credential Phishing Attacks Work?

Phishing attacks generally target credentials like usernames, IDs, passwords, or personal pins.

Credential phishing is where hackers attempt to steal your credentials by pretending to be a trusted party in an email or other communication channel. Hackers will often sell the data they’ve collected to the dark web.

From social media and banking to eCommerce sites and business tools, we all have an increasing number of online accounts requiring login credentials.

Your username or email, as well as your password and pin, would all be considered forms of “credentials.” This is the most frequently compromised type of data in phishing attacks.

You might assume password-stealing methods to be mostly innocuous, consisting of brute force attacks, where hackers try in vain to guess your password using manual and automated techniques.

Today’s cybercriminals, however, use increasingly sophisticated forms of digital manipulation to extract your sensitive information. Because credential phishing plays on trust, it is far more effective than you might assume.

Deloitte says 91% of all cyber-attacks begin with a phishing email to unsuspecting victims, and credential-stealing phishing is no exception.

These emails are often positioned as urgent requests, whether a past-due invoice, a recent purchase, or a follow-up on a recent payment. Because the emails appear to be coming from legitimate sources with legitimate-sounding requests, it can be hard for the average user to spot a password theft attack.

Types Of Credential Phishing Emails to Look Out For

Tessian has identified the subject lines of some of the most common phishing emails. They are as follows:

  • Urgent / Important
  • Request
  • Follow up
  • Payment Status
  • Hello
  • Purchase
  • Invoice Due
  • Are you available? / Are you at your desk?

Tessian also says the open rate of such emails can be as high as 25%. So, while not all phishing emails get opened in the first place, there’s a high enough success rate for attackers to continue utilizing a tried-and-true tactic.

There are a few other defining characteristics of password theft attack emails you should be aware of. Here’s what you need to know:

  • The goal of the email is to get you to click on a malicious link
  • The email will be addressed to you personally and will appear to be from a trusted source
  • The email will also feature relevant branding and email signature (if applicable) and even mimic the voice of the sender

Credential Phishing Attacks on Malicious Websites

As noted earlier, the objective of a phishing email is to get you to click on a malicious link. This link, however, does not send you to some rinky-dink website or download a virus onto your computer (although this is always a risk).

As with the original message, the malicious website has all the trust indicators you’ve likely come to expect from the true provider – logos, branding, colors, fonts, communication style, and more!

The only telltale sign that it’s a fake site might be the website URL. Most businesses now utilize multiple domains and portals, so it could be harder to diagnose than you might assume. To add insult to injury, hackers nowadays even use HTTPS and / or SSL certificates to make their websites appear secure. Just because it’s secure, though, doesn’t mean that your data can’t be stolen.

There is one more thing to look out for. However, that could prove helpful if you happen upon a fake website. The website will likely be using images in place of plain text to circumvent spam filters.

How Can You Prevent a Password Theft Attack?

Stolen credentials are often leveraged in Business Email Compromise, Vendor Email Compromise, identify fraud, fraudulent transactions, stealing personal or company information, and other attacks. In some cases, your credentials are even sold on the dark web.

To prevent credential phishing, you’ll want to:

  • Take advantage of email security software. Your email security software is your first line of defense. It may not be able to catch all credential phishing attacks, but it should drastically reduce the number of emails that get passed your filters.
  • Train your staff on phishing and data security. After email security software, people are your first line of defense. And this means they should be trained and educated on what to look for in their inbox. Most data breaches begin with human error, so investing in training is crucial. It is also a requirement under some regulatory standards and privacy laws.
  • Use secure passwords and update them periodically. Technically, the only thing between you and a hacker accessing your sensitive data is your password. For better or for worse, all other credentials can be easily gotten. Strong passwords can help prevent attacks and breaches, assuming you don’t share them with anyone.


Credential phishing attacks are a real concern, and at times, they will get passed all your filters. To minimize the risk, take all precautionary measures mentioned above. Regardless of the size of your business, hackers are actively phishing for login credentials to carry out cybercrimes.

Stay tuned for more relevant and interesting security articles. Follow Indusface on FacebookTwitter, and LinkedIn

Protect Your Web Apps & APIS - Start Free Trial

Spread the love

Join 47000+ Security Leaders

Get weekly tips on blocking ransomware, DDoS and bot attacks and Zero-day threats.

We're committed to your privacy. indusface uses the information you provide to us to contact you about our relevant content, products, and services. You may unsubscribe from these communications at any time. For more information, check out our Privacy Policy.