Credential phishing
Credential phishing is one of the most common and dangerous online scams today. Cybercriminals trick you into revealing your login details — such as usernames, passwords, and multi-factor authentication (MFA) codes — often by posing as a trusted organization. Once they have your credentials, they can access your accounts, steal money, or commit identity theft.
What Is Credential Phishing?
Credential phishing occurs when a scammer sends an email, text message, or direct message designed to look legitimate. These messages often impersonate banks, credit card companies, online retailers, cloud storage services, or workplace platforms. The goal is to get you to click on a malicious link or open an attachment that leads to a fake login page. Once you enter your credentials, the attacker captures them instantly.
Common Signs of a Credential Phishing Attempt
- Urgent or threatening language – Messages claiming your account will be locked unless you act immediately.
- Suspicious sender addresses – Email addresses or phone numbers that are slightly misspelled or unfamiliar.
- Unexpected login prompts – Being asked to log in after clicking a link in a message, especially when you didn’t initiate a request.
- Generic greetings – “Dear Customer” instead of your actual name.
- Links that don’t match the official website – Hover over links to see the real destination before clicking.
- Requests for sensitive information – Legitimate companies won’t ask for passwords, MFA codes, or Social Security numbers via email or text.
Best Practices to Stay Safe
- Verify before you click. Hover over links to see the full URL and make sure it matches the legitimate site.
- Type the web address manually. Instead of clicking links, type the known address directly into your browser.
- Use multi-factor authentication (MFA). Even if your password is stolen, MFA can help block unauthorized access — but only if you keep your codes private.
- Keep software up to date. Updates often fix vulnerabilities that attackers exploit.
- Use a password manager. These tools help create strong, unique passwords, and because they only autofill a saved password on the domain it was saved for, they will refuse to fill in a fake login page, which is a useful warning that something is wrong.
- Enable account alerts. Get notified of unusual login attempts or changes to your account.
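As an added example (not part of the original article), the following Python script turns the warning signs listed above and the "verify before you click" link check into a small heuristic scorer for incoming messages, the kind of logic a mail filter or a help-desk triage tool would run. The trusted-domain allowlist, the phrase lists, and the two sample messages are constructed for this illustration, and the domain handling is deliberately simple (last two labels, no public-suffix list).

```python
import difflib
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist for this example: the sites this mailbox legitimately uses.
TRUSTED_DOMAINS = {"examplebank.com"}

# Phrase lists taken from the warning signs in the article (constructed wording).
URGENT_PHRASES = ("immediately", "within 24 hours", "will be locked",
                  "will be suspended", "act now")
CREDENTIAL_WORDS = ("password", "mfa code", "verification code",
                    "social security number")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear account holder")


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags: what the user sees vs. the real target."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude 'last two labels' domain; enough for the example, not a public-suffix list."""
    labels = (host or "").lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else (host or "").lower()


def domain_in_text(text):
    """Registrable domain of the first thing that looks like a domain in visible link text, or ''."""
    m = re.search(r"\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}\b", text.lower())
    return registrable_domain(m.group(0)) if m else ""


def lookalike(domain):
    """True if domain is not trusted but imitates one (brand name inside it, or a near-identical spelling)."""
    if domain in TRUSTED_DOMAINS:
        return False
    for trusted in TRUSTED_DOMAINS:
        brand = trusted.split(".")[0]
        if brand in domain or difflib.SequenceMatcher(None, domain, trusted).ratio() > 0.8:
            return True
    return False


def analyze(sender, subject, html_body):
    """Score one message against the warning signs; returns (number of signs, list of reasons).

    sender is assumed to be a bare address such as alerts@example.com."""
    reasons = []
    plain = re.sub(r"<[^>]+>", " ", html_body).lower()
    text = subject.lower() + " " + plain

    if any(p in text for p in URGENT_PHRASES):
        reasons.append("urgent or threatening language")
    if any(g in plain for g in GENERIC_GREETINGS):
        reasons.append("generic greeting")
    if any(w in text for w in CREDENTIAL_WORDS):
        reasons.append("asks for credentials or MFA codes")

    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1])
    if lookalike(sender_domain):
        reasons.append(f"sender domain {sender_domain} imitates a trusted domain")

    # The 'hover over the link' check, done programmatically: compare the displayed
    # domain with the real target, then check the target for lookalikes.
    parser = _LinkExtractor()
    parser.feed(html_body)
    for href, shown in parser.links:
        target = registrable_domain(urlparse(href).hostname or "")
        displayed = domain_in_text(shown)
        if displayed and displayed != target:
            reasons.append(f"link text shows {displayed} but points to {target}")
        elif lookalike(target):
            reasons.append(f"link points to lookalike domain {target}")
    return len(reasons), reasons


# Two constructed sample messages: one with every warning sign, one routine notice.
PHISHING_SAMPLE = dict(
    sender="alerts@examplebank-secure.com",
    subject="Action required: your account will be locked",
    html_body='<p>Dear Customer,</p><p>Unusual activity was detected. Confirm your '
              'password immediately at <a href="http://examplebank.com.login-check.net/">'
              'https://www.examplebank.com/login</a>.</p>')
LEGITIMATE_SAMPLE = dict(
    sender="statements@examplebank.com",
    subject="Your March statement is available",
    html_body='<p>Hello Dana,</p><p>Your statement is ready. Sign in at '
              '<a href="https://www.examplebank.com/statements">www.examplebank.com</a>.</p>')

if __name__ == "__main__":
    for name, msg in (("phishing", PHISHING_SAMPLE), ("legitimate", LEGITIMATE_SAMPLE)):
        score, why = analyze(**msg)
        print(f"{name}: {score} warning sign(s)", *why, sep="\n  ")
```

The most reliable signal here is the last one: the visible link text names the bank while the real target's registrable domain is `login-check.net`, which is exactly what hovering over the link would reveal. The phrase lists are illustrative; in production they would be tuned against real traffic and combined with sender authentication results rather than used alone.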
What to Do If You Fall for Credential Phishing
- Change your password immediately for the compromised account and any other accounts using the same password.
- Enable MFA if it’s not already in place.
- Notify the organization that was impersonated so they can alert other customers.
- Run a malware scan on your device to ensure no additional threats were installed.
- Monitor your accounts closely for suspicious activity.
Why Credential Phishing Is So Dangerous
Unlike some scams that rely on a single transaction, credential phishing can give criminals ongoing access to your accounts. They may log in multiple times, move money slowly to avoid detection, or use your credentials to target your contacts. In some cases, stolen credentials are sold on the dark web to other cybercriminals, multiplying the risk.