How to Spot and Prevent Credential Phishing

News and Commentary / 12.3.21

Have you ever fallen for a credential phishing attack? If you have, don’t worry — it’s not you. Phishing techniques are becoming increasingly sophisticated, and because it’s human nature to trust other people, phishing links — and especially credential phishing links — still work.

According to a recent IBM study, breaches and data loss resulting from credential theft took the longest to detect, taking an average of 250 days to identify (vs. 212 for the average breach.

Credential phishing attacks have historically been aimed at consumers, but credential phishing scammers have now begun to focus on corporate targets — and why shouldn’t they? Once a hacker gains a digital foothold into a corporation, they can perform many additional phishing attacks. Depending upon the credentials they use, they could create a wave of deception across the organization and throughout their supply chain.

In this article, we’ll review credential phishing attacks: how to spot them, how they work, and how to prevent them to protect your employees and your business.

What is Credential Phishing?

Credentials — the data most frequently targeted in phishing attacks — generally consist of a username or user ID, password, PIN, or a combination of all three.

Credential phishing is a type of cyberattack in which hackers attempt to steal user credentials by posing as a known or trusted entity in an email, instant message (IM) or other written communication channel. Stolen credentials are then often used for credential abuse: stealing sensitive data or selling it to third parties on the dark web for additional attacks.

How Credential Phishing Works

Hackers often peruse social media sites, searching for users whose credentials will likely help them gain access to the critical data they seek. Attackers then design emails that look nearly identical to legitimate corporate communications. These emails include malicious links that redirect victims to phishing sites designed to collect their login credentials.
An effective credential phishing login page will be carefully designed, using authentic fonts and images to replicate a brand’s site perfectly. In addition, the fake website or landing page must skirt security controls that would alert native security precautions.
Once attackers obtain the necessary credentials to enter your network, there is very little you can do to stop them. They can bypass security measures to move laterally within your system, stealing whatever sensitive information they can get their (digital) hands on.

How to Spot Credential Phishing

Unlike malware, which relies on security vulnerabilities to reach its targets, credential phishing attempts to deceive people directly. While credential phishing depends upon various deceptions to fool people into revealing their logins, 96% of phishing attacks start with emails that exploit people’s trust.

So how do you spot credential phishing? Let’s take a look at some common elements of a credential phishing email.

The Email Header

The Sender

First, the email appears to be from a sender you know, trust and regularly communicate with.

The Subject Line

A hacker’s first goal is to get you to open their email. But how? By using an attention-grabbing or compelling subject line, of course.

The 11 most commonly-used words and phrases in the subject lines of credential phishing emails include:

Immediate password check required
Billing information is out of date
Payroll has been delayed
Updated vacation policy
Office reopening schedule
Confidential information about COVID-19
Your meeting attendees are waiting!
Employee raises
Dropbox: Document shared with you
Attention: unusual account activity detected
Earn money working from home

Don’t think any of these subject lines would fool you? Think again. Subject lines that create a sense of importance, familiarity or urgency — no matter how crude — usually work.

The Body Text

The text within a credential phishing email should do two things to be effective:

Dodge spam filters
Convince the addressee to click a malicious link

Additionally:

The message is addressed to you by name
The message matches the alleged sender’s branding, email signature, and communication style

The Malicious Link

Credential phishing attacks always contain a link to a bogus login page — that’s how they capture your credentials. But like the rest of the email, the URL of a “successful” malicious link should look legitimate.

Here are some telltale signs to look out for:

Bogus brand name URLs. For example, a spoof of the URL “https://www.armorblox.com” might be “http://www.armorblox.net”
Shortened links (like Bitly or TinyURL) disguise URLs or hyperlinked images to avoid spam filters

How to Prevent Credential Phishing

Because credential phishing is one of the most successful forms of cyberattack, preventing all successful credential phishing attacks may not be possible. However, as mentioned in our Spear Phishing 101 guide, implementing the following security plan is a great place to start:

Provide security awareness training
Use multi-factor authentication (MFA)
Implement (and enforce) strict password management policies
Maintain regular backups and security patches
Install email security software

Additionally, consider:
Principle of Least Privilege (POLP): Limit users’ access rights to what they need to do their jobs — and no more. If a user’s ID is compromised, the damage a hacker can do is minimized.

Likewise, segmenting your network prevents a hacker from moving laterally across your organization and accessing unlimited critical data.

Credential phishing can be difficult to detect, endangering your customers’ sensitive data and your business. Guarding against credential phishing attempts can be challenging, but consistently using the right tools and strategies helps protect your business, reputation, and customer relationships.

For more cybersecurity tips and industry trends, join the Armorblox mailing list below.

Join Mailing List