Credential Threats: Attack Types, Red Flags, and Defenses
Stolen credentials are the most common way attackers breach organizations. Learn the six main credential attack types and five defenses that work.
Credential threats: how attackers steal your logins and how to stop them
Stolen credentials are the single most common way attackers gain access to corporate systems. The Verizon 2025 Data Breach Investigations Report found that credential abuse was the initial access vector in 22% of breaches, more than any other, and that 88% of basic web application attacks involved stolen credentials. Understanding the attack methods, and what employees can do to recognize them, is one of the highest-value things a security awareness program can deliver.
In this article:
-
What credentials are and why attackers want them
-
The six main credential attack types explained
-
How a credential phishing attack unfolds, step by step
-
Red flags employees should know
-
Five defenses that actually work
What are credentials and why are they so valuable?
Credentials are the combination of identifiers and secrets used to verify who you are: usernames, passwords, PINs, security tokens, and increasingly biometric data. They are the keys to your digital world: email, financial accounts, HR systems, cloud storage, internal tools.
For an attacker, one set of valid credentials is often worth more than a sophisticated exploit. They do not need to break through a firewall if they can simply log in as a legitimate user. And because people reuse passwords across accounts, work and personal, a single compromised credential can cascade into access across dozens of systems.
The six main types of credential attacks
Credential phishing (social engineering). A fake login page mimicking a trusted service, such as Microsoft 365, a bank, or an HR portal, harvests usernames and passwords when the victim enters them believing the site is real.
Credential stuffing (automated). Attackers take username and password pairs from previous breaches and automatically try them across other services. It works because most people reuse passwords.
Brute force and password spraying (automated). Systematically trying common passwords against known usernames. Password spraying tries one common password against many accounts to avoid triggering lockouts.
Keylogging (malware). Malicious software on a device records every keystroke, including login credentials, and silently sends them to the attacker.
Man-in-the-middle (network). On unsecured networks such as public Wi-Fi, an attacker intercepts communication between a user and a legitimate service, capturing credentials in transit.
Pretexting and vishing (social engineering). An attacker poses as IT support, a bank, or a vendor over phone or email and convinces the victim to hand over their credentials directly.
Step by step guide
How credential phishing works, step by step
Credential phishing is the most common and most employee-facing of all credential attacks. Here is exactly how it unfolds.
1. Reconnaissance
The attacker researches the target through LinkedIn, the company website, and social media to gather names, job titles, and email addresses. For spear phishing, they identify which systems the target uses, such as Microsoft 365 or a specific HR tool, to make the fake login page believable.
2. Crafting the lure
A convincing email is sent from a spoofed or lookalike address. It typically creates urgency: "Your account has been suspended," "A document is waiting for your signature," "Your password expires today." The email is designed to trigger an emotional response, not rational evaluation.
3. The fake login page
The link leads to a page that looks identical to the real service: correct logo, correct layout, sometimes a valid-looking HTTPS URL. The victim enters their credentials believing they are on the genuine site. The attacker captures them instantly.
4. Access and lateral movement
With valid credentials, the attacker logs into the real system. They may exfiltrate data immediately, or, more dangerously, move quietly through the network for weeks, gathering more access before striking. Corporate email accounts are particularly valuable: they can be used to launch further phishing attacks on colleagues and clients that are extremely hard to detect.
A real-world example
A real-world example: $1 million stolen via a fake payroll portal
In 2023, a fraudulent website was set up to mirror an official payroll system used by postal workers. Employees were directed to the fake site, where they entered their login credentials believing they were accessing their genuine pay portal. The attackers used those credentials to redirect salary payments. At least 460 employees were affected and approximately $1 million was stolen before the scheme was detected. The attack required no malware and no technical exploit, just a convincing fake website and a believable pretext.
Red flags
Red flags every employee should recognize
You are asked to log in via a link in an email. Legitimate services almost never require you to click a link to re-enter your password. Go directly to the site through your browser instead.
The sender address does not match the domain. "Microsoft Support" sending from support@microsofft-help.net is a classic sign. Check the actual address, not just the display name.
The URL is slightly off. Attackers register lookalike domains: micros0ft.com, paypa1.com, company-name-login.com. Check the full URL carefully before entering any credentials.
The message creates urgency or fear. "Your account will be deleted in 24 hours." Urgency is a manipulation tactic designed to bypass critical thinking.
Someone asks for your password. No legitimate IT team, bank, or service provider ever needs your password. If someone asks for it, even someone you know, treat it as a red flag and verify through a separate channel.
You received it unexpectedly. A document to sign you did not request, a password reset you did not trigger, an invoice from an unknown sender. Unsolicited messages requiring login or action should always be verified before acting.
5 tips that work
Five defenses that actually work
1. Multi-factor authentication (MFA)
Even if credentials are stolen, MFA prevents access without a second factor. Microsoft's research has estimated that MFA blocks over 99% of automated credential attacks, making it the single most effective technical control against credential theft.
2. Unique passwords per service
A password manager makes this practical. Reusing passwords is what makes credential stuffing so devastating: one breached site unlocks many others.
3. Passkeys where available
Passkeys replace passwords entirely with cryptographic keys that cannot be phished. Adoption is growing; enable them wherever the option exists.
4. Verify via a separate channel
If you receive an unexpected request, even from a known contact, verify it by calling them directly or messaging through a different channel before acting.
5. Regular awareness training
Technical controls help, but the first line of defense is an employee who recognizes the attack before clicking. Ongoing security awareness training and simulated phishing build that recognition reliably.
How Nimblr helps
Credential phishing is consistently one of the top attack vectors in Nimblr's simulation data across Nordic and European organizations. Our platform sends realistic credential-harvesting simulation emails and smishing texts to employees, the exact scenarios described above, and tracks who clicks, who enters credentials, and who reports the attempt.
When an employee falls for a simulation, they receive immediate, non-punitive feedback that explains exactly what they missed and why. Over time, click rates drop and, crucially, reporting rates rise. That combination is what transforms a vulnerable workforce into an active early-warning system.
Find out who in your organization would fall for a credential attack. Book a demo and see where your gaps are before an attacker finds them.
FAQ
FAQ: Credential threats
What is the difference between credential phishing and credential stuffing?
Credential phishing tricks a victim into entering their real credentials on a fake site; it is a social engineering attack. Credential stuffing is automated: attackers take username and password pairs leaked from previous breaches and try them against other services. Both exploit human behavior, but in different ways.
Does HTTPS mean a website is safe?
No, and this is a critical misconception. HTTPS means the connection is encrypted, not that the site is legitimate. Attackers routinely use HTTPS certificates on fake login pages. A padlock icon is not a trust signal for the site's identity.
What should an employee do if they have entered credentials on a suspicious site?
Act immediately: change the compromised password right away, report the incident to IT or the security team, and change it on any other service where the same password was used. If MFA was enabled, check the account's activity log for unexpected login attempts.
How effective is MFA against credential theft?
Microsoft's research estimates that MFA blocks over 99% of automated credential attacks. It is not perfect: sophisticated attackers use real-time phishing proxies to capture MFA tokens. But it remains one of the most cost-effective security controls an organization can implement.
Can credential threats be prevented through training alone?
Training significantly reduces risk but should be combined with technical controls: MFA, password managers, email filtering, and monitoring for anomalous logins. The strongest defense is layered: reduce the likelihood of credentials being stolen, and reduce the damage if they are.
