What Is Credential Phishing?

You guard the keys to your home closely, right? They have their own special spot in your bag or in your front pocket. When your keys go missing, does a slight pit of unease grow in your gut? 

Our homes store many sentimental and valuable treasures within their walls. The same goes for your online accounts. Think of your login and passwords as the keys to the cozy home of your date of birth, Social Security Number, full name, and address. When you lose those keys and they fall into the hands of a criminal, the break-ins to your online home can be costly. 

In a scheme called credential phishing, online scammers seek to steal the keys to your online accounts: your login and password combinations. Just like you’d protect the keys to your house, so should you guard your online account credentials closely. 

What Is Credential Phishing? 

Credential phishing is a type of online scam where a cybercriminal devises tricks to gain one type of valuable information: username and password combinations. Once they eke this information from their targets, the thief is able to help themselves to online bank accounts, online shopping sites, online tax forms, and more. From there, they could go on a shopping spree on your dime or pilfer your personally identifiable information (PII) and steal your identity. 

There are two common ways a criminal might try to steal online account credentials. The first is through a phishing attempt that asks specifically for usernames and passwords. They may impersonate a person or organization with authority, such as your boss, a bank representative, or the IRS. Phishing attempts often threaten dire consequences if you don’t reply promptly. Handle emails, texts, and social media direct messages that demand urgency with care. If it’s truly important, your bank will find another way to get in touch with you. Additionally, be aware of your notification preferences and communication channels with important organizations. For example, the IRS only contacts people by mail. 

A second way credential phishers may try to steal your passwords is through fake login pages. You may get redirected to a fake login page by clicking on a risky link hidden in a phishing message or on a malicious website. An example of credential phishing and fake login pages in action happened to customers of a password storage company. Customers received phishing emails that contained a link to a “login page” that was actually a malicious subdomain that sent the details straight to scammers.1 

The One Rule to Foil Credential Phishers 

There’s one very simple rule to avoid a phisher stealing your credentials: never share your password with anyone! No matter how authoritative a phone call, text, or email sounds, a legitimate business nor an IT professional nor your boss will ever ask you for your password and username combination.  

If you suspect a phishing attempt, do not reply or forward the message. Additionally, do not click on any links. Artificial intelligence content creation tools like ChatGPT can make phishing messages sound convincing, as AI tools often compose messages without typos or grammar mistakes. But if anything in the tone or content of the message strikes you as suspicious, it’s best to delete it and forget about it. 

The Importance of Strong Passwords, MFA & Ultimate Secrecy 

Ultimate secrecy is a great first step in keeping your credentials a mystery. Practice these other password and online account safety best practices to keep your PII safe: 

  1. Choose a strong password. When you create a new online account, the organization is likely to have minimum character count and password difficulty requirements. Remember that a strong password is a unique password. Reusing passwords means that if your credentials are stolen for one website or if one company experiences a data breach, a criminal could use your login and password on hundreds of sites to break into multiple accounts. If you have a hard time remembering all your unique passwords, a password manager can remember them for you! 
  2. Enable multifactor authentication. Multifactor authentication (MFA) is an extra layer of protection that makes it nearly impossible for a credential thief to break into your account, even if they have your password and username. MFA requires that you prove your identity multiple ways, often through a one-time code sent to your phone or email address, or a face or fingerprint scan. 
  3. Be on the lookout. If you notice any suspicious activity on any of your online accounts, change your password immediately. 

Add Another Key to Your Online Protection 

To add extra security to your online comings and goings, consider investing in McAfee+, which includes Text Scam Detector. Text Scam Detector is an AI-powered tool that blocks risky links in your emails, texts, and on social media. This is helpful just in case you accidentally click on a link that would’ve brought you to a fake login page or to another risky site. The more you use Text Scam Detector, the smarter it gets! And should your credentials and PII ever fall into the wrong hands, McAfee+ has credit and identity monitoring tools that can alert you to suspicious activity. 

Consider McAfee as the home security system for your online life. When you log off and lock up, you can relax knowing that McAfee will alert you to breaking-and-entering attempts. 

1Cybernews, “LastPass employees and customers targeted in ‘pervasive’ phishing campaign 

Introducing McAfee+

Identity theft protection and privacy for your digital life

FacebookLinkedInTwitterEmailCopy Link

Stay Updated

Follow us to stay updated on all things McAfee and on top of the latest consumer and mobile security threats.

FacebookTwitterInstagramLinkedINYouTubeRSS

More from

Back to top