How do phishing emails steal credentials?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Picture this: an employee gets an email that looks exactly like a Google Workspace security alert. "We detected a sign-in from an unrecognized device. Verify your account now or access will be suspended in 24 hours." They click the link, enter their password, and hand it straight to an attacker. That's credential phishing in a nutshell.

The whole scheme runs on urgency and fear. Attackers know that when people feel rushed or threatened, they stop checking details. That's not a weakness unique to inexperienced users. It's basic human psychology, and it works on everyone.

The mechanics, step by step

A phishing email always points somewhere. The link looks plausible ("accounts-google.com.verify-login.net" instead of "accounts.google.com") and the landing page is a near-perfect copy of a real login screen, sometimes scraped pixel-by-pixel from the actual site.

Here's what happens once someone clicks:

  1. They land on an attacker-controlled page that mirrors a legitimate site.
  2. They enter their username and password.
  3. That data goes straight to the attacker's server, usually in real time.
  4. The fake page either shows an error ("incorrect password, try again" captures a second attempt too) or quietly redirects to the real site so nothing feels wrong.

The victim often has no idea anything happened. They think they just had a brief login hiccup.

What makes a phishing page convincing

Modern phishing pages aren't obviously fake. Attackers use valid SSL certificates (the padlock icon), real company logos, correct fonts, and sometimes even live chat widgets. The padlock no longer means "this site is safe." It just means the connection is encrypted. (That distinction trips up a lot of people, and it's worth making explicit in any training you run.)

And some attackers go further with adversary-in-the-middle (AiTM) techniques, where the fake page acts as a real-time relay between the victim and the actual site. This lets attackers capture the authentication session cookie, not just the password, which means they can bypass multi-factor authentication entirely. The user sees a successful login. The attacker also logs in, silently, with the same session.

Common pretexts by industry

The story wrapped around the fake login changes depending on who's being targeted:

  • Corporate email users: "Your mailbox is over quota," "Shared document waiting for your review," "Your account was flagged for suspicious activity."
  • Finance and banking: "Unusual transaction detected," "Your payment failed," "Verify your identity to avoid account suspension."
  • HR and payroll: "Update your direct deposit information," "Your W-2 is ready to download."
  • IT and developer accounts: "Your API key is expiring," "Unauthorized access to your repository was detected."
  • Healthcare: "Patient portal update required," "HIPAA compliance action needed."

Notice the pattern. Every pretext connects to something real and important. Nobody ignores a message about their paycheck or their account being locked.

What to teach your team

Now if you're designing anti-phishing training, the goal isn't to make people paranoid. It's to give them a quick mental checklist they'll actually use under pressure:

  • Check the actual sending domain. The display name can say anything. The address behind it is what matters. "Google Security" sent from noreply@accounts-support.xyz is not Google.
  • Hover before clicking. The URL that appears in the link tooltip is where you're actually going. If it doesn't match the company's real domain, don't click.
  • Go directly, not through the email. If the email says your account has a problem, open a new browser tab and navigate to the site yourself. Don't use the email's link.
  • Be more skeptical when you feel more urgent. That urgency is the attack working on you. Slow down exactly when the email is telling you to hurry up.
  • MFA helps, but isn't a complete fix. Multi-factor authentication makes credential theft much harder. But AiTM attacks can still steal an active session even after you've completed your second factor. Account takeover can still happen even when MFA is on.

The best technical defense on the sending side is strong email authentication. SPF, DKIM, and DMARC make it much harder for attackers to impersonate your domain. But they don't protect against someone registering a lookalike domain and sending from there. That's why human training and technical controls both matter.

If you want to check how your own domain looks to attackers (and to your own employees), our free Email Header Analyzer is a good starting point. Or if you're actively dealing with a spoofing or phishing situation right now, the SOS hotline is free and we actually pick up.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Build your anti-phishing training checklist

I'm designing anti-phishing training for my team. Walk me through how a credential phishing email actually works, including the psychology that makes people fall for it. What are the most common pretexts used today, and how do they differ by industry? Give me a ranked list of the most useful things to teach employees so they can spot an attack in the moment.

Edit the yellow boxes, then send to the AI of your choice.