TL;DR: Phishing still drives a large share of breaches because attackers can steal credentials, bypass MFA with proxy kits, and reuse those credentials for account takeover before defenders detect the fraud, according to Transmit Security and cited industry data. The governance lesson is that identity controls must assume credential interception, not just password theft.
NHIMG editorial — based on content published by Transmit Security: how phishing sites are built and how the vendor says account takeover can be blocked
By the numbers:
- Phishing was involved in 36% of all data breaches in 2022.
- Breaches in 2022 caused by phishing took an average of 295 days to identify and contain.
Questions worth separating out
Q: How should security teams reduce account takeover risk from phishing sites?
A: Security teams should combine phishing-resistant authentication, domain monitoring, redirect analysis, and post-login session inspection.
Q: Why do MFA controls still fail against modern phishing campaigns?
A: MFA fails when attackers use reverse-proxy kits to relay the login flow in real time and capture the authenticated session after the second factor succeeds.
Q: What breaks when users are redirected to a spoofed login page?
A: The trust chain between identity, device, and destination breaks: the user authenticates to a destination that is not the one they believe they are talking to.
Practitioner guidance
- Inspect post-login session signals: correlate redirects, cookies, referrers, and browser behaviour after authentication so that a successful login does not equal a trusted session.
- Hunt lookalike domains continuously: automate detection for misspellings, hyphens, alternate TLDs, and cloned hosting footprints across all company domains and subdomains.
- Treat credential reuse as a detection trigger: alert when a username and password pair is attempted across multiple properties, especially when the source login originated from a phishing domain or a suspicious device fingerprint.
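The lookalike-domain hunt above, as an added example that is not Transmit Security's code: it scores observed hostnames against a constructed company domain list for the patterns the guidance names (hyphen insertion, alternate TLD, typosquats, and the brand embedded in an attacker-controlled name). The domain `example.com` and the sample hostnames are constructed, and the toy `split_host()` ignores multi-part public suffixes such as `co.uk`.

```python
# Added example, not the vendor's detection engine. Flags lookalike
# hostnames against a constructed company domain list.
COMPANY_DOMAINS = ["example.com"]  # constructed; subdomains match by suffix


def split_host(host):
    """Return (registrable label, tld), e.g. 'sso.evil.net' -> ('evil', 'net')."""
    parts = host.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def edit_distance(a, b):
    """Plain Levenshtein distance (substitution, insertion, deletion cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reasons(candidate, company_domains=COMPANY_DOMAINS):
    """Sorted list of lookalike patterns matched; [] means not a lookalike."""
    cand = candidate.lower().rstrip(".")
    if any(cand == d or cand.endswith("." + d) for d in company_domains):
        return []  # our own domain or one of its subdomains
    c_label, c_tld = split_host(cand)
    reasons = set()
    for d in company_domains:
        label, tld = split_host(d)
        if c_label == label and c_tld != tld:
            reasons.add("alternate TLD")      # example.net
        elif c_label.replace("-", "") == label:
            reasons.add("hyphen insertion")   # ex-ample.com
        elif edit_distance(c_label, label) <= 2:
            reasons.add("typosquat")          # examp1e.com, exampel.com
        if label in cand and c_label != label:
            reasons.add("brand embedded")     # example.com.evil.net
    return sorted(reasons)


def scan(observed, company_domains=COMPANY_DOMAINS):
    """Map each flagged hostname to its reasons; clean hostnames are omitted."""
    hits = {h: lookalike_reasons(h, company_domains) for h in observed}
    return {h: r for h, r in hits.items() if r}


if __name__ == "__main__":
    # constructed sample of hostnames as they might appear in proxy or DNS logs
    sample = ["sso.example.com", "examp1e.com", "example.net",
              "example.com.evil.net", "ex-ample.com", "unrelated.org"]
    for host, why in scan(sample).items():
        print(f"{host}: {', '.join(why)}")
```

Feed it the distinct hostnames from proxy, DNS or referrer logs and route each hit into the same queue as the post-login session checks, since a login that originated from a flagged host is the case the third bullet calls out.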
What's in the full article
Transmit Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Detailed walkthrough of the phishing site creation chain, including domain spoofing, hosting, cloning, and redirect setup
- Descriptions of the specific telemetry signals used by the detection engine to score spoofed access attempts
- Examples of device fingerprinting, behavioural biometrics, and proxy-based login abuse that support fraud detection
- Operational explanation of how passkeys and passwordless MFA change the phishing response surface