TL;DR: Phishing still drives a large share of breaches because attackers can steal credentials, bypass MFA with proxy kits, and reuse those credentials for account takeover before defenders detect the fraud, according to Transmit Security and cited industry data. The governance lesson is that identity controls must assume credential interception, not just password theft.
NHIMG editorial — based on content published by Transmit Security: how phishing sites are built and how the vendor says account takeover can be blocked
By the numbers:
- Phishing was involved in 36% of all data breaches in 2022.
- Breaches in 2022 caused by phishing took an average of 295 days to identify and contain.
Questions worth separating out
Q: How should security teams reduce account takeover risk from phishing sites?
A: Security teams should combine phishing-resistant authentication, domain monitoring, redirect analysis, and post-login session inspection.
Q: Why do MFA controls still fail against modern phishing campaigns?
A: MFA fails when attackers use reverse-proxy kits to relay the login flow in real time and capture the authenticated session after the second factor succeeds.
Q: What breaks when users are redirected to a spoofed login page?
A: What breaks is the trust chain between identity, device, and destination.
Practitioner guidance
- Inspect post-login session signals Correlate redirects, cookies, referrers, and browser behaviour after authentication so that a successful login does not equal a trusted session.
- Hunt lookalike domains continuously Automate detection for misspellings, hyphens, alternate TLDs, and cloned hosting footprints across all company domains and subdomains.
- Treat credential reuse as a detection trigger Alert when a username and password pair is attempted across multiple properties, especially when the source login originated from a phishing domain or a suspicious device fingerprint.
What's in the full article
Transmit Security's full blog post covers the operational detail this post intentionally leaves for the source:
- Detailed walkthrough of the phishing site creation chain, including domain spoofing, hosting, cloning, and redirect setup
- Descriptions of the specific telemetry signals used by the detection engine to score spoofed access attempts
- Examples of device fingerprinting, behavioural biometrics, and proxy-based login abuse that support fraud detection
- Operational explanation of how passkeys and passwordless MFA change the phishing response surface
👉 Read Transmit Security's analysis of phishing site tactics and account takeover controls →
Phishing, spoofed sites and account takeover: what teams miss?
Explore further
Phishing is an identity assurance failure, not just a user-awareness problem. The attacker succeeds by impersonating the trust conditions that users and login systems expect to see, then reusing what the victim supplies. That makes the central issue one of assurance collapse across the login path, not simply weak passwords or careless clicks. Practitioners should treat phishing as a control-plane problem that spans identity, device, and session trust.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Lack of credential rotation is cited as the top cause of NHI-related attacks by 45% of organisations, followed by inadequate monitoring and logging at 37% and over-privileged accounts at 37%.
A question worth separating out:
Q: Who is accountable when phishing leads to customer fraud and account takeover?
A: Accountability is shared across identity, fraud, and application owners because the attack crosses authentication, session handling, and transaction risk. The security programme should define who owns lookalike domain detection, who owns session abuse detection, and who decides when to step up or block access after suspicious login behaviour is detected.
👉 Read our full editorial: Phishing is still defeating account controls before detection catches up