TL;DR: Phishing remains a near-universal problem, with 89% of Americans encountering a scam and 61% saying they have been phished, according to 1Password’s survey of 2,000 adults. The issue is no longer obvious typos but credential capture through convincing, AI-polished messages and fake login pages, making user context and identity controls the real control plane.
NHIMG editorial — based on content published by 1Password: phishing behavior, survey findings, and a new anti-phishing feature
By the numbers:
- 89% of Americans have encountered a phishing scam.
- 61% have actually been phished.
- Only 25% of Americans said they hover over URLs before clicking them.
Questions worth separating out
Q: How should security teams reduce phishing success without relying on user vigilance alone?
A: They should move controls into the authentication flow.
Q: Why do phishing attacks so often become broader account takeovers?
A: Because the stolen secret is often reusable.
Q: What do organisations get wrong about phishing prevention?
A: They often treat phishing as a training problem instead of an identity control problem.
Practitioner guidance
- Suppress autofill on domain mismatch: Configure browser and password-manager rules so credentials are not filled when the destination URL does not match the stored login, then test bypass attempts with lookalike domains and subdomain tricks.
- Block paste-based credential submission on suspicious pages: Add prompts that warn users before credentials are pasted into unfamiliar login forms, and tune the message so it interrupts urgency without training users to ignore alerts.
- Remove password reuse from the phishing blast radius: Enforce unique credentials across all business applications, then pair that with MFA and continuous detection so one captured password cannot authenticate everywhere.
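One way to express and test the domain-match rule from the first item above, as an added example that is not 1Password's code or a description of its extension. It assumes a strict policy (fill only on an exact https origin match); the function names and sample URLs are constructed for illustration.

```javascript
// Added example. Policy assumed here: fill only on an exact origin match
// (https scheme, host, port). Function names and sample URLs are constructed.
function normalizeOrigin(rawUrl) {
  let u;
  try { u = new URL(rawUrl); } catch { return null; }
  if (u.protocol !== "https:") return null; // never fill on a plaintext page
  // URL parsing lowercases the host and converts IDN labels to punycode
  // (xn--...), so a homograph host cannot compare equal to the ASCII one.
  const host = u.hostname.replace(/\.$/, ""); // ignore a trailing root dot
  if (!host) return null;
  return { host, port: u.port || "443", userinfo: Boolean(u.username || u.password) };
}

function shouldAutofill(storedUrl, pageUrl) {
  const stored = normalizeOrigin(storedUrl);
  const page = normalizeOrigin(pageUrl);
  if (!stored || !page) return { fill: false, reason: "unparseable-or-not-https" };
  if (page.userinfo) return { fill: false, reason: "userinfo-in-url" };
  if (page.host !== stored.host) {
    // Distinguish "stored name embedded in another host" for alert triage.
    const embedded = page.host.includes(stored.host);
    return { fill: false, reason: embedded ? "stored-host-inside-other-host" : "host-mismatch" };
  }
  if (page.port !== stored.port) return { fill: false, reason: "port-mismatch" };
  return { fill: true, reason: "exact-origin-match" };
}

// Constructed test matrix for the stored login https://login.example.com/
const STORED = "https://login.example.com/";
const SAMPLES = [
  "https://login.example.com/signin",
  "https://login.example.com./signin",
  "https://login.example.com.evil.test/",
  "https://login.example.com@evil.test/",
  "https://login.examp1e.com/",
  "https://l\u043egin.example.com/",
  "https://evil.test/login.example.com/",
  "http://login.example.com/",
  "https://login.example.com:8443/",
];

function auditSamples() {
  return SAMPLES.map((url) => ({ url, ...shouldAutofill(STORED, url) }));
}

for (const r of auditSamples()) console.log(r.fill ? "FILL " : "BLOCK", r.reason, r.url);
```

Extending the matrix with an organisation's own login hosts gives a regression suite for whatever matching rule is actually deployed.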
What's in the full article
1Password's full article covers the survey detail this post intentionally leaves for the source:
- Survey methodology for 2,000 American adults, including the role mix and collection window.
- The full set of phishing context breakdowns by where people were phished at home and at work.
- The practical advice section on recognising urgent messages and reporting suspicious activity.
- 1Password's browser-extension behaviour for autofill suppression and paste warnings in more detail.