TL;DR: Phishing remains a near-universal problem, with 89% of Americans encountering a scam and 61% saying they have been phished, according to 1Password’s survey of 2,000 adults. The issue is no longer obvious typos but credential capture through convincing, AI-polished messages and fake login pages, making user context and identity controls the real control plane.
NHIMG editorial — based on content published by 1Password: phishing behavior, survey findings, and a new anti-phishing feature
By the numbers:
- 89% of Americans have encountered a phishing scam.
- 61% have actually been phished.
- Only 25% of Americans said they hover over URLs before clicking them.
Questions worth separating out
Q: How should security teams reduce phishing success without relying on user vigilance alone?
A: Move the controls into the authentication flow itself: origin-bound autofill, paste warnings and MFA, so that a convincing page cannot collect a usable secret even when the user is fooled.
Q: Why do phishing attacks so often become broader account takeovers?
A: Because the stolen secret is often reusable: a password harvested on one fake login page authenticates wherever that same password was reused.
Q: What do organisations get wrong about phishing prevention?
A: They often treat phishing as a training problem instead of an identity control problem.
Practitioner guidance
- Suppress autofill on domain mismatch: configure browser and password-manager rules so credentials are not filled when the destination URL does not match the stored login, then test bypass attempts with lookalike domains and subdomain tricks.
- Block paste-based credential submission on suspicious pages: add prompts that warn users before credentials are pasted into unfamiliar login forms, and tune the message so it interrupts urgency without training users to ignore alerts.
- Remove password reuse from the phishing blast radius: enforce unique credentials across all business applications, then pair that with MFA and continuous detection so one captured password cannot authenticate everywhere.
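The three controls above, worked through as an added JavaScript example. This is not 1Password's code and does not describe how its extension is implemented; it is one way to express the same rules so they can be tested against the lookalike-domain and subdomain tricks the first item mentions. It assumes a constructed vault of made-up credentials, a two-label heuristic for the registrable domain (a production implementation would consult the public suffix list), and relies on the WHATWG URL parser turning Unicode hostnames into punycode (`xn--`), which is what exposes homoglyph lookalikes.

```javascript
// Added example (not 1Password's code): origin-bound autofill, paste
// warnings and password-reuse reporting over a constructed vault.

// Constructed vault entries; the credentials are made up for this example.
const VAULT = [
  { site: 'https://login.example.com', username: 'alice', password: 'S3cret-Pa55!' },
  { site: 'https://bank.example.net',  username: 'alice', password: 'S3cret-Pa55!' }, // reused on purpose
  { site: 'https://mail.example.org',  username: 'alice', password: 'UniqueMail-Pw-7' },
];

// Two-label heuristic for the registrable domain ("example.com" from
// "login.example.com"). Deliberately conservative: it treats
// "example.co.uk" as "co.uk", so it errs toward blocking; a production
// implementation should consult the public suffix list instead.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

// Should the stored login be filled on pageUrl? Returns { allow, reason }.
function autofillDecision(entry, pageUrl) {
  let stored, page;
  try {
    stored = new URL(entry.site);
    page = new URL(pageUrl); // WHATWG parsing: Unicode hosts come back as punycode (xn--)
  } catch {
    return { allow: false, reason: 'unparseable URL' };
  }
  if (stored.protocol === 'https:' && page.protocol !== 'https:') {
    return { allow: false, reason: 'scheme downgrade' }; // never fill an HTTPS login over HTTP
  }
  if (page.hostname.includes('xn--') && !stored.hostname.includes('xn--')) {
    return { allow: false, reason: 'punycode host differs from stored ASCII host' }; // homoglyph lookalike
  }
  if (page.hostname === stored.hostname) {
    return { allow: true, reason: 'exact host match' };
  }
  // www.example.com vs login.example.com is fine; login.example.com.evil.test is not,
  // because its registrable domain is evil.test.
  if (registrableDomain(page.hostname) === registrableDomain(stored.hostname)) {
    return { allow: true, reason: 'same registrable domain' };
  }
  return { allow: false, reason: 'domain mismatch' };
}

// Text to show before a paste lands in a login form on pageUrl, or null if
// the pasted value is not a stored password or the page is one it belongs to.
function pasteWarning(pastedText, pageUrl, vault = VAULT) {
  const holders = vault.filter((e) => e.password === pastedText);
  if (holders.length === 0) return null;
  if (holders.some((e) => autofillDecision(e, pageUrl).allow)) return null;
  const savedFor = holders.map((e) => new URL(e.site).hostname).join(', ');
  let here;
  try { here = new URL(pageUrl).hostname; } catch { here = pageUrl; }
  return `This password is saved for ${savedFor}. ${here} is not one of those sites. Paste it anyway?`;
}

// Passwords shared by more than one entry: the blast radius of a single capture.
function reusedPasswords(vault = VAULT) {
  const hostsByPassword = new Map();
  for (const e of vault) {
    const hosts = hostsByPassword.get(e.password) || [];
    hosts.push(new URL(e.site).hostname);
    hostsByPassword.set(e.password, hosts);
  }
  return [...hostsByPassword.values()].filter((hosts) => hosts.length > 1);
}

// Demo against the lookalike and subdomain tricks a tester would try.
for (const url of [
  'https://login.example.com/signin',
  'https://www.example.com/',
  'http://login.example.com/',
  'https://login.examp1e.com/',
  'https://login.example.com.evil.test/',
  'https://login.exаmple.com/', // Cyrillic "а" in the second label
]) {
  const d = autofillDecision(VAULT[0], url);
  console.log(`${d.allow ? 'FILL ' : 'BLOCK'} ${url}  (${d.reason})`);
}
console.log(pasteWarning('S3cret-Pa55!', 'https://login.example.com.evil.test/'));
console.log('reused across:', reusedPasswords());
```

The paste check deliberately reuses the autofill decision: if the manager would not fill a password on this origin, pasting that same password there is exactly the moment to interrupt. The reuse report is what makes the third item measurable; an entry list that comes back empty is the state the guidance is asking for.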
What's in the full article
1Password's full article covers the survey detail this post intentionally leaves for the source:
- Survey methodology for 2,000 American adults, including the role mix and collection window.
- The full set of phishing context breakdowns by where people were phished at home and at work.
- The practical advice section on recognising urgent messages and reporting suspicious activity.
- 1Password's browser-extension behaviour for autofill suppression and paste warnings in more detail.
👉 Read 1Password's survey analysis of phishing behavior and anti-phishing controls →
Phishing warnings and credential controls: are your users covered?
Explore further
Human judgement is no longer a sufficient control boundary for phishing. The article shows that AI-polished scams reduce the visual cues users once relied on, which means the control gap is now structural, not merely behavioural. Credential theft succeeds because the identity layer still depends on people recognising fraud before they authenticate. Practitioners should treat user vigilance as a supplemental signal, not the primary control.
A few things that frame the scale:
- 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap, according to The State of Secrets in AppSec.
- The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities.
A question worth separating out:
Q: How can teams tell whether phishing controls are actually working?
A: Look for fewer successful credential submissions on lookalike domains, lower password reuse, and faster reporting of suspicious messages. If users still reach fake login pages and can submit credentials without friction, the control environment is only reducing risk on paper. The goal is to stop secrets from leaving the user’s device.
👉 Read our full editorial: Phishing prevention still depends on identity and user context