How to protect against credential theft

The leading cause of data compromise through security breaches is credential theft. What actions can companies take to protect their organization?


The leading cause of data compromise through security breaches is credential theft.[1] It happens when a criminal steals your digital proof of identity — most commonly your login information such as a username and password. But credentials are more than just a way to access accounts — they’re how you verify your identity online. Other examples of credentials include PINs, security tokens, one-time passcodes, and even fingerprints and facial characteristics.


How credentials get stolen

There were more than 24 billion compromised credentials in 2021 — a 65% increase over the previous year.[2] How are fraudsters able to steal digital identities? They typically use social engineering methods such as phishing or smishing to trick users into handing over their personal information. Criminals send fraudulent emails or texts that include links to malicious, credential-harvesting websites. Digital identity can also be stolen via unsecured internet connections like public Wi-Fi.


Nearly 50% of business security incidents involve credential theft, the majority of which result in access to an organization’s exposed web applications, such as email and web servers.[3] Conversely, criminals also infiltrate web applications by exploiting vulnerabilities to steal additional credentials. The combination of these factors could create a spiral effect, with stolen credentials providing access to more credentials to be leveraged for future criminal activity.


Business risks

There are many critical risks to organizations impacted by credential theft, from financial losses to data theft. Stolen employee credentials can be sold on the black market to cyber criminals looking for new targets. Criminals can then use those purchased credentials to compromise business networks of their choice.


Potential security events associated with credential theft include unauthorized access to endpoints and/or servers, which may result in fraudulent payments being initiated or data theft — including credentials and proprietary company and customer information. They can also lead to malware infection, such as ransomware that locks users out of computers, encrypts files and holds those computers and files hostage until a heavy ransom is paid.


If a business experiences a credential security incident, several adverse outcomes beyond data theft, malware infection and financial losses may follow. News of the compromise can cause reputational harm, which damages customer, vendor, investor and shareholder trust. This often leads to lost business and lost profit. In addition, responding to the incident and remediating impacted systems can result in lost productivity and operational delays.


Criminals can also use stolen credentials to gain access to high-level targets, such as executives, finance/accounting departments and human resources. Infiltrating their communications, applications and devices enables access to sensitive data like upcoming mergers and acquisitions, product roadmaps, and employee health, salary and performance information. Criminals could then threaten to publish data or use it in other extortion schemes.


How to protect your business

To protect against credential theft, businesses should pay attention to three key focus areas: employee education, company processes and investing in the right technology.


Employee education

Employee education is easy to neglect or put on the back burner. But your employees are your first line of defense, and credential security awareness is something that shouldn’t be ignored. Make sure to educate employees to do the following:

  • Review communications with skepticism. When in doubt, return to the original source and validate before moving forward.
  • Validate all change and order requests through predefined secondary communication channels.
  • Refrain from reusing passwords across accounts, especially between work and personal. Compromised credentials are both a leading cause and effect of breaches, with 82% of individuals admitting to reusing passwords.[4]
  • Never store passwords in unsecured locations. Strong unique passwords can be difficult to remember for multiple accounts, so consider a secure method, such as a single sign-on (SSO) service or storing them in a password manager.
  • Remember, Bank of America will not send email or text messages requesting that you take action using your credentials. If in doubt, please escalate to your client team.


Company processes

Protecting against credential theft involves not only IT, but also putting in place processes that govern how employees use your company’s technology. So, take a hard look at existing policies to determine where there might be gaps:

  • Consider adding two-factor or multifactor authentication, for example, when employees sign on to devices and networks. It makes credential theft that much harder to take advantage of.
  • Design protocols for any time administrative changes are requested, taking extra steps to ensure identity — perhaps including managerial sign-off for certain critical changes.
  • Treat transactions as must-authenticate events.
  • Review your “bring-your-own-device” (BYOD) and remote-work policies to make sure that best practices are in place to either connect to networks or authorize transactions regardless of the device being used or location of the user.


The right technology

Finally, use the right technology to safeguard against credential theft. Since unauthorized access and web application vulnerabilities represent the largest share of security incidents, ensuring that all software and systems are up to date is a high priority. You can leverage evolving identity verification tools to reduce friction while strengthening and simplifying user access. Also, invest in technology that provides additional security barriers, such as robust antivirus and anti-malware programs that have been optimized for the latest threats and your business needs.


Credential theft has experienced a 30% rise since 2017, cementing it as one of the most prominent methods of business compromise over the last five years.[5] Because fallout from credential security incidents can result in lost revenue and irreparable damage to company reputation, active steps ahead of time are necessary for the security and success of your business.



[1] IBM Security and Ponemon Institute, “Cost of a Data Breach Report 2022,” July 2022.

[2] Savvy Security, “What Is Credential Theft? Credential Stealing Explained,” July 2022.

[3] Verizon, “2022 Data Breach Investigations Report,” May 2022.

[4] IBM Security and Ponemon Institute, “Cost of a Data Breach Report 2021,” July 2021.

[5] Verizon, “2022 Data Breach Investigations Report,” May 2022.