
Click to Credential: What 85,000 Phishing Emails Reveal

Tags: Email Security, Managed Phishing, Human Risk, Social Engineering
03-Nov-2025 15:04:30 | Max Harper | 10 min read

[Image: Spear Shield phishing simulation data: 51.6% of clickers submit passwords (85,000 emails analysed)]

51.6% of clickers submit their password: what our 85,000-email phishing analysis reveals

Summary: In our phishing simulations, 51.6% of people who clicked went on to submit their password. The risk doesn’t end in the inbox - it peaks on the fake login page. This post explains why, and what to change in your security strategy to stop credential loss.


The stat that should change your programme

Across 85,000 simulated phishing emails sent via Spear Shield's Managed Phishing Simulation Service, we saw a consistent pattern: once someone clicks a phishing link, there’s a strong chance they’ll finish the journey. Our average click-to-credential (C2C) rate came out at 51.6% - more than half of clickers entered their password into a fake login page.

This finding reframes the problem. We’ve all invested heavily in spotting dodgy emails, but the decisive moment is often after the click, on a convincing credential page that looks and feels familiar.


Why it happens: the turnstile effect

It’s like getting checked at the turnstile at an events venue. Once your ticket is scanned and you step inside, your guard drops - everything feels legitimate. If someone backstage asks for “one more check”, most of us comply without thinking.

Phishing works the same way:

  • Context carry-over: The brain assumes continuity from a “legit-looking” email to a “legit-looking” web page.

  • UI mimicry: Attackers copy brand elements and design patterns, so visual cues feel right.

  • Time pressure: “Session timed out”, “important document”, “payroll update” - urgency nudges quick decisions.

We train hard on the email. We train far less on the web login. Attackers exploit that gap.


Design your defences for the post-click moment

1) Branded login pages with custom domains (helpful, not a silver bullet)

  • Standardise all sign-ins on company-owned domains (e.g., login.company.co.uk) with consistent URL patterns.

  • Educate: logos can be copied; domain ownership can’t.

  • Minimise redirects and surprises - predictability helps users spot fakes.

2) Phishing-resistant MFA and SSO

  • Prioritise FIDO2/passkeys or platform authenticators over SMS/OTP.

  • Use SSO with conditional access/device trust to reduce odd login prompts.

  • If you use push-based MFA, enable number matching and contextual prompts to mitigate the risk of approval fatigue.

3) Password managers as passive domain checkers

  • Roll out an enterprise password manager.

  • Train users: if it won’t auto-fill, stop and check the URL - that mismatch is a red flag.

4) Enhanced web security controls

  • Enforce DNS filtering/Safe Browsing to block known phishing domains at the network layer.

  • Consider browser isolation for links opened from email.

  • Apply Zero Trust (ZTNA) for internal apps so access depends on user and device posture.

5) Train for the landing page, not just the inbox

  • Include credential-harvesting pages in simulations so users practise domain checks and certificate cues.

  • Track Click-to-Credential (C2C) rate and Time-to-Report as headline metrics, not just click rate.

  • Vary tactics: QR codes, SMS (smishing), voice (vishing), OAuth consent, SSO look-alikes.
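To make Click-to-Credential and Time-to-Report concrete, here is an added example (not Spear Shield's reporting code) that computes both from raw simulation events. The event format is an assumption for this example: one line per event as campaign,recipient,event,ISO-timestamp with the events sent, clicked, submitted and reported; the SAMPLE_EVENTS data is constructed. Only the earliest occurrence of each event per recipient is counted, and a credential submission is treated as implying a click, so a lost click beacon cannot push the C2C rate above 100%.

```python
"""Phishing-simulation funnel metrics: click rate, click-to-credential (C2C)
and time-to-report.

Added example, not Spear Shield's reporting code. The event format is an
assumption for this example: 'campaign,recipient,event,ISO-timestamp' with
events sent, clicked, submitted and reported. SAMPLE_EVENTS is constructed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample: five recipients, three clickers, two submitters, three reporters.
SAMPLE_EVENTS = """\
SIM-001,alice,sent,2025-11-03T09:00:00
SIM-001,bob,sent,2025-11-03T09:00:00
SIM-001,carol,sent,2025-11-03T09:00:00
SIM-001,dave,sent,2025-11-03T09:00:00
SIM-001,erin,sent,2025-11-03T09:00:00
SIM-001,alice,clicked,2025-11-03T09:04:10
SIM-001,alice,submitted,2025-11-03T09:04:45
SIM-001,alice,reported,2025-11-03T09:20:00
SIM-001,bob,clicked,2025-11-03T09:06:00
SIM-001,bob,reported,2025-11-03T09:07:30
SIM-001,carol,clicked,2025-11-03T10:15:00
SIM-001,carol,submitted,2025-11-03T10:15:40
SIM-001,carol,submitted,2025-11-03T10:16:05
SIM-001,dave,reported,2025-11-03T09:02:00
"""


def parse_funnel(text: str) -> dict:
    """Collapse events into {campaign:recipient -> {event: earliest time}}.

    Only the earliest occurrence of each event counts, so a second credential
    submission by the same person (carol) does not inflate the numbers.
    """
    funnel = defaultdict(dict)
    for line in text.splitlines():
        if not line.strip():
            continue
        campaign, recipient, event, stamp = line.strip().split(",")
        when = datetime.fromisoformat(stamp)
        person = funnel[f"{campaign}:{recipient}"]
        if event not in person or when < person[event]:
            person[event] = when
    return dict(funnel)


def compute_metrics(text: str) -> dict:
    """Headline metrics for a campaign, computed from raw events."""
    funnel = parse_funnel(text)
    sent = [p for p in funnel.values() if "sent" in p]
    # A credential submission implies a click even if the click beacon was lost.
    clicked = [p for p in sent if "clicked" in p or "submitted" in p]
    submitted = [p for p in clicked if "submitted" in p]
    reported = [p for p in sent if "reported" in p]
    # Time-to-report is measured from delivery, in minutes.
    ttr_minutes = [(p["reported"] - p["sent"]).total_seconds() / 60 for p in reported]

    def rate(num: int, den: int) -> float:
        return round(num / den, 3) if den else 0.0

    return {
        "sent": len(sent),
        "clicked": len(clicked),
        "submitted": len(submitted),
        "reported": len(reported),
        "click_rate": rate(len(clicked), len(sent)),
        "c2c_rate": rate(len(submitted), len(clicked)),
        "report_rate": rate(len(reported), len(sent)),
        # Share of clickers who still went on to report: the post-click signal.
        "post_click_report_rate": rate(sum("reported" in p for p in clicked), len(clicked)),
        "median_time_to_report_min": median(ttr_minutes) if ttr_minutes else None,
    }


if __name__ == "__main__":
    for name, value in compute_metrics(SAMPLE_EVENTS).items():
        print(f"{name}: {value}")
```

Reporting C2C next to click rate changes the conversation: a campaign with a modest click rate but a high C2C rate is telling you the landing page, not the email, is where training is thin.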

6) Operational playbook: what to do if someone submits credentials

  • Reset the password and revoke active sessions immediately.

  • Review MFA activity, OAuth app grants, and inbox rules/forwarding.

  • Run an EDR sweep on the endpoint and monitor for suspicious access.


Practical checklist for your users

  • Pause before you type: Read the domain bar, not just the page design.

  • Use bookmarks: Navigate to logins via your saved bookmark, not email links.

  • Trust auto-fill logic: No password-manager auto-fill = don’t proceed.

  • Expect consistency: Only enter credentials on known, standard company login domains.

  • Report quickly: If you clicked (or submitted), report it - speed limits damage.


FAQ (fast answers)

What percentage of clickers entered their password?
51.6% in our simulations across 85,000 emails.

Do branded login pages stop phishing?
They help, particularly with custom, company-owned domains, but they’re not a silver bullet. Domain verification and phishing-resistant MFA matter more.

What should I do if I entered my password on a fake page?
Reset password, revoke sessions, check MFA/OAuth, audit inbox rules, and alert IT for an endpoint sweep.

How do I check a domain quickly?
Focus on the registrable domain (e.g., login.microsoft.com is legit; microsoft.com.login-secure.co is not). When in doubt, navigate directly.
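The check a password manager performs before auto-filling (section 3 above) and the rule of thumb in this answer are the same comparison: what matters is the registrable domain, not the hostname as a whole. Below is an added example (not Spear Shield's code) that implements it. PUBLIC_SUFFIXES is a small constructed excerpt standing in for the full Public Suffix List, and COMPANY_LOGIN_DOMAINS is a hypothetical allowlist of company-owned sign-in domains; both are assumptions for this example.

```python
"""Registrable-domain check for login URLs.

Added example (not Spear Shield's code). It reproduces the comparison a
password manager makes before auto-filling and the FAQ rule of thumb:
judge the registrable domain, not the whole hostname.

Assumptions: PUBLIC_SUFFIXES is a constructed excerpt of the Public Suffix
List; COMPANY_LOGIN_DOMAINS is a hypothetical allowlist.
"""
from urllib.parse import urlsplit

# Constructed excerpt; a real check would load the full Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co", "uk", "co.uk", "org.uk"}

# Hypothetical allowlist of company-owned login domains (registrable part only).
COMPANY_LOGIN_DOMAINS = {"company.co.uk", "microsoft.com"}


def registrable_domain(host: str) -> str:
    """Return the registrable domain (public suffix plus one label).

    Scans suffixes from longest to shortest, so 'co.uk' wins over 'uk'.
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a fully qualified host: {host!r}")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            if i == 0:
                raise ValueError(f"host is a bare public suffix: {host!r}")
            return ".".join(labels[i - 1:])
    # Unknown suffix: treat the last two labels as registrable.
    return ".".join(labels[-2:])


def should_autofill(page_url: str, saved_host: str) -> bool:
    """Password-manager rule: fill only when registrable domains match."""
    host = urlsplit(page_url).hostname or ""
    try:
        return registrable_domain(host) == registrable_domain(saved_host)
    except ValueError:
        return False


def classify_login_url(url: str) -> tuple:
    """Return (registrable_domain, verdict) for a login URL.

    Verdicts: 'company-owned' (on the allowlist), 'look-alike' (a known
    company name buried in the subdomain of another registrable domain),
    'not-https', 'invalid-host', or 'unknown'.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme != "https":
        return host, "not-https"
    try:
        reg = registrable_domain(host)
    except ValueError:
        return host, "invalid-host"
    if reg in COMPANY_LOGIN_DOMAINS:
        return reg, "company-owned"
    # Everything left of the registrable domain is attacker-controlled text.
    subdomain = host[: -len(reg)].rstrip(".")
    for known in COMPANY_LOGIN_DOMAINS:
        brand = known.split(".")[0]
        if known in subdomain or brand in subdomain.split("."):
            return reg, "look-alike"
    return reg, "unknown"


if __name__ == "__main__":
    for u in ("https://login.microsoft.com/", "https://microsoft.com.login-secure.co/signin"):
        print(u, classify_login_url(u))
```

The FAQ's two examples fall out directly: login.microsoft.com resolves to microsoft.com and is allowlisted, while microsoft.com.login-secure.co resolves to login-secure.co with the brand sitting in the subdomain, which is exactly the case auto-fill refuses and users are told to treat as a red flag.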

Which MFA is best against phishing?
FIDO2/passkeys. If unavailable, use push with number matching rather than SMS/OTP.


How Spear Shield can help

  • Managed Phishing Simulation Service: Full-journey simulations that measure and reduce click-to-credential risk, not just clicks.

  • Human-centric security programme: combines Spear Phish simulations with training tailored to each individual, so users practise the whole journey from inbox to login. We layer in adaptive, risk-based DLP and behavioural-AI email protection to catch threats and mistakes in real time - cutting click-to-credential rates, improving time-to-report, and extending vigilance to the critical post-click moment.

  • Advisory & configuration: covering SSO/MFA hardening, enterprise password managers, DNS filtering, and ZTNA, anchored by a device-native secure web gateway that enforces policy everywhere your users work. It performs real-time page evaluation (including look-alike login detection), applies inline controls without backhauling traffic, and stops credential harvesting the instant a link is clicked. The result: consistent, low-latency post-click protection that meaningfully cuts click-to-credential risk.

Ready to reduce your C2C rate? Speak to the Spear Shield team - your trusted cybersecurity partner for superior security outcomes.

 


Free Managed Phishing Assessment

Gain an understanding of what the baseline level of risk looks like in your organisation.

For more details, visit our Free Managed Phishing page here.


Want to learn more?
Book a call with our team or drop us a message today. 

📩 hello@spearshield.co.uk
📞 01473 948980
🌐 www.spearshield.co.uk

Max Harper

As CEO and Co-Founder of Spear Shield, Max Harper is focused on building one of the most cyber-secure client communities across Suffolk, East Anglia, and the UK. He works closely with business leaders and IT teams to understand what really drives their organisations – then helps them challenge traditional cybersecurity approaches, rethink their risk strategies, and implement solutions that actually make a difference without impacting user productivity. Max’s goal is to ensure customers can articulate risk confidently, demonstrate value internally, and exceed their cybersecurity goals – with a trusted partner by their side.

Ready to identify, continuously monitor, and Mitigate Human Risk in your organisation?