
Security awareness programs devote enormous attention to phishing click rates, the percentage of employees who click malicious links in simulated phishing emails. That metric matters, but it is incomplete. Clicking a link creates risk. Entering credentials on the fake login page that appears after clicking converts that risk into actual compromise.
The Verizon 2025 Data Breach Investigations Report (DBIR) again lists credential abuse among the leading initial access vectors. What simulation data adds is that credential submission rates do not track click rates proportionally. An organization with a 25 percent click rate might show a 15 percent credential submission rate, or it might show a 22 percent credential submission rate. The difference between those outcomes is the share of clickers who recognize the fake login page as fraudulent versus the share who enter their username and password despite the warning signs.
Credential submission rate is the metric that measures actual account compromise in phishing simulations. It is the closest proxy available for measuring how many employees would hand over working credentials in a real credential harvesting attack. Understanding how credential submission rates vary across industries, across spoofed platforms, and across different types of login pages is essential for designing training that addresses the actual moment of compromise rather than the preliminary click.
This guide provides detailed credential submission rate data across industries and platforms, explains the factors that drive variation in submission behavior, and offers a framework for using these benchmarks to improve training effectiveness where it matters most—at the moment employees decide whether to trust a login page.
Why Credential Submission Rates Matter More Than Click Rates
Click rates measure whether employees recognize and avoid clicking suspicious links. Credential submission rates measure whether employees recognize and avoid entering credentials on fake login pages. These are related but distinct security failures, and the second is more operationally damaging.
An employee who clicks a phishing link but recognizes the subsequent fake login page as fraudulent and closes the browser has created temporary risk—their click may have registered with the attacker, confirming the email address is active—but has not provided working credentials. An employee who clicks the link and then enters their username and password on the fake login page has handed the attacker the keys to their account.
The operational difference is substantial. Attackers who harvest working credentials can access email accounts, infiltrate systems, steal data, impersonate the compromised employee to launch further attacks, and maintain persistent access even after the initial phishing campaign is blocked. Attackers who collect click data without credentials can send more phishing emails but gain no system access.
This distinction is sometimes lost in security awareness program design. Many programs measure and report only click rates, treating credential submission as an assumed consequence of clicking rather than as a separate behavior requiring separate measurement and training. Organizations that make this assumption significantly underestimate the effectiveness of their training—employees who have learned to recognize fake login pages provide substantial defensive value even if they occasionally click suspicious links.
Credential submission rate is also more directly actionable than click rate for training design. Employees who click links but do not submit credentials are demonstrating partial success—they are failing the initial email recognition test but passing the login page recognition test. Training can build on that partial success by reinforcing the behaviors that are working (login page scrutiny) rather than solely addressing the behaviors that are not (link clicking). Programs that only measure clicks cannot make this distinction.
Healthcare: High Submission Rates, Trusted Platform Exploitation
Healthcare organizations show credential submission rates that track closely with their click rates, typically achieving submission rates that are 70 to 85 percent of their click rate. An organization with a 30 percent click rate commonly shows a 22 to 26 percent credential submission rate.
This close tracking—where most employees who click proceed to submit credentials—reflects the time pressure and distraction that characterizes healthcare work environments. Clinical staff who click a link while managing patient care demands rarely have the cognitive capacity to carefully scrutinize the login page that appears. If the page resembles a familiar system—EHR login, hospital portal, email authentication—they are likely to enter credentials reflexively.
The platform spoofing that produces highest credential submission rates in healthcare involves clinical systems rather than general enterprise platforms. Fake Epic login pages, fake Cerner authentication screens, and fake hospital VPN portals achieve credential submission rates 15 to 25 percentage points higher than fake Microsoft 365 or Google Workspace login pages in healthcare environments.
This elevated effectiveness of clinical system spoofing reflects both familiarity and urgency. Healthcare workers authenticate to EHR systems dozens of times per shift, making the login workflow deeply habitual. The systems are also critical to patient care, creating urgency that overrides careful scrutiny. An employee who encounters what appears to be an EHR login prompt during a patient care task is likely to authenticate immediately rather than questioning whether the prompt is legitimate.
Healthcare organizations that achieve credential submission rates significantly below their click rates (12 to 15 percent submission when click rates are 25 to 30 percent) tend to be those that have implemented training specifically focused on login page verification rather than solely on email recognition. The training teaches employees to verify the URL against the address they normally use, to recognize indicators of fake login pages (misspelled or unfamiliar domains, a login prompt that appears from an email link rather than from a bookmark, a password manager that declines to autofill), and to rely on password managers that will not fill credentials on a domain other than the one the credential was saved for. A missing padlock is no longer a dependable indicator: most phishing pages are now served over HTTPS with a valid certificate for the attacker's own domain.
The challenge in healthcare is that the same time constraints that drive high click rates also limit the time available for careful login page verification. Training that requires employees to check five different indicators before authenticating is unlikely to be followed in practice. The verification behavior must be simple enough to execute in seconds or it will not become habitual.
Financial Services: Lower Submission Rates, Security-Conscious Workforce
Financial services organizations show credential submission rates that are notably lower relative to their click rates compared to most industries. Organizations with click rates in the 18 to 25 percent range commonly show credential submission rates in the 10 to 16 percent range—a submission-to-click ratio of 55 to 65 percent.
This gap—where a substantial percentage of employees who click do not proceed to submit credentials—reflects the sector's security-conscious culture and the presence of security training that specifically addresses login page verification. Financial services employees are trained to recognize fraudulent login pages as part of broader fraud awareness programs that emphasize verification before action.
Financial services organizations also benefit from widespread password manager adoption. Employees using password managers encounter a natural verification step: the password manager does not recognize the fraudulent domain and so does not offer to autofill. That silence is a warning sign that prompts additional scrutiny, provided employees have been taught to treat it as one rather than to copy the password out of the vault by hand. Organizations that have achieved high password manager adoption rates show credential submission rates 20 to 30 percent lower than organizations where employees manually type credentials.
The platform spoofing patterns in financial services differ from other industries. Microsoft 365 and Google Workspace spoofing remains common, but attackers increasingly target financial-services-specific platforms: Bloomberg Terminal login screens, trading platform authentication, proprietary banking system portals, and financial data service logins. These specialized platform spoofs achieve higher credential submission rates than generic email platform spoofs because employees are less familiar with their legitimate appearance and because the platforms are accessed less frequently, so a password manager is less likely to hold a saved entry for them and the autofill check never comes into play.
Financial services credential submission rates also show significant variation by role. Trading desk personnel, wealth management advisers, and client-facing staff who operate under time pressure show submission rates 25 to 40 percent higher than back-office operations, risk management, and compliance staff. The role-based variation suggests that time pressure and task focus—not lack of awareness—drive credential submission in financial services, and that role-specific training addressing realistic work scenarios produces better outcomes than generic awareness training.
The regulatory environment in financial services creates accountability for credential compromise that does not exist in most other industries. Financial institutions that experience credential-related breaches face regulatory examination, potential enforcement actions, and mandatory disclosure requirements. This regulatory pressure drives investment in credential harvesting prevention that exceeds what pure financial ROI would justify.
Technology: Lowest Submission Rates, Technical Sophistication
Technology sector organizations achieve the lowest credential submission rates across industry benchmarks, typically showing submission rates that are 40 to 55 percent of click rates. Organizations with 15 percent click rates commonly show 6 to 8 percent credential submission rates.
Multiple factors contribute to this substantial gap between clicking and credential submission. Technology employees are more likely to use password managers that fail to autofill on fraudulent domains, providing an automatic warning. They are more likely to notice URL irregularities (misspelled domains, unexpected subdomains, a familiar hostname sitting under an unfamiliar registrable domain) because they work with web technologies professionally. They are more likely to use multi-factor authentication, which adds a step that prompts scrutiny, though, as the MFA bypass section below explains, not a step that stops a proxied login on its own.
Technology sector training also emphasizes technical indicators of fraudulent login pages rather than behavioral heuristics alone. Training that teaches employees to read the full hostname in the browser address bar, to check which domain the certificate was issued for rather than merely that a padlock is present (phishing pages routinely carry valid certificates for their own domains), and to recognize domain spoofing techniques produces lower credential submission rates than training that only teaches generic "be suspicious" messaging.
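The password manager check described in the financial services section and the URL scrutiny described just above come down to the same question: is this page on the domain the credential belongs to? The following is an added example, not code from the original post or from any password manager vendor, that implements that check the way a manager does (same registrable domain, HTTPS only) and runs it over the lookalike URLs a phishing kit typically uses. The saved entry, the candidate URLs and the tiny public-suffix table are constructed for the demo; a real manager consults the full Public Suffix List.

```python
"""Added example (not code from the original post): the domain check a password
manager performs before offering to autofill, run against lookalike login URLs.
The saved entry, the URLs and the tiny public-suffix table are constructed for
the demo; real managers consult the full Public Suffix List."""
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (enough for the sample URLs).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname, compared in its ASCII (IDNA/punycode) form so that a
    homoglyph domain can never equal the genuine one."""
    host = host.lower().rstrip(".").encode("idna").decode("ascii")
    labels = host.split(".")
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host


def should_autofill(saved_url: str, page_url: str) -> bool:
    """A manager fills a saved credential only on the same registrable domain,
    and only over HTTPS. Anything else gets silence, which is the warning sign."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not page.hostname or not saved.hostname:
        return False
    return registrable_domain(page.hostname) == registrable_domain(saved.hostname)


def triage(saved_url: str, page_urls: list[str]) -> dict[str, bool]:
    """Map each candidate login URL to whether the manager would autofill it."""
    return {url: should_autofill(saved_url, url) for url in page_urls}


# Constructed sample: a saved Microsoft 365 entry and the pages a phish might show.
SAVED_ENTRY = "https://login.microsoftonline.com/"
CANDIDATES = [
    "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=abc",
    "https://login.microsoftonline.com.evil.net/",      # genuine host as a subdomain
    "https://login-microsoftonline.com/",               # hyphen instead of dot
    "https://login.microsoftonlinе.com/",               # Cyrillic е in the label
    "https://login.microsoftonline.com@evil.net/",      # userinfo trick
    "http://login.microsoftonline.com/",                # downgrade to plaintext
]

if __name__ == "__main__":
    for url, ok in triage(SAVED_ENTRY, CANDIDATES).items():
        print(f"{'FILL  ' if ok else 'SILENT'}  {url}")
```

Only the first URL is filled; every lookalike gets silence. The check is strict by design, which is also its weakness in practice: an employee who copies the password out of the vault and pastes it into the silent page has defeated it, so training still has to tell people what the silence means.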
However, technology sector credential submission rates show dramatic internal variation. Technical employees—engineers, security staff, IT personnel—show submission rates as low as 3 to 5 percent even when click rates reach 12 to 15 percent. Non-technical employees in the same organizations—sales, marketing, HR, finance—show submission rates of 12 to 18 percent when click rates are 22 to 28 percent. The internal variation is larger than the variation between technology organizations and organizations in most other industries.
This disparity creates strategic vulnerability. Attackers targeting technology companies increasingly focus credential harvesting on non-technical roles that provide access to valuable information but that lack the technical sophistication to recognize sophisticated login page spoofing. Sales teams with access to customer data, finance teams with access to payment information, and HR teams with access to employee PII become the path of least resistance for credential harvesting.
Technology organizations that address this internal variation through role-specific training—providing sales, marketing, and administrative staff with simplified verification procedures appropriate to their technical baseline—can reduce non-technical employee submission rates to 8 to 12 percent, substantially closing the gap with technical staff performance.
Education: High Submission, Platform Familiarity Exploitation
Educational institutions show credential submission rates that closely track click rates, typically achieving submission-to-click ratios of 75 to 90 percent. Organizations with 32 percent click rates commonly show 26 to 29 percent credential submission rates.
The factors that drive education's elevated phishing susceptibility extend to credential submission behavior. Faculty and staff are accustomed to authenticating to numerous systems—learning management platforms, email, student information systems, library systems, payroll portals—creating habitual authentication behavior that attackers exploit.
Educational institutions also show particularly high vulnerability to single sign-on platform spoofing. Universities that use centralized authentication systems—where a single login provides access to multiple campus services—create a single high-value target for credential harvesting. A fake Shibboleth login page or fake campus portal authentication screen achieves credential submission rates 20 to 30 percentage points higher than generic email platform spoofs in education environments.
The student population represents a distinct credential submission risk profile. Students are digital natives who should theoretically recognize fake login pages, but student credential submission rates in phishing simulations typically exceed staff rates by 10 to 15 percentage points. The difference reflects lower stakes—students rarely experience direct consequences from compromised accounts—and less security training.
Educational institution credential submission rates also reflect the diversity of the workforce. Faculty members in humanities departments show different credential submission patterns than computer science faculty. Administrative staff show different patterns than IT personnel. Facilities and grounds workers show different patterns than librarians. The heterogeneity makes organization-wide training challenging because the baseline technical sophistication varies so widely.
Education sector organizations that achieve submission rates meaningfully below their click rates—showing 18 to 22 percent submission when click rates are 30 to 35 percent—typically do so through partnership with IT departments that provide technical training on URL verification and HTTPS indicators alongside behavioral security awareness training. The combination of technical and behavioral training proves more effective than either alone.
Government and Public Sector: Platform Spoofing Variation
Government organizations show credential submission rates with substantial variation by agency type and technical maturity. Federal agencies with mature security programs typically achieve submission-to-click ratios of 55 to 70 percent. State and local governments without dedicated security programs often show ratios of 75 to 85 percent.
The variation reflects differences in security awareness maturity and password manager adoption. Federal agencies operating under FISMA requirements and other cybersecurity mandates provide regular security training that includes login page verification. Many federal agencies also mandate or strongly encourage password manager use, providing technical protection against credential submission on fraudulent domains.
State and local government employees often receive less comprehensive security training and are less likely to use password managers, creating elevated credential submission vulnerability. Government employees who manually type credentials into login prompts multiple times daily develop habitual authentication behavior that does not include careful URL verification.
Government credential harvesting attacks increasingly target government-specific platforms rather than generic email systems. Fake GovDelivery login pages, fake MAX.gov authentication screens, fake state employee portal logins, and fake benefits system portals achieve higher credential submission rates than Microsoft 365 or Google Workspace spoofs because government employees encounter these platforms regularly but may be less familiar with their legitimate appearance than with consumer email platforms.
The public availability of government email addresses—often published on agency websites, in public directories, and in official documents—makes government employees easy targets for credential harvesting campaigns. Attackers can assemble targeted lists of government employees by domain without the reconnaissance effort required to target private sector organizations.
Government organizations that implement technical controls—requiring VPN access before internal system authentication, implementing smart card authentication for sensitive systems, enforcing password manager use—achieve credential submission rates 30 to 50 percent lower than agencies relying solely on employee awareness and voluntary compliance with best practices.
Retail and Hospitality: Time Pressure and Credential Reuse
Retail and hospitality organizations show credential submission rates that track closely with click rates, typically achieving submission-to-click ratios of 70 to 85 percent. Organizations with 26 percent click rates commonly show 20 to 22 percent credential submission rates.
The time pressure that characterizes retail and hospitality work extends from email interaction to credential entry. Employees who click suspicious links while managing customer service demands are unlikely to pause to carefully scrutinize the login page that appears. If the page requests credentials for what appears to be a familiar system—email, scheduling, payroll, inventory management—they are likely to enter them reflexively.
Retail and hospitality credential harvesting also faces elevated risk from credential reuse. Industry data suggests that retail and hospitality employees reuse passwords across multiple accounts at rates 25 to 40 percent higher than employees in financial services or technology sectors. When credential harvesting succeeds in capturing a reused password, the compromise extends beyond the immediate organizational account to personal email, banking, and other accounts using the same credentials.
The seasonal workforce variation in retail and hospitality creates predictable credential submission vulnerability. Temporary employees hired for peak seasons—holiday retail, summer tourism, major event staffing—receive minimal security training and show credential submission rates 30 to 50 percent higher than permanent employees. Organizations that process thousands of seasonal hires annually face persistent populations of high-vulnerability employees.
Retail and hospitality organizations that achieve credential submission rates significantly below their click rates—showing 12 to 16 percent submission when click rates are 24 to 28 percent—typically do so through simplified technical controls rather than enhanced training. Single sign-on implementations that reduce the number of authentication prompts employees encounter, password managers provided as standard tools, and biometric authentication on point-of-sale systems all reduce credential submission opportunities.
Platform-Specific Submission Rates: Microsoft 365 vs. Google Workspace vs. VPN
Credential submission rates vary substantially based on which platform the fake login page impersonates, with differences that are consistent across industries even though absolute rates vary by sector.
Microsoft 365 fake login pages achieve the highest credential submission rates across all industries, typically producing submission rates 15 to 25 percentage points higher than generic credential harvesting pages. Employees encounter Microsoft 365 authentication prompts regularly—often multiple times daily—creating habitual authentication behavior. The ubiquity of Microsoft 365 also means that fake login pages can closely replicate the legitimate experience because the legitimate experience is familiar to attackers.
Google Workspace fake login pages achieve slightly lower credential submission rates than Microsoft 365, typically running 5 to 10 percentage points lower. The difference appears to reflect Google's defaults around the login flow: Safe Browsing warnings on known phishing pages, device and location verification prompts, and security key support for enrolled accounts, which together make a convincing end-to-end replica harder for attackers to build.
VPN login page spoofing achieves credential submission rates that vary dramatically by organization. In organizations where VPN access is required daily and where employees authenticate from multiple locations and devices, fake VPN login pages achieve submission rates comparable to Microsoft 365. In organizations where VPN is used infrequently, fake VPN login pages achieve lower submission rates because employees are less habituated to the authentication workflow and more likely to scrutinize unexpected prompts.
Banking and financial platform spoofing—fake Bank of America logins, fake Chase authentication, fake PayPal credential requests—achieves lower credential submission rates than workplace platform spoofing in phishing simulations. Employees appear to apply greater scrutiny to financial authentication prompts than to workplace system prompts, perhaps because personal financial loss feels more tangible than workplace credential compromise.
The platform-specific variation in submission rates suggests that training should address platform-specific verification rather than teaching generic login page skepticism. Training that teaches employees how to verify a Microsoft 365 login page specifically (reading the full URL and expecting login.microsoftonline.com or the organization's own federation host, recognizing the tenant branding the organization actually uses, relying on the password manager to fill or stay silent) produces better outcomes than training that teaches generic advice applicable to any login page.
The MFA Bypass Problem: Credential Harvesting Is Not Solved
Organizations that implement multi-factor authentication often assume that credential harvesting becomes ineffective because harvested usernames and passwords cannot be used without the second factor. Industry data demonstrates that this assumption is dangerously incomplete.
Sophisticated credential harvesting attacks increasingly use adversary-in-the-middle (AitM) techniques that harvest not just usernames and passwords but also the MFA codes or push approvals that follow. The attacker's fake login page is a reverse proxy to the legitimate service: it relays the username and password to the real login page in real time, relays the resulting MFA prompt back to the employee (a one-time code to type, or a push notification that arrives on the employee's own phone), relays the code or approval onward to complete the login, and keeps the session cookie the service issues. With that cookie the attacker uses the account without re-authenticating until the session expires or is revoked.
Industry data on AitM credential harvesting effectiveness is limited because these attacks are more sophisticated and less common than simple username/password harvesting. However, organizations that have run simulations including AitM techniques report that credential submission rates on AitM-enabled fake login pages are comparable to submission rates on simple credential harvesting pages—employees do not recognize that entering an MFA code on what appears to be a familiar login page represents compromise.
The strategic implication is that MFA provides valuable protection against credential harvesting but does not eliminate the risk. Organizations cannot afford to relax credential harvesting prevention efforts because they have deployed MFA. Training must address both the initial credential submission decision and the MFA token protection decision—employees need to understand that entering an MFA code on an unexpected or suspicious login prompt is as dangerous as entering a password.
Hardware security keys using FIDO2/WebAuthn are the exception, because the credential is bound to the website's origin rather than to anything the employee can be tricked into typing. The browser, not the page, records the origin of the login page in the signed client data and scopes the credential to the site's domain: the key holds no credential for a lookalike domain, and any assertion produced on the wrong origin fails verification at the real service. Organizations that deploy hardware keys can still measure credential submission rates, because employees may still type a password into a fake page, but the harvested password alone does not let the attacker complete the login. The security key effectively separates the measurement problem (how many employees would submit credentials) from the operational risk problem (how many employees actually compromise their accounts).
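To make the origin binding described above concrete, here is an added example, not code from the original post or from any authenticator vendor, that models the relevant WebAuthn pieces and runs the AitM scenario against them. RP_ID, the two origins and the challenge are constructed, and an HMAC keyed with a per-credential secret stands in for the ECDSA signature a real key produces; the checks the relying party performs (challenge, origin, rpIdHash, signature over authenticator data plus the hash of client data) are the ones the WebAuthn specification requires.

```python
"""Added example, not code from the original post or any vendor: a minimal model
of the WebAuthn checks that make a FIDO2 assertion useless to an AitM proxy.
RP_ID, the origins and the challenge are constructed; an HMAC keyed with a
per-credential secret stands in for the key's ECDSA signature (a simplification)."""
import hashlib
import hmac
import json
import secrets

RP_ID = "login.example.com"                      # constructed relying-party ID
EXPECTED_ORIGIN = "https://login.example.com"    # constructed legitimate origin
PHISH_ORIGIN = "https://login.example-com.evil"  # constructed AitM proxy origin


class Authenticator:
    """Stand-in for a hardware key: one credential per rpId, usable nowhere else."""

    def __init__(self):
        self._creds = {}

    def register(self, rp_id):
        cred_id, key = secrets.token_bytes(16), secrets.token_bytes(32)
        self._creds[rp_id] = (cred_id, key)
        return cred_id, key   # the RP stores these (a public key in real WebAuthn)

    def get_assertion(self, rp_id, client_data_hash):
        if rp_id not in self._creds:
            return None       # no credential scoped to this rpId: nothing to sign
        cred_id, key = self._creds[rp_id]
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01"  # rpIdHash || flags
        sig = hmac.new(key, auth_data + client_data_hash, hashlib.sha256).digest()
        return cred_id, auth_data, sig


def browser_get(authenticator, page_origin, challenge):
    """The browser, not the page, writes the origin into clientDataJSON and
    derives rpId from the page's own host; a phishing page cannot claim another."""
    rp_id = page_origin.split("://", 1)[1].split("/")[0]
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}, separators=(",", ":")).encode()
    result = authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    if result is None:
        return None
    cred_id, auth_data, sig = result
    return {"credential_id": cred_id, "client_data": client_data,
            "authenticator_data": auth_data, "signature": sig}


def rp_verify(assertion, challenge, registered):
    """Relying-party verification: challenge, origin and rpIdHash are all under
    the signature, so a proxy can neither reuse nor edit an assertion."""
    if assertion is None:
        return False, "no assertion: the key holds no credential for that site"
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False, "challenge mismatch (replay) or wrong ceremony type"
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, f"origin {cd.get('origin')!r} is not {EXPECTED_ORIGIN!r}"
    if assertion["authenticator_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    key = registered.get(assertion["credential_id"])
    if key is None:
        return False, "unknown credential"
    signed = assertion["authenticator_data"] + hashlib.sha256(assertion["client_data"]).digest()
    if not hmac.compare_digest(hmac.new(key, signed, hashlib.sha256).digest(),
                               assertion["signature"]):
        return False, "bad signature"
    return True, "ok"


def run_scenarios():
    """Legitimate login, the same login through an AitM proxy, a replay of a
    captured assertion, and a captured assertion with its challenge edited."""
    key_device = Authenticator()
    cred_id, key = key_device.register(RP_ID)
    registered = {cred_id: key}
    challenge = secrets.token_hex(16)
    results = {}
    real = browser_get(key_device, EXPECTED_ORIGIN, challenge)
    results["legitimate"] = rp_verify(real, challenge, registered)
    # Same employee, same key, same challenge, but the page is the proxy's domain.
    results["aitm_proxy"] = rp_verify(browser_get(key_device, PHISH_ORIGIN, challenge),
                                      challenge, registered)
    # A captured real assertion replayed against a fresh challenge.
    fresh = secrets.token_hex(16)
    results["replay"] = rp_verify(real, fresh, registered)
    # Attacker edits the captured client data so the challenge matches the fresh one.
    forged = dict(real, client_data=real["client_data"].replace(
        challenge.encode(), fresh.encode()))
    results["edited_challenge"] = rp_verify(forged, fresh, registered)
    return results


if __name__ == "__main__":
    for name, (ok, why) in run_scenarios().items():
        print(f"{name:17} {'PASS' if ok else 'FAIL'}  {why}")
```

The AitM scenario fails before anything is signed: the browser derives rpId from the proxy's own host, the key has no credential for it, and the proxy gets nothing to relay. The two capture scenarios show why a stolen assertion is not a usable substitute for a password either: it is tied to one challenge, and editing the client data breaks the signature.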
Using Credential Submission Benchmarks to Improve Training
Understanding your organization's credential submission rate relative to click rate and relative to industry benchmarks informs several specific training design decisions.
If your credential submission rate closely tracks your click rate (a submission-to-click ratio above 75 percent), the training opportunity is teaching login page verification behaviors. Employees who click are proceeding to submit credentials without applying scrutiny to the page that appears. Training that teaches URL checking and password manager use, and that teaches employees to treat a password manager that declines to autofill as a stop signal, can create meaningful separation between clicking and credential submission.
If your credential submission rate is substantially below your click rate—showing a submission-to-click ratio below 60 percent—your training is already producing login page verification behavior. The opportunity is reinforcing and expanding that existing success. Understanding what verification behaviors are working allows training to amplify them.
If your credential submission rate varies significantly by department or role—with some groups showing submission-to-click ratios of 50 percent and others showing 85 percent—the strategic question is whether that variation represents different operating constraints or different training effectiveness. Role-based analysis often reveals that elevated submission rates in specific departments reflect lack of targeted training rather than inevitability.
If your credential submission rate is elevated for specific platforms—showing high submission rates on Microsoft 365 spoofs but lower rates on other platform spoofs—the training opportunity is platform-specific verification training. Teaching employees how to verify Microsoft 365 login authenticity specifically, rather than teaching generic login verification, produces faster improvement.
In all cases, credential submission rate should be measured separately from click rate and reported as a distinct metric. Organizations that only measure and report clicks significantly underestimate the effectiveness of training that teaches login page recognition. Organizations that measure both metrics can distinguish between training that reduces clicking and training that reduces credential submission—and can optimize for the behavior that matters more.
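The framework above amounts to a small calculation that most simulation platforms do not export directly. The following is an added example, not code from the original post or from PhishSkill, that takes per-recipient simulation outcomes, computes click rate, credential submission rate and the submission-to-click ratio per department and per spoofed platform, and applies the 75 percent and 60 percent thresholds from this section. The counts, department names and field names are constructed; the minimum-click floor is an assumption added so that a ratio computed from a handful of clicks is not mistaken for a signal.

```python
"""Added example (not from the original post): turning per-recipient simulation
outcomes into click rate, credential submission rate and the submission-to-click
ratio, broken out by department and by spoofed platform, with the post's
thresholds applied. The counts, names and MIN_CLICKS floor are constructed."""
from collections import defaultdict

# Constructed sample: (department, spoofed platform) -> (sent, clicked, submitted).
SAMPLE = {
    ("clinical", "ehr"):  (200, 60, 50),
    ("clinical", "m365"): (200, 56, 30),
    ("admin", "ehr"):     (100, 24, 14),
    ("admin", "m365"):    (100, 22, 10),
    ("it", "m365"):       (50, 6, 2),
}
MIN_CLICKS = 20   # assumption: below this, a ratio is noise rather than a signal


def expand(sample):
    """Produce one record per recipient, as a simulation platform would export."""
    events = []
    for (dept, platform), (sent, clicked, submitted) in sample.items():
        if not 0 <= submitted <= clicked <= sent:
            raise ValueError(f"inconsistent counts for {dept}/{platform}")
        for i in range(sent):
            events.append({"dept": dept, "platform": platform,
                           "clicked": i < clicked, "submitted": i < submitted})
    return events


def rates(events):
    """Click rate and submission rate over sent; ratio over clicks."""
    if any(e["submitted"] and not e["clicked"] for e in events):
        raise ValueError("submission recorded without a click: check tracking")
    sent = len(events)
    clicked = sum(e["clicked"] for e in events)
    submitted = sum(e["submitted"] for e in events)
    return {"sent": sent, "clicked": clicked, "submitted": submitted,
            "click_rate": clicked / sent, "submission_rate": submitted / sent,
            "submission_to_click": submitted / clicked if clicked else 0.0}


def action(r):
    """The post's decision rule: ratio above 0.75 means clickers are not
    scrutinizing login pages; below 0.60 means verification is working."""
    if r["clicked"] < MIN_CLICKS:
        return "insufficient clicks to judge; pool with other groups or campaigns"
    ratio = r["submission_to_click"]
    if ratio > 0.75:
        return "teach login-page verification"
    if ratio < 0.60:
        return "reinforce existing verification behaviour"
    return "no clear signal; segment further by role or platform"


def _with_action(events):
    r = rates(events)
    return dict(r, action=action(r))


def analyze(events):
    """Rates plus recommended action overall, per department and per platform."""
    out = {"overall": _with_action(events)}
    for key in ("dept", "platform"):
        groups = defaultdict(list)
        for e in events:
            groups[e[key]].append(e)
        out[key] = {g: _with_action(v) for g, v in groups.items()}
    return out


if __name__ == "__main__":
    report = analyze(expand(SAMPLE))
    for scope in ("dept", "platform"):
        for name, r in report[scope].items():
            print(f"{scope}={name:9} click {r['click_rate']:.0%}  "
                  f"submit {r['submission_rate']:.0%}  "
                  f"ratio {r['submission_to_click']:.2f}  -> {r['action']}")
```

On the constructed sample the EHR spoof lands above the 75 percent line while the Microsoft 365 spoof sits at 50 percent, which is the platform-specific signal the section describes, and the IT group is flagged as too small to judge on its own. The consistency check in rates() matters in practice: a submission recorded without a click usually means a security tool, not an employee, visited the page.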
PhishSkill measures credential submission rates separately from click rates in every simulation, revealing whether your training teaches employees to recognize fake login pages or only to avoid clicking links, because the difference between clicking and credential submission is the difference between temporary risk and actual account compromise.
Related Reading
Credential harvesting is how phishing becomes account takeover. For the broader context of how attackers use harvested credentials, see Dark Web Credential Exposure. For the defenses that stop credential harvesting even when employees click, read MFA Is Not Enough. To understand how credential submission rates fit into social engineering measurement, see Phishing Resilience Score.