
How Hackers Use Fake Login Pages to Steal Your Credentials

The most common outcome of clicking a phishing link isn't malware — it's a fake login page. A page designed to look exactly like the real thing, waiting for you to type in your username and password. Here's how it works, and how to spot it before it's too late.

What is a fake login page?

A fake login page (also called a "credential harvesting" page) is a web page that mimics a legitimate login screen, your bank, your email, your Microsoft 365, your ATO account, with one purpose: to capture whatever you type into it and send it to the attacker. It is hosted on a domain the attacker controls (or on a legitimate website the attacker has compromised), which is why the address bar, not the look of the page, is what gives it away.

How convincing are they?

Extremely convincing, in many cases. Modern phishing kits (ready-made page templates and back-end scripts sold on criminal markets) clone a site's design pixel for pixel: logo, colours, fonts and layout are identical, usually because the kit simply copies the real page's HTML and images. Even the padlock icon (HTTPS) is normally present. The padlock only means the connection is encrypted; TLS certificates are issued to whoever controls a domain, so an attacker can get a valid certificate for a fraudulent domain in minutes, for free. The padlock tells you nothing about who owns the site.

How to spot a fake login page:

1. Check the URL before you type anything. This is the most important check. The URL in your browser bar is the truth, and the part that matters is the registered domain: the label immediately before the top-level domain (`microsoft` in `microsoft.com`, `example` in `example.com.au`). Everything to the left of it is a subdomain the site owner, or the attacker, can name however they like. Look at it carefully:

  • Is the registered domain the real one? `microsoft.com`, not `microsofft.com` (a typo-squat) and not `microsoft.secure-login.com` (here the registered domain is `secure-login.com`; "microsoft" is just a subdomain the attacker chose)
  • Is there anything in the domain that doesn't belong? Extra words, numbers or hyphens (`microsoft-account-verify.com`), or lookalike characters such as a digit `1` for the letter `l`, or letters from another alphabet
  • Look at the full hostname, not just the start of it. Browsers truncate long URLs, and attackers put the brand name first so it is the part you see; click into the address bar if you need to

2. Don't use email links to log in — ever Get into the habit of logging into important accounts only by typing the URL directly into your browser or using a saved bookmark. If you receive an email saying "log in to your account," close the email and navigate directly.

3. Let your password manager be your canary. Password managers only autofill credentials on the domain the credential was saved for. If you land on `microsofft.com` and your password manager does not offer your Microsoft credentials, that is a signal: it does not recognise the domain as the real Microsoft. The important part is what you do next. Do not "help" the manager by copying the password in by hand; typing it manually on a site the manager refused is exactly what the attacker needs.

4. Look for oddities in the page. Fake pages sometimes have small giveaways: slightly off colours, misaligned logos, error messages that don't make sense, forms that submit but don't redirect correctly. Treat this as a bonus check only: a kit that copies the real page has no oddities at all, so a clean-looking page proves nothing.
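Here is the check from step 1 (and the origin matching that a password manager in step 3 does on your behalf) written out as code. This is an added example, not code from the original post or from any password manager: it pulls the registered domain out of a URL, compares it with the domains you expect to sign in to, and flags the three patterns described above (typo-squats, the brand name used as a subdomain or path on an unrelated domain, and lookalike characters). The expected-domain list and the sample URLs are constructed for the example. It assumes the registered domain is the last two labels of the hostname, or three for a handful of common suffixes such as `com.au`; real code should consult the Public Suffix List instead of that shortcut.

```javascript
// Added example (not part of the original post): the "check the URL" advice
// applied mechanically. Expected domains and sample URLs are constructed.
// Assumption: registrable domain = last two labels, or three for a few common
// second-level suffixes. Production code should use the Public Suffix List.

// Illustrative subset of public suffixes that take an extra label.
const MULTI_LABEL_SUFFIXES = new Set([
  'com.au', 'net.au', 'org.au', 'gov.au', 'co.uk', 'org.uk', 'co.nz',
]);

// The part of the hostname that someone actually registered. Everything to
// the left of it is a subdomain the owner (or the attacker) can name freely.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().replace(/\.$/, '').split('.');
  if (labels.length < 2) return labels.join('.');
  const take = MULTI_LABEL_SUFFIXES.has(labels.slice(-2).join('.')) ? 3 : 2;
  return labels.slice(-take).join('.');
}

// Levenshtein distance, used to catch typo-squats such as "microsofft.com".
function editDistance(a, b) {
  const dp = Array.from({ length: a.length + 1 }, (_, i) => [i]);
  for (let j = 1; j <= b.length; j++) dp[0][j] = j;
  for (let i = 1; i <= a.length; i++) {
    for (let j = 1; j <= b.length; j++) {
      dp[i][j] = Math.min(
        dp[i - 1][j] + 1,
        dp[i][j - 1] + 1,
        dp[i - 1][j - 1] + (a[i - 1] === b[j - 1] ? 0 : 1),
      );
    }
  }
  return dp[a.length][b.length];
}

// Classify a URL against the domains you expect to sign in to.
// verdict: 'ok' | 'suspicious' | 'unknown' | 'invalid'
function checkLoginUrl(urlString, expectedDomains) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return { verdict: 'invalid', registrable: null, reason: 'not a valid URL' };
  }
  const host = url.hostname.toLowerCase(); // IDN labels come back as xn--
  const registrable = registrableDomain(host);

  if (expectedDomains.includes(registrable)) {
    return { verdict: 'ok', registrable, reason: 'registrable domain matches' };
  }
  // Punycoded (xn--) labels are where lookalike characters from another
  // alphabet end up; none of the expected domains use them.
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    return { verdict: 'suspicious', registrable, reason: 'internationalised label; check for lookalike characters' };
  }
  for (const expected of expectedDomains) {
    const brand = expected.split('.')[0];
    // Brand name as a subdomain or path on an unrelated domain, e.g.
    // microsoft.secure-login.com or login.microsoft.com.evil.net
    if (host.includes(brand) || url.pathname.toLowerCase().includes(brand)) {
      return { verdict: 'suspicious', registrable, reason: `mentions "${brand}" but the registered domain is ${registrable}` };
    }
    // Near miss of a real domain: one or two characters changed.
    const distance = editDistance(registrable, expected);
    if (distance <= 2) {
      return { verdict: 'suspicious', registrable, reason: `${distance} character(s) away from ${expected}` };
    }
  }
  return { verdict: 'unknown', registrable, reason: 'not a domain you normally sign in to' };
}

// Constructed sample input, following the patterns described in the post.
const EXPECTED_DOMAINS = ['microsoft.com', 'microsoftonline.com'];
const SAMPLE_URLS = [
  'https://login.microsoft.com/',
  'https://microsofft.com/login',
  'https://microsoft.secure-login.com/',
  'https://login.microsoft.com.account-verify.net/signin',
  'https://accounts.google.com/',
];

function auditUrls(urls = SAMPLE_URLS, expected = EXPECTED_DOMAINS) {
  return urls.map((u) => ({ url: u, ...checkLoginUrl(u, expected) }));
}

for (const result of auditUrls()) {
  console.log(`${result.verdict.padEnd(10)} ${result.url}  (${result.reason})`);
}
```

Only the first sample comes back `ok`; the three phishing-style URLs are flagged for different reasons, and the Google URL is `unknown` because it is simply not on the list. That last verdict is the useful one to notice: an allowlist of the handful of domains you really sign in to is a stronger check than trying to recognise every fake.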

What happens after you submit to a fake page:

Your username and password are posted to a server the attacker controls the moment you click "Sign in". You are then usually redirected to the real site, either with an error message ("incorrect password") or straight to a legitimate page, so that you assume the login simply didn't work and try again. By the time your second attempt succeeds on the real site, the attacker already has working credentials. If you realise you have submitted to a fake page, change that password immediately (and on any other account where you reused it) and tell your IT or security team, so the account can be checked for sign-ins that were not you.

The fix: always verify the URL

Make it a reflex. Before you type any password anywhere, glance at the address bar. Two seconds of habit can save your business.

Learn to spot fake pages and more at Phishbate →

Think you can spot a phish?

Put your knowledge to the test with the Phishbate interactive quiz. It only takes a few minutes.

Take the Quiz →