
May 07, 2026 · 10 min read

Cifas Just Found That 13% of UK Workers Will Sell Their Company Logins—and the More Senior the Employee, the More Acceptable They Think It Is

A new Cifas Workplace Fraud Trends survey says 1 in 8 UK employees has sold a corporate login or knows someone who did. Among C-suite executives, 43% think it is fine. Among business owners, the number is 81%.

On May 5, the UK fraud-prevention not-for-profit Cifas published the first edition of its Workplace Fraud Trends report dedicated to internal credential sales. The headline number is striking on its own: 13% of employees admit to selling a company login to a former colleague, or to knowing someone who has, in the last twelve months. The deeper finding, the one that should make security leaders rethink their threat model, is that tolerance for the behavior climbs steeply with seniority.

Among ordinary employees, 13% say selling a corporate login is justifiable. Among senior managers, the number jumps to 32%. Among directors, 36%. Among C-suite executives, 43%. Among business owners, 81%. The people with the most authority to enforce access controls are also the ones most likely to dismiss the controls as a formality.

Rachael Tiffen, Cifas's director of learning, did not soften the framing. "Selling login details might seem insignificant to those involved," she said in the report's launch statement, "but it can open the door to serious fraud." Joby Carpenter, an anti-money-laundering specialist at ACAMS who reviewed the dataset, called the findings "an unsettling reality": not because the percentage is huge, but because it represents a meaningful minority for whom the act is no longer "beyond the line."


What "1 in 8" Actually Means at Scale

The 13% figure can be read in two ways. The conservative reading is that the employees who answered yes were saying they personally know somebody who sold a credential — not that they did it themselves. The aggressive reading is that survey respondents are systematically under-reporting their own conduct, so 13% is the floor.

Either way, Cifas's own scale calculation is the one to anchor on. In a company of 1,000 employees, around 130 people are within one degree of separation from a credential sale in the last year. That is not an isolated bad-actor problem. That is a baseline rate present in almost every UK workplace of meaningful size.

The mechanism is rarely a deliberate insider threat in the cinematic sense. More often it is a former employee who still has the password to a shared mailbox, a Salesforce account, or a vendor portal, and who is approached by somebody, sometimes an ex-colleague, sometimes a stranger on a forum, willing to pay a few hundred pounds for ongoing access. That is enough to fund a small phishing operation against the company's customers, or to surface in the credential dumps that infostealer markets like Storm and DarkCloud resell at scale.

Why Senior Employees Are More Permissive

The Cifas seniority gradient is the most uncomfortable finding in the report. The share of executives who view credential sales as justifiable is more than three times the share among rank-and-file workers. The report does not interview executives to explain why, but the survey allows two readings.

The first reading is that senior employees rationalize their own past behavior more permissively. People who have personally shared a login with a contractor, an EA, or a co-founder are likely to view the act through the lens of how they justified it at the time. On this reading the seniority correlation is an exposure effect: more years and more roles mean more occasions to share a credential, and more cumulative occasions to talk yourself into doing so.

The second reading is structural. Senior employees often hold credentials that effectively double as administrative tools — the founder's email, the CFO's accounting login, the CEO's Slack token. Those credentials are routinely shared with assistants and consultants in workflows that make the formal access policy look like a fiction. Once the de facto sharing is normalized, the moral distinction between "sharing" and "selling" becomes a matter of who paid whom, not whether the act crossed a real line.

For business owners, the 81% figure suggests something even simpler: when you own the company, you do not see selling your own login as an external threat. The data is your data and the system is your system. The insider threat model assumes a separation between the person and the asset that does not exist when one person owns both.

The Email Mailbox Is the High Value Credential

Not every credential is worth the same money on a forum. The ones that consistently sell are the ones that produce the most ongoing value with the least friction. Email accounts are the apex of that list, for three reasons.

First, an email account is a master key. Almost every other corporate system uses email as the password reset destination. A buyer who acquires a Microsoft 365 or Google Workspace mailbox can pivot into Slack, Salesforce, billing systems, and HR platforms without needing additional credentials. The buyer pays once and gets a tree of access.

Second, the access stays useful for months. A password reset is visible to the user; a quiet mailbox forwarding rule is not. Once a buyer logs in, creates an inbox rule that silently forwards every incoming invoice or payroll notification to an external address, and logs out, the operation runs unattended until someone finds the rule. Current mailbox compromise investigations report such rules surviving an average of forty to seventy days before discovery.

Third, mailbox access is the input to the most lucrative downstream fraud — business email compromise. The FBI's most recent annual fraud report puts BEC losses at over $2.7 billion in the United States alone. The buyer of a sold credential does not need to be the BEC operator. They just need to resell the access to one. The TrustNFT email fraud study put the broader email fraud cost to the U.S. economy at $22 billion last year, with most of it never reported.

Why MFA Does Not Solve This

A common reaction to the Cifas finding is to assume multi factor authentication closes the gap — a sold password is useless without the second factor. The reality is more complicated.

A current employee who wants to sell their credential can hand over the password and approve the MFA prompt at the same time. That is not hypothetical: push-based MFA is routinely defeated by getting the legitimate user to approve the prompt, and here the user is a willing participant. The attacker is no longer trying to defeat MFA, just to be present when it fires.

Worse, the credential being sold is increasingly not a password at all but a session cookie or refresh token lifted from the user's own browser or token cache. A stolen Microsoft 365 refresh token gives the buyer mailbox access until it expires or is explicitly revoked, and redeeming it for fresh access tokens does not repeat the MFA challenge the original sign-in passed, because the MFA claim travels with the token. The Storm infostealer family and similar tools turn this into a high-volume process. A cooperative employee who runs a "tool" the buyer sends them is essentially pre-authenticating the session for resale.

For employers, this means the operational answer is not "more MFA." It is shorter effective session lifetimes (in Entra, the Conditional Access sign-in frequency control rather than a token-lifetime policy), conditional access that binds sessions to a managed device and, where practical, a known network, and prompt token revocation on any sign of credential change.

What Employers Should Be Doing

The Cifas report stops short of prescriptive recommendations beyond training and "access governance." Drawing from the report and from current incident response patterns, six controls map directly onto the threat the survey describes.

  • Tie sessions to device posture. Microsoft Entra and Okta both support conditional access that requires sessions to come from a managed, compliant device. A sold credential used from an unfamiliar device fails the policy automatically. The remaining gap is a current employee who runs the buyer's sessions from their own enrolled device; the monitoring controls below are for that case.
  • Shorten effective session lifetimes. The default Microsoft 365 refresh token lifetime of 90 days is generous for an attacker. Entra no longer lets you shorten it directly; the equivalent lever is a Conditional Access sign-in frequency policy, and forcing reauthentication every 24 hours dramatically narrows the window of useful resale.
  • Force token revocation on offboarding. Most leavers' accounts get disabled, but tokens already issued can still be presented until they expire or are revoked, and an access token stays valid for its full lifetime (about an hour by default) unless the service honors Continuous Access Evaluation. Explicit revocation is a separate step: Revoke-MgUserSignInSession or the "Revoke sessions" action on the user in the Entra admin center, and the equivalent sign-out action on the user in the Google Workspace admin console.
  • Monitor for impossible travel and concurrent sessions. A sold credential is often used from a location the original employee never signs in from, sometimes while the employee's own session is still active. Standard SIEM rules detect this; they are usually too noisy in default settings, but tuned thresholds (a realistic maximum speed, plus an allow-list for the company's VPN egress points) remain effective.
  • Audit mailbox forwarding rules weekly. The single most common indicator of a compromised mailbox in the wild is an inbox rule forwarding or redirecting to an external address. Microsoft 365 ships an alert policy for the creation of forwarding and redirect rules; confirming it is enabled and routed to someone who reads it takes ten minutes.
  • Eliminate shared accounts. The credential most likely to be quietly resold is a shared one: a generic finance@ mailbox, a marketing CMS login, a Salesforce admin account. Nobody owns it, so nobody notices when it leaks. Replacing shared accounts with named individual logins everywhere (shared mailboxes with delegated access rather than a shared password) removes the easy resell category.
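The forwarding-rule mechanism from the email section and the two monitoring controls above are easiest to see as detection logic. What follows is an added example written for this article, not Cifas's tooling or any vendor's code. It runs both checks over constructed sample data: a rule list shaped like an inbox-rule export (the field names are an assumption that mirrors the Get-InboxRule properties ForwardTo, RedirectTo and DeleteMessage) and a handful of sign-in events with coordinates. The example.com tenant domain, the 900 km/h speed threshold and the "hidden rule name" heuristic are assumptions. It goes slightly beyond the text by treating two near-simultaneous sessions from different countries as the limiting case of impossible travel, so one rule covers both indicators.

```python
"""Indicator sweep for a resold mailbox credential: external inbox-forwarding
rules and impossible-travel / concurrent sign-ins.

Added example for this article; not Cifas's survey tooling or any vendor's code.
The rule list and sign-in events below are constructed sample data shaped like an
Exchange inbox-rule export and an Entra sign-in log, not real exports.
"""
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Assumption: the tenant's accepted (internal) mail domains.
INTERNAL_DOMAINS = {"example.com"}

# Constructed inbox-rule export. Field names are an assumption chosen to mirror
# the Get-InboxRule properties ForwardTo / RedirectTo / DeleteMessage.
INBOX_RULES = [
    {"mailbox": "finance@example.com", "name": "Invoices to AP", "enabled": True,
     "forward_to": ["ap@example.com"], "redirect_to": [], "delete": False},
    {"mailbox": "cfo@example.com", "name": ".", "enabled": True,
     "forward_to": [], "redirect_to": ["inbox-4471@relay.example.net"], "delete": True},
    {"mailbox": "pat@example.com", "name": "Newsletters", "enabled": True,
     "forward_to": [], "redirect_to": [], "delete": False},
]

# Constructed sign-in events: (user, UTC time, city, lat, lon, result).
SIGN_INS = [
    ("alice@example.com", "2026-05-05T08:02:00Z", "London", 51.5074, -0.1278, "success"),
    ("alice@example.com", "2026-05-05T09:15:00Z", "Manchester", 53.4808, -2.2426, "success"),
    ("alice@example.com", "2026-05-05T09:40:00Z", "Lagos", 6.5244, 3.3792, "success"),
    ("bob@example.com", "2026-05-05T08:00:00Z", "London", 51.5074, -0.1278, "success"),
    ("bob@example.com", "2026-05-05T17:00:00Z", "London", 51.5074, -0.1278, "success"),
    ("carol@example.com", "2026-05-05T10:00:00Z", "Dublin", 53.3498, -6.2603, "success"),
    ("carol@example.com", "2026-05-05T10:01:00Z", "Singapore", 1.3521, 103.8198, "failure"),
    ("carol@example.com", "2026-05-05T10:03:00Z", "Singapore", 1.3521, 103.8198, "success"),
]


def is_external(address: str) -> bool:
    """True when the address's domain is not one of the tenant's own domains."""
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS


def suspicious_rules(rules):
    """Flag enabled rules that push mail outside the tenant.

    A forward or redirect to an external address is the core indicator; deleting
    the original and a near-empty rule name (".", "..") are the hiding tricks
    that usually accompany it, so they are recorded as extra reasons.
    """
    findings = []
    for rule in rules:
        if not rule["enabled"]:
            continue
        external = [t for t in rule["forward_to"] + rule["redirect_to"] if is_external(t)]
        if not external:
            continue
        reasons = ["external forward"]
        if rule["delete"]:
            reasons.append("deletes original")
        if not rule["name"].strip(". -_"):
            reasons.append("hidden rule name")
        findings.append({"mailbox": rule["mailbox"], "rule": rule["name"],
                         "targets": external, "reasons": reasons})
    return findings


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance in kilometres (mean Earth radius 6371 km)."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = p2 - p1, radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh: float = 900.0):
    """Pair each user's consecutive successful sign-ins and flag any pair whose
    implied speed exceeds max_kmh (assumed threshold, roughly airliner speed).
    Two sessions minutes apart from different countries, the concurrent-session
    case, is just the limit of this test. Failed attempts are ignored: a wrong
    password proves nothing about where the holder is."""
    by_user = {}
    for user, ts, city, lat, lon, result in events:
        if result == "success":
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            by_user.setdefault(user, []).append((when, city, lat, lon))
    findings = []
    for user, logins in by_user.items():
        logins.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(logins, logins[1:]):
            hours = max((t2 - t1).total_seconds() / 3600, 1 / 60)  # floor at one minute
            km = haversine_km(la1, lo1, la2, lo2)
            if km / hours > max_kmh:
                findings.append({"user": user, "from": c1, "to": c2,
                                 "km": round(km), "kmh": round(km / hours)})
    return findings


if __name__ == "__main__":
    for f in suspicious_rules(INBOX_RULES):
        print("RULE  ", f)
    for f in impossible_travel(SIGN_INS):
        print("TRAVEL", f)
```

On real data, feed suspicious_rules the per-mailbox output of Get-InboxRule and impossible_travel the sign-in log's location fields. The London-to-Manchester hop passes because 262 km in 73 minutes is train speed; Manchester-to-Lagos 25 minutes later and Dublin-to-Singapore three minutes apart both fail. Before paging on this, lower max_kmh for populations that never fly and allow-list the company's VPN egress points, or every remote worker becomes an alert.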

What Individuals Should Take Away

For employees and consumers reading this, the Cifas data has implications outside the corporate context too. The same psychological drift that lets one in eight workers shrug at selling a login also lets people share Netflix, banking, and grocery delivery passwords more freely than they should. The credential markets do not distinguish — they buy whatever logs in.

Three habits that close the personal exposure:

  • Treat your primary email like a master key, because it is. Protect it with a 20+ character password generated by a password manager, hardware-key MFA where supported, and a recovery email that is not your main one.
  • Audit who else has the password. Family Netflix is one thing. The same password reused on a former employer's bookkeeping login is the kind of credential that ends up on a forum.
  • Watch the inputs. Tracking pixels in marketing emails feed the behavioral profile that fraud operators use to time their phishing. France's CNIL just gave email marketers a deadline to stop the practice without consent. Closing those signals at the inbox level cuts off the targeting data that makes credential resale operations profitable.

The Bottom Line

For two decades, corporate security has framed insider threats as a deliberate, malicious minority — the disgruntled employee with a cause. The Cifas data describes something different: a permissive culture where credential sales register as a minor inconvenience rather than a betrayal, and where the people most willing to dismiss them are the ones most senior in the org chart. The fix is not catching more individuals. It is shrinking the value of every credential, so that selling one stops being worth the trouble.
