- Mirror the legitimate service's login page
- Use HTTPS (free certificates from Let's Encrypt)
- Capture credentials and log access
- Redirect to the legitimate service after credential capture (reducing suspicion)
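
For defenders, the capture-then-redirect step listed above leaves a trace in web proxy logs: a POST to an unfamiliar host, followed seconds later by a request to the real login page. The detection sketch below is an added example, not part of the original page. The log layout, `LEGIT_LOGIN_HOST`, the 30-second window and all hostnames are constructed assumptions.

```python
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Assumptions (not from the original page): the legitimate login host and
# the proxy log layout "timestamp user method url status referer".
LEGIT_LOGIN_HOST = "login.example.com"
WINDOW = timedelta(seconds=30)

# Constructed sample proxy log lines.
SAMPLE_LOG = """\
2024-05-01T09:00:01 alice GET https://login.example.com/signin 200 -
2024-05-01T09:00:09 alice POST https://login.example.com/signin 302 https://login.example.com/signin
2024-05-01T09:14:30 bob GET https://login-example.test/signin 200 -
2024-05-01T09:14:41 bob POST https://login-example.test/signin 302 https://login-example.test/signin
2024-05-01T09:14:42 bob GET https://login.example.com/signin 200 https://login-example.test/signin
2024-05-01T09:20:00 carol POST https://forms.example.org/survey 200 https://forms.example.org/
"""

def parse(line):
    ts, user, method, url, status, referer = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "method": method,
            "host": urlsplit(url).hostname, "status": int(status),
            "ref_host": urlsplit(referer).hostname if referer != "-" else None}

def find_capture_then_redirect(log_text):
    """Flag users whose POST to a non-legitimate host is followed within
    WINDOW by a request to the real login host."""
    last_post = {}   # user -> (timestamp, host) of latest off-site POST
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        if e["method"] == "POST" and e["host"] != LEGIT_LOGIN_HOST:
            last_post[e["user"]] = (e["ts"], e["host"])
        elif e["host"] == LEGIT_LOGIN_HOST and e["user"] in last_post:
            ts, host = last_post.pop(e["user"])
            # A Referer match is stronger evidence, but referrers can be
            # suppressed, so timing alone still produces a finding.
            if e["ts"] - ts <= WINDOW:
                findings.append({"user": e["user"], "suspect_host": host,
                                 "referer_match": e["ref_host"] == host})
    return findings

if __name__ == "__main__":
    for finding in find_capture_then_redirect(SAMPLE_LOG):
        print(finding)
```

A finding is a lead for triage, not a verdict: legitimate single sign-on flows also POST off-site and then land on the login host, so known identity-provider hosts would need an allowlist.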