their email address is checked against the attacker’s database, via JavaScript-based validation scripts on the page, before the fraudulent credential stealing login form is displayed.