Email Security Blog

Credential Harvesting: Virtually Hijacking Your Employee’s Credentials

Bank robbers have to meticulously plan the perfect get-away.  Burglars need to be careful their DNA is not left at the scene of the crime.  Car thieves must constantly dodge security cameras to avoid getting caught.  Cybercriminals, on the other hand, must live relatively stress-free lives, considering their biggest worry is whether or not you’ll type in your password.

It’s called credential harvesting and it’s largely considered the foundation of email phishing. If you think about it, the easiest way for anyone to get into your secure files is by simply using your password.  And, for many of us these days, we have a single sign-on (a.k.a one password) that provides access to the bulk of our personal and company files. 

Are you wondering how credential harvesting works?

1. The hacker sends a phishing email.

In many cases, fear is used as a distracting motivator and the topic is something that the reader can relate to. Subjects might include an unpaid parking ticket, an invoice that’s past due, or how to access money that’s coming to you.  Regardless, the sender will generally go to some lengths to make the email seem legitimate.  Expect to see logos and important titles. There may also be a deadline in the message, since we’re more apt to act without thinking if we’re rushed. 

2. You’re encouraged to click on a link and perform a task.

As mentioned above, you’re encouraged to act quickly in order to resolve some sort of issue.  Honestly, this would be a good place to stop and reread the email.  Since many credential harvesting schemes originate outside the U.S., chances are the phishing email has a number of flaws, including grammatical and spelling errors.

3. The link takes you to a web page.

Much like the phishing email, the web page will look legitimate. The truth is, however, that one of the first steps a hacker has to take to set up these elaborate phishing schemes is to make a replica of a real website to draw you in even further.  Unfortunately, behind what looks like a legitimate site, lurks a disguised IP address and the hacker’s server which detects and captures any secure information you type into the password fields.  

4. You’re tricked into entering your email address and password.

You’ll likely see a short message and be encouraged to sign-in using your cloud-based company email address and password.

5. The hacker retrieves your password from his server.

The webpage might be a clone of something legitimate, but the back end of it is set to send information right to the

6. The hacker exploits your harvested credentials.

Once they have them, cybercriminals can use your harvested credentials in a number of ways including gaining access to anything from bank records to employer files, using your email to trick those close to you into surrendering important company data or banking access. Or, your credentials can be sold on the dark web.

Now, if you think credential harvesting couldn’t happen to you, you’ll be surprised to know that there are plenty of blog posts and videos online that attempt to teach the average Joe how to set up their own successful credential harvesting scheme.  That alone should tell you two things — first, that more people than you realize (at all skill levels) could be attempting this type of email phishing scheme.  And, secondly, you should take the steps now to protect yourself, your employees, and your company.  The best way to start, is by using two-factor authentication for your logins, and also consider the many benefits of hiring a third-party email security expert to uncover these types of credential harvesting threats before they wreak havoc on your business.

INKY can protect you from becoming a victim of credential harvesting. A cloud-based email protection software, INKY protects businesses from phishing attacks by blocking spam, malware, credential harvesting, and much more. INKY uses computer vision techniques and machine learning to detect credential harvesting before it gets to your Inbox.  INKY’s email protection software also places user-friendly banners directly into the email, warning and guiding the user's actions.  With INKY, you can even report a phishing email with a click, from any device or email client. Request a demo of INKY today.

Learn more about credential harvesting and see how INKY caught an attempted harvester posing as the Department of Justice: Read INKY's Special Report on Credential Harvesting today.

This blog was updated in April 2022.


INKY® is the emerging hero in the war against phishing. An award-winning cloud-based email security solution, INKY® prevents the most complex phishing threats from disrupting or even immobilizing your company’s day-to-day business operations. Using computer vision, artificial intelligence, and machine learning, INKY® is the smartest investment you can make in the security of your organization. INKY® is a proud winner of the NYCx Cybersecurity Moonshot Challenge and a finalist in the 2020 RSAC Innovation Sandbox Competition. Learn more about INKY® or request an online demonstration today.