Email Security Blog

Credential Harvesting: Virtually Hijacking Your Employee’s Credentials

Bank robbers have to meticulously plan the perfect get-away. Burglars need to be careful that their DNA is not left at the scene of the crime. Car thieves must constantly dodge security cameras to avoid getting caught. Cybercriminals, on the other hand, must live relatively stress-free lives, considering their biggest worry is whether or not you’ll type in your password.

It’s called credential harvesting and it’s largely considered the foundation of email phishing. If you think about it, the easiest way for anyone to get into your secure files is by simply using your password. And these days, many of us have a single sign-on (a.k.a. one password) that provides access to the bulk of our personal and company files.

Consider these terrifying password statistics:[1]

  • 50% of people use the same password for all their logins.
  • The most common password in the world is “123456”.
  • The average password is eight characters or less in length.
  • Only 31.3% of internet users update their passwords once or twice a year.
  • 90 out of 10 passwords are vulnerable to attack.

Are you wondering how credential harvesting works?

Here are the basic steps:

  1. The hacker sends a phishing email.
    In many cases, fear is used as a distracting motivator and the topic is something that the reader can relate to. Subjects might include an unpaid parking ticket, an invoice that’s past due, or how to access money that’s coming to you. Regardless, the sender will generally go to some lengths to make the email seem legitimate. Expect to see logos and important titles. There may also be a deadline in the message since we’re more apt to act without thinking if we’re rushed.
  2. You’re encouraged to click on a link and perform a task.
    As mentioned above, you’re encouraged to act quickly in order to resolve some sort of issue. Honestly, this would be a good place to stop and reread the email. Since many credential harvesting schemes originate outside the U.S., chances are the phishing email has a number of flaws, including grammatical and spelling errors.
  3. The link takes you to a web page.
    Much like the phishing email, the web page will look legitimate. The truth is, however, that one of the first steps a hacker has to take to set up these elaborate phishing schemes is to make a replica of a real website to draw you in even further. Unfortunately, behind what looks like a legitimate site lurk a disguised IP address and the hacker’s server, which detects and captures any secure information you type into the password fields.
  4. You’re tricked into entering your email address and password.
    You’ll likely see a short message and be encouraged to sign in using your cloud-based company email address and password.
  5. The hacker retrieves your password from his server.
    The webpage might be a clone of something legitimate, but the back end of it is set to send information right to the hacker.
  6. The hacker exploits your harvested credentials.
    Once they have them, cybercriminals can use your harvested credentials in a number of ways including gaining access to anything from bank records to employer files and using your email to deceive those close to you into surrendering important company data or banking access. Or, your credentials can be sold on the dark web.

Now, if you think credential harvesting couldn’t happen to you, consider the fact that a business falls victim to a ransomware attack every eleven seconds.[1] This is especially true in the U.S., which has millions more reported cybercrimes than any other country.[2] In 2021 alone, the FBI reported $6.9 billion in losses, with phishing attacks being the top culprit.[2]

It might even make you wonder where these cybercriminals are coming from. Well, sadly, becoming a hacker or cyber thief is easier than you think. In fact, there are plenty of blog posts and online videos that attempt to teach the average Joe how to set up their own successful credential harvesting scheme. That alone should tell you two things. First, more people than you realize (at all skill levels) could be attempting this type of email phishing scheme. Second, you should take steps now to protect yourself, your employees, and your company. The best way to start is by using two-factor authentication for your logins. Also consider the many benefits of hiring a third-party email security expert to uncover these types of credential harvesting threats before they wreak havoc on your business.

INKY can protect you from becoming a victim of credential harvesting. A cloud-based email security platform, INKY proactively and instantly scans inbound, internal, and outbound emails to eliminate phishing and malware. INKY's patented technology sanitizes all emails, detects foul play, disarms phishing emails, and reconstructs each email using safe and standard HTML5. From there, INKY’s Email Assistant injects a user-friendly HTML banner with one or more of nearly 60 warning messages to educate the recipient with specifics of the threat. With INKY, you can even report a phishing email with a click, from any device or email client. Request a demo of INKY today.

Learn more about credential harvesting and see how INKY caught an attempted harvester posing as the Department of Justice: Read INKY's Special Report on Credential Harvesting.


INKY is an award-winning, cloud-based email security solution developed to proactively eliminate phishing emails and malware while simultaneously providing real-time assistance to employees handling suspicious emails so they can make safer decisions. INKY’s patented technology incorporates sophisticated computer vision, machine learning models, social profiling, and stylometry algorithms to effectively sanitize emails, rewrite malicious links, detect and block security threats, mitigate sender impersonation, and more. Cost-effective and powerful, the INKY platform was developed for mobile-first IT organizations and works seamlessly on any device, operating system, and mail client. Learn more about INKY™ or request an online demonstration today.