What is credential harvesting?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Credential harvesting is when an attacker tricks you into typing your username and password into a fake login page that looks exactly like the real one. The goal is simple: steal your credentials so they can access your actual account later.

Here's how it works in email. You get a message that looks like it's from your bank, your email provider, or a service you use every day. The email says your account is locked, or there's suspicious activity, or you need to verify your payment method. You click the link, land on a login page that looks legitimate (same logo, same colors, same layout), and type in your username and password. Except that page isn't real. It's a copy. The attacker now has your credentials.

Why credential harvesting works so well: it doesn't require technical skill to bypass security. The attacker doesn't crack passwords or exploit server vulnerabilities. They just build a convincing fake and wait for someone to hand over their login.

Common tactics attackers use: fake login pages hosted on lookalike domains ("rnyemail.com" instead of "myemail.com"), URL shorteners that hide the real destination, urgent subject lines that bypass skepticism ("Your account will be suspended in 24 hours"), and mobile targeting (because phone screens make it harder to spot fake URLs).

The strongest defense is Multi-Factor Authentication (MFA). Even if an attacker steals your password through a fake page, they can't log in without the second factor (usually a code sent to your phone or generated by an authenticator app). MFA doesn't stop the harvesting attempt, but it makes the stolen password useless. Now if you're a sender, credential harvesting matters because attackers target YOUR users. When they harvest credentials for your service, they can impersonate real users, send spam from compromised accounts, and damage your domain reputation. Educating your users about fake login pages is part of protecting your sending infrastructure.

Mailbox providers fight credential harvesting with phishing detection filters that scan for fake login pages, URL reputation checks that flag known harvesting domains, and user warnings when an email contains suspicious links. But user education is still the biggest defense. If someone doesn't click, the attack fails.

Want to see how vulnerable your domain is to impersonation? Our free Blocklist Checker can tell you if your domain is already flagged for phishing or spoofing. And if you're building login flows or password reset emails, worth reading how to design them so they don't accidentally train users to click on fake pages.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get tailored advice for YOUR setup

I read this on the Email Almanac about credential harvesting: "Credential harvesting is when an attacker tricks you into typing your username and password into a fake login page. The attacker doesn't crack passwords or exploit servers. They just build a convincing fake and wait for someone to hand over their login. The strongest defense is Multi-Factor Authentication (MFA). Even if an attacker steals your password, they can't log in without the second factor." Help me understand how this applies to MY situation. I need: 1. How credential harvesting attacks target my users or domain 2. What I can configure to reduce risk (MFA, phishing filters, user education) 3. How to design login flows and password reset emails that don't accidentally train users to trust fake pages 4. What to monitor for signs of compromised accounts (unusual login locations, spam sent from real accounts) My details: - Email platform/ESP: e.g. Mailchimp, SendGrid, custom auth system - Do you send login links or password resets?: yes/no - Current MFA setup: required, optional, none - User base size: 100 users, 10k users, etc. - What prompted this: saw phishing attempt, building login system, user got hacked

Edit the yellow boxes, then send to the AI of your choice.