What is credential harvesting?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Credential harvesting is when an attacker tricks you into typing your username and password into a fake login page that looks exactly like the real one. The goal is simple: steal your credentials so they can access your actual account later.
Here's how it works in email. You get a message that looks like it's from your bank, your email provider, or a service you use every day. The email says your account is locked, or there's suspicious activity, or you need to verify your payment method. You click the link, land on a login page that looks legitimate (same logo, same colors, same layout), and type in your username and password. Except that page isn't real. It's a copy. The attacker now has your credentials.
Why credential harvesting works so well: it doesn't require technical skill to bypass security. The attacker doesn't crack passwords or exploit server vulnerabilities. They just build a convincing fake and wait for someone to hand over their login.
Common tactics attackers use: fake login pages hosted on lookalike domains ("rnyemail.com" instead of "myemail.com"), URL shorteners that hide the real destination, urgent subject lines that bypass skepticism ("Your account will be suspended in 24 hours"), and mobile targeting (because phone screens make it harder to spot fake URLs).
The strongest defense is Multi-Factor Authentication (MFA). Even if an attacker steals your password through a fake page, they can't log in without the second factor (usually a code sent to your phone or generated by an authenticator app). MFA doesn't stop the harvesting attempt, but it makes the stolen password useless. Now if you're a sender, credential harvesting matters because attackers target YOUR users. When they harvest credentials for your service, they can impersonate real users, send spam from compromised accounts, and damage your domain reputation. Educating your users about fake login pages is part of protecting your sending infrastructure.
Mailbox providers fight credential harvesting with phishing detection filters that scan for fake login pages, URL reputation checks that flag known harvesting domains, and user warnings when an email contains suspicious links. But user education is still the biggest defense. If someone doesn't click, the attack fails.
Want to see how vulnerable your domain is to impersonation? Our free Blocklist Checker can tell you if your domain is already flagged for phishing or spoofing. And if you're building login flows or password reset emails, worth reading how to design them so they don't accidentally train users to click on fake pages.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.