Credential Harvesting

Credential harvesting is a strategy used by cybercriminals to gain access to device usernames and passwords, among other things. Also known as credential phishing, it involves creating fake websites designed to trick unsuspecting users into believing the sites are legitimate, so that they unwittingly reveal their real credentials to the attackers.

Examples of credential harvesting

  • Phishing emails: Credential harvesting can come in the form of emails made to appear trustworthy or to come from a legitimate source. The victim, believing the email is from a trusted source such as their bank, can end up revealing their login details.
  • Harmful mobile applications: Cybercriminals will often design harmful copies of popular applications. Victims download these apps and enter their legitimate credentials, exposing them to the attacker.

Attacks that resemble credential harvesting

Credential harvesting operates similarly to some other privacy attacks but should not be confused with them. For example, identity theft is closely related to credential harvesting. But while identity theft aims to steal sensitive data in order to impersonate the victim, credential harvesting simply refers to the process of retrieving that sensitive data.

Pros and cons of credential harvesting

To state it clearly, there are no legitimate or ethical advantages to credential harvesting, but we must investigate the disadvantages. In doing so, we can understand the attack from the victim’s point of view.


  • Privacy breach: Credential harvesting results in data theft, and the stolen data can then be used to compromise a user’s privacy.
  • Financial loss: If the stolen data is banking information like debit or credit card information, the attack can cause the victim significant financial loss.
  • Identity theft: The data from credential harvesting can be used to impersonate the victim and carry out illegal activities in their name.

How to prevent credential harvesting

  • Exercise caution when you encounter any form of unsolicited message requesting your credentials.
  • Set up multi-factor authentication (MFA) on every account and device.
  • Frequently change your passwords, or better still, use a password manager to generate complex passwords and store them.