How to prevent credential harvesting

Cybercriminals harvest credentials by employing phishing emails, fake websites, and malware to trick individuals into revealing their login information. Once obtained, these credentials can be used for various reasons. 

Understanding credential harvesting

Credential harvesting is stealing login credentials, such as usernames and passwords, typically through deceptive means. In the context of email, cybercriminals use various tactics to trick individuals into revealing their credentials. According to an IBM report, this method is increasingly common, with a 71% year-over-year increase in cyberattacks that used stolen or compromised credentials. Once obtained, these credentials can be used to gain unauthorized access to email accounts, financial information, and other sensitive data, leading to potential data breaches, identity theft, and other malicious activities.

It starts with sending phishing emails that appear to be from legitimate sources, urging recipients to click on malicious links or enter their login information on fake websites. Once obtained, these credentials can be used to gain unauthorized access to email accounts, leading to data breaches, identity theft, and other malicious activities.

Credential harvesting can take the form of cyberattacks that are familiar. These include: 

• Phishing attacks
• Keylogging
• Social engineering
• Man-in-the-middle attacks
• Spear phishing

Ways credential harvesting happens 

Phishing attacks

Phishing is one of the most common methods for harvesting credentials via email. Attackers send emails that appear to be from legitimate and trusted sources, such as banks, social media sites, or even internal company departments. These emails often contain urgent messages that prompt the recipient to click on a link or download an attachment.

How it works:

• The email is designed to look authentic, often using logos, language, and email addresses that closely resemble the legitimate source.
• The email includes links to websites that mimic the legitimate login pages. When the recipient enters their credentials, the information is captured by the attackers.
• The email might warn of a security breach, account suspension, or other urgent matters to create a sense of urgency and prompt immediate action.

Spear phishing

Spear phishing is a more targeted form of phishing where attackers focus on specific individuals or organizations. These emails are personalized with information that makes them appear even more credible and relevant to the recipient.

How it works:

• The email may contain the recipient's name, job title, or other personal information to increase credibility.
• The content of the email is tailored to the recipient’s interests or role within an organization, making it more likely for them to respond.

Keylogging

Keylogging involves installing malicious software on a victim’s device that records keystrokes. It is achieved through email attachments or links that, when clicked, download and install the keylogger.

How it works:

• The email contains an attachment that, once opened, installs keylogging software on the device.
• Clicking on a link in the email directs the user to a website that exploits vulnerabilities in their browser or system to install the keylogger.

Man-in-the-middle (MITM) attacks

MITM attacks involve intercepting communications between a user and a legitimate service. The attack is executed through phishing emails that redirect the user through a malicious proxy server.

How it works:

• The attacker positions themselves between the user and the legitimate service, capturing login credentials as they are entered.
• The phishing email directs the recipient to a proxy server controlled by the attacker, which then forwards the user’s inputs to the legitimate service, making the attack harder to detect.

Social engineering

Social engineering relies on human interaction and psychological manipulation to trick people into divulging their credentials. This can be facilitated through email interactions that build trust over time.

How it works:

• Attackers may engage in email conversations with the victim, posing as a colleague, support staff, or other trusted entity.
• Once trust is established, the attacker asks for credentials directly or sends a link to a fake login page.

How to prevent credential harvesting 

1. Use HIPAA compliant email services: HIPAA compliant email services like Paubox are designed to meet the specific security and privacy requirements set by HIPAA. 

Things to look for in a HIPAA compliant email service:

• Encryption (TLS 1.2 or higher)
• Secure access controls
• Audit trails
• Business associate agreement (BAA)

2. Regular phishing simulations and testing: Conduct regular phishing simulation exercises to test employees' ability to recognize and respond to phishing attempts. Be prepared to provide immediate feedback and additional training for those who fall for simulated phishing emails.

3. Implement anti-phishing browser extensions: Encourage the use of browser extensions that provide real-time warnings of phishing sites and suspicious URLs.

4. Monitor for compromised credentials: Use tools that monitor for the appearance of your organization's credentials on the dark web or other forums where stolen credentials are traded. Organizations should be prepared to promptly change any compromised credentials and investigate the source of the breach.

5. Use secure single sign-on (SSO) solutions: Implement SSO solutions that reduce the need for multiple passwords and simplify secure access to email systems.

6. Automated response to phishing attempts: Set up automated workflows to respond to detected phishing attempts, such as isolating affected email accounts and initiating password resets.

See also: Top 12 HIPAA compliant email services

FAQs

How do phishing emails differ from other types of malicious emails?

Phishing emails specifically aim to deceive recipients into revealing personal information or login credentials by impersonating legitimate entities.

How frequently should organizations conduct security training to prevent credential harvesting?

Organizations should conduct security training at least quarterly to keep employees informed about the latest threats and best practices in preventing credential harvesting.

How can personal devices be secured to prevent credential harvesting?

Personal devices can be secured by enabling multi-factor authentication, regularly updating software, and installing reputable security apps.