Credential phishing: how it works and how to prevent it
- Last Updated : December 20, 2024
Our digital presence has exponentially increased in the past decade. We rely on technology to get through a major part of our day. And to keep our day-to-day work and personal life functioning smoothly, we sign up for multiple applications and online services. While there are many services we use on the personal front, the number of apps used for work and businesses is overwhelming. With every application that we use, some of our data is stored online.
This can include personally identifiable information (PII), sensitive documents, and most importantly, account credentials. With the vast number of applications that we use, there are many usernames, passwords, and PINs to remember, and the credentials you use to sign up for these applications are of utmost importance.
Credentials are the gateway of access for all of the sensitive information stored in your organization's accounts. There's an abundance of confidential data residing in business and personal accounts. The only things guarding this data are the credentials that you've configured for your account. By gaining access to these credentials, hackers can get their hands on all of the sensitive information in your account. The confidentiality of the information and the full access that this offers make credentials a lucrative target for hackers.
In this article, we'll take a look at the means hackers use to steal credentials, the techniques used, the consequences of hackers gaining access to credentials, and the ways in which these attacks can be spotted and prevented.
What is credential phishing?
Credential phishing, which is otherwise called credential harvesting, refers to the type of phishing threat in which hackers emulate legitimate messages that manipulate the recipients into entering their account credentials. The aim of credential phishing attacks is to trick the recipients into believing that the message or email is from an authentic source and nudge them to reveal the credentials of their email, social media accounts, bank accounts, or other such platforms that contain sensitive information.
The credentials give hackers complete access to the account. The hackers use these legitimate accounts to monitor and extract sensitive information about a company, make money transfers from the hacked accounts to their own accounts, or even lock the owners out of their accounts entirely. They often demand a ransom from the users to restore access to their accounts.
How does credential phishing work?
Credential phishing attacks begin with the hacker creating a convincing email or message that they intend to send to their target. They make the email appear legitimate so as not to arouse suspicion. In the most common type of credential phishing attacks, the hackers embed a malicious URL that directs the recipient to an authentic-looking website. This website looks like a login page where the users have to enter their credentials, which are then sent to the hackers.
While the above-mentioned method is the most common type of credential phishing, other methods are also used. Hackers spread malware through emails and install keyloggers on the targets' systems to track the activities their targets perform. Using the information collected by the keylogger, hackers extract the account credentials and use them in their attacks.
Capturing these credentials gives the hackers full access to the account they attempt to hack. They use this account to carry out a much larger attack or use it to their monetary benefit.
Components of a credential phishing attack
There are three important components that contribute to the success of a credential phishing attack. Mostly, they begin with an email. The first step hackers take is to craft an email that looks legitimate. The next important factor is the URL that's embedded within the email. Finally, the webpage that the URL leads to must look authentic. The data entered on this page will be captured and sent to the hackers.
The email
The first contact the hacker makes with their target is through the initial email that they send. If the target is suspicious of this email, they won't proceed to the next steps. Therefore, the hacker takes great care in constructing this email. The other factor the hackers need to consider while creating the email is ensuring that the email evades detection by email providers' security filters. So they avoid the pattern and language followed by most phishing emails, which helps them go undetected by email providers.
Some hackers create phishing toolkits with the help of AI and publish them on the dark web. Other hackers can purchase these kits and use them for creating emails that can avoid detection. Using such technologies, hackers create the phishing email. These emails usually contain an attention-grabbing subject line that compels the target to open the email. Within the body of the email, hackers imitate the communication patterns of the sender they're impersonating. They even use the email templates, logos, and signatures that the sender uses.
In addition to these tactics, hackers also personalize the email to suit the recipient. This gives them a feeling of authenticity and nudges the recipient to perform the requested action.
The malicious link
The next important component in a credential phishing attack is the link that's embedded in the body of the email. Instead of giving the link directly, hackers use various tactics to disguise the original identity of the link. One of the common techniques deployed is using a URL shortener. URL shorteners are used to give a short version of an otherwise long URL. When the phishing URL is shortened, the target fails to see the original link it redirects to, and they don't get suspicious of the URL.
Another tactic hackers use is deceptive hyperlinking. In this technique, hackers display the legitimate URL they're impersonating as the visible link text in the email and hyperlink that text to the phishing URL. When the email recipient sees this, they assume that the URL displayed is the one the link points to, and they proceed to click on it without exercising any caution. The URL leads to the website where the hacker will collect the credentials.
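As an added example (not code from the original article), the following Python check looks for both link tricks described above in an HTML email body: a visible link text that is itself a URL but points to a different host, and links routed through a URL shortener. The shortener list and the sample body are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed, illustrative list of shortener hosts; a deployment maintains its own.
SHORTENER_HOSTS = {"bit.ly", "tinyurl.com", "t.co"}


def _host(url):
    """Lowercased hostname of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def _looks_like_url(text):
    """Treat anchor text as a URL if it is a single token containing a dot."""
    return bool(text) and " " not in text and "." in text


class _AnchorCollector(HTMLParser):
    # Collects (href, visible text) pairs for every <a> in an HTML body.
    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def find_suspicious_links(html):
    """Return (reason, href) findings: links routed through a shortener, and
    links whose displayed text is a URL on a different host than the href."""
    parser = _AnchorCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        target = _host(href)
        if target in SHORTENER_HOSTS:
            findings.append(("shortener", href))
        if _looks_like_url(text):
            # Displayed text may lack a scheme; add one so urlparse sees a host.
            shown = _host(text if "://" in text else "https://" + text)
            if shown and target and shown != target:
                findings.append(("display-mismatch", href))
    return findings


# Constructed sample body (not a real message) showing both tricks.
SAMPLE_BODY = (
    '<p>Please <a href="https://bit.ly/abc123">reset your password</a> or go to '
    '<a href="https://login.example-evil.test/">https://accounts.example.com/login</a></p>'
)
```

A mail gateway would run this over the HTML part of each inbound message and quarantine or annotate messages with findings rather than relying on the recipient to hover over every link.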
The phishing website
Once the target clicks on the link in the email, they'll be directed to the phishing website. This website is designed to look like a login page where the user has to enter their account credentials. To make the website look authentic, hackers emulate the interface of the brand they're impersonating. For example, if the hacker is impersonating Amazon, the logo, images, trademark, and other interface elements that are used on Amazon's legitimate login page are duplicated and used in the phishing website.
Hackers deploy phishing toolkits to achieve this level of authenticity. When the website is this convincing, the targets enter the requested username and password. The website is designed such that the entered details are captured and sent to the hacker. Most websites are designed to ensure that the target doesn't suspect any malicious intent even after the credentials are revealed. If it arouses suspicion, the target might update their password. Because that would disrupt the attack, hackers are careful to display a success message that is in alignment with the initial intent of the email.
Steps involved in the attack
Like every other cyber threat, credential phishing is also carried out in multiple stages. In each stage, the hacker does their best to feign authenticity to ensure that the recipient falls prey to the email.
Receipt of the email
In the first stage, the hackers draft the email that's intended to trick their targets. Apart from ensuring that the target trusts the email, hackers also need to make sure that the email evades the security filters of the email provider and lands in the target's mailbox. To achieve this, hackers register domains of their own and configure the SPF, DKIM, and DMARC protocols so that mail from those domains passes authentication checks. Credential phishing emails don't usually have any attachments containing malware or viruses. This, combined with content that doesn't arouse any suspicion, evades detection by the email provider.
These techniques aid with email delivery, and the only step left is for the user to trust the email.
Recipient falling prey to the email
Threat actors deploy various methods to trick their targets into believing that the email is legitimate. They either use a legitimate account or brand that they've taken over, or they create a close look-alike of the brand they're impersonating. Now all that's left is for the hackers to ensure that the email content and subject look convincing. To attain this, the email content emulates the email templates of the brand, along with similar logo placements, signatures, and images. Even the URL in the email is disguised under a legitimate one to arouse no suspicion.
In addition, these emails usually nudge the recipients to take action immediately or within a small timeframe. This forces the email recipient to click on the link present and enter their credentials without further thought.
Misuse of credentials by the hacker
The credentials, once entered, are immediately sent to the hacker. The hacker then uses these details for their own benefit. If the hacked account is a bank account, the hacker transfers money to their own account, emptying the funds from the source account. In case the credential is that of an email account, the hackers take over control of the account and demand a ransom payment. If they're planning a larger attack, they silently monitor the activities of the account and make note of the confidential information being shared, and proceed with the further course of action.
Targets of credential phishing attacks
The credentials of all individuals, for all types of accounts, are of interest to hackers. However, the ones that are most lucrative for them are the credentials belonging to C-suite employees in the company. The most sensitive data is present in these accounts, and they usually have the highest level of access to all other organization-related platforms and services. This lets the hacker perform all sensitive operations.
Apart from senior management and executives, hackers also target the accounts of the organization's administrators. Because they can restrict or deny access for other users in the company, these accounts are also an interesting target for hackers. They can restrict access to all other users while the attack is carried out and perform operations that might benefit them.
Consequences of credential phishing
Once hackers gain access to the credentials they've been waiting to get their hands on, they use them in many ways to gain maximum benefit from them. These consequences might have far-reaching implications because these attacks aren't always immediately exposed and might take time to come to light, if the hacker has meticulously planned the attack.
Loss of account access
One of the most common consequences of credential phishing attacks is the loss of access to accounts. Once the hacker gets the credentials to an account, they're just one step away from locking the account owner out. This is beneficial to the hacker because most owners are so desperate to get back access to their account that they would be willing to cooperate with the hackers' needs. Playing on their vulnerable state, hackers demand exorbitant amounts of money from the organization or the account owner and threaten them with data deletion.
Financial loss
Hackers are interested in gaining access to different types of accounts, but the most popular are bank accounts. Gaining access to a bank account means that the hackers can immediately witness the fruits of their hack. Once they secure access to accounts that can transfer money, they focus on immediately emptying the source account of its funds. These transfers are usually made to offshore accounts that can't be traced back to them. They also prefer organizational accounts because the funds present in them tend to be higher.
Data leak
The least common consequence of credential phishing attacks is a data leak. This involves elaborate planning on the hackers' part, and unless they're planning a larger attack, they wouldn't aim to leak data. That said, data is currency in the digital age. Competitor organizations might be willing to pay the hackers millions if they reveal a design or a prototype that's unique to the target organization. They might even get paid by many if they leak such sensitive information on the dark web. Data leaks are another consequence of credential harvesting to be wary of.
How to prevent credential phishing attacks
Credential harvesting attacks are meticulously designed and involve careful planning on the hackers' part. Even though these attacks are cleverly disguised, there are certain ways in which credential harvesting emails can be spotted or prevented.
Multi-factor authentication
Multi-factor authentication (MFA) refers to a method of added security in which additional forms of authentication are required to gain access or log into an account. Organizations must mandate MFA to add an extra layer of security for their employees' accounts. If MFA is configured, users have to enter their username and password, followed by a PIN, an OTP, or a QR code scan using a secondary device that is registered to the user's account. With MFA in place, even if a hacker gets an account's credentials, they'll be stuck at the next step, and they won't be able to gain access to the account.
Therefore, it's best for the admin to enforce MFA across the organization to ensure that their business's data is secure.
Strict password policies
Similar to MFA enforcement, an organization-wide password policy also needs to be implemented. In the password policy, the administrator should enforce mandates regarding the length of the password and the use of numbers, symbols, lowercase, and uppercase characters. They should also set how often passwords need to be changed and whether previous passwords may be reused.
There's another factor that needs to be kept in mind while setting up a new password. The account owner should create unique passwords for each of their accounts. This way, even if a particular password is leaked, it prevents hackers from gaining access to other accounts that might use the same password. Though this can't be enforced in the password policy, admins should ask their employees to follow this practice.
Verify the email source
Check whether the email has been sent from a legitimate source. Verify that the sender's display name and email address match. Then, check the email content to see if the request is legitimate. For example, if you receive an email mandating a password reset, check whether it matches the frequency and pattern of previous reset requests. Also hover over the URL to ensure that it redirects where the email says it does and that it uses a secure (https://) connection. Additionally, verify that the email passes the SPF, DKIM, and DMARC authentication mechanisms.
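As an added example (not from the original article), here is how the SPF, DKIM, and DMARC verdicts recorded by a receiving mail server can be read from the Authentication-Results header and compared against the visible From: domain. The sample message, its domains, and the relaxed alignment rule are assumptions for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed sample headers (not a real message) as a receiving server
# might record them after evaluating SPF, DKIM and DMARC.
SAMPLE_MESSAGE = """\
Authentication-Results: mx.example.com;
 spf=pass smtp.mailfrom=bounce.example-brand.test;
 dkim=pass header.d=example-brand.test;
 dmarc=pass header.from=example-brand.test
From: "Example Brand Support" <support@example-brand.test>
To: user@example.com
Subject: Action required: verify your account

Please sign in to keep your account active.
"""

RESULT_RE = re.compile(r"\b(spf|dkim|dmarc)=(\w+)")
DKIM_DOMAIN_RE = re.compile(r"header\.d=([\w.-]+)")


def check_sender(raw_message):
    """Summarise the SPF/DKIM/DMARC verdicts and whether the DKIM signing
    domain aligns with the visible From: domain.

    Caveat: this reads whatever Authentication-Results header is present. A
    receiving server must strip copies it did not add itself; otherwise a
    sender could include a forged "pass" line.
    """
    msg = email.message_from_string(raw_message)
    auth = msg.get("Authentication-Results", "")
    results = {"spf": "none", "dkim": "none", "dmarc": "none"}
    for mech, verdict in RESULT_RE.findall(auth):
        results[mech] = verdict.lower()
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    match = DKIM_DOMAIN_RE.search(auth)
    dkim_domain = match.group(1).lower() if match else ""
    # Relaxed alignment: From: domain equals, or is a subdomain of, the signer.
    aligned = bool(dkim_domain) and (
        from_domain == dkim_domain or from_domain.endswith("." + dkim_domain)
    )
    results["from_domain"] = from_domain
    results["aligned"] = aligned
    all_pass = all(results[m] == "pass" for m in ("spf", "dkim", "dmarc"))
    results["verdict"] = "trusted" if all_pass and aligned else "suspicious"
    return results
```

A "pass" on all three only proves the message came from the domain shown; it says nothing about whether that domain is the brand it resembles, so the look-alike domain checks above still apply.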
Monitor for anomalies
If a hacker has gained access to an account's credentials, there will be certain account activities that appear different from the usual practices. If the hacker has accessed the account as part of a larger attack, monitoring for such anomalous activities will help the admins exercise caution and take the necessary action. Any account logins that are done at odd times, simultaneous sessions from different locations, and logins at locations never logged in from before are all examples of anomalies, and they need to be investigated immediately.
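As an added example (not from the original article), the following Python code runs the three anomaly checks named above over constructed login records: odd-hour logins, a location the user has never logged in from before, and sessions from different locations close enough in time to be concurrent. The log format, the working-hours window, and the 30-minute concurrency window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample login records (not real log data). Assumed format:
# ISO-8601 UTC timestamp, user, source IP and country code.
SAMPLE_LOG = """\
2024-12-16T09:02:11Z user=alice ip=198.51.100.4 geo=US
2024-12-17T10:15:40Z user=alice ip=198.51.100.4 geo=US
2024-12-18T03:41:02Z user=alice ip=203.0.113.7 geo=BR
2024-12-18T03:45:30Z user=alice ip=198.51.100.4 geo=US
2024-12-18T11:20:00Z user=bob ip=192.0.2.9 geo=US
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) ip=(\S+) geo=(\S+)$")
WORK_HOURS = range(7, 20)                  # assumption: 07:00-19:59 UTC is usual
CONCURRENT_WINDOW = timedelta(minutes=30)  # assumption: closer than this is concurrent


def parse_log(text):
    """Parse log lines into dicts sorted by timestamp; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "user": m.group(2), "ip": m.group(3), "geo": m.group(4)})
    return sorted(events, key=lambda e: e["ts"])


def find_anomalies(events):
    """Return (user, timestamp, reason) tuples for the three anomaly types.

    The first login seen for a user seeds that user's location baseline, so
    the baseline period should be known-good history.
    """
    seen_geos = {}    # user -> set of countries logged in from so far
    last_event = {}   # user -> most recent login event
    findings = []
    for e in events:
        user = e["user"]
        if e["ts"].hour not in WORK_HOURS:
            findings.append((user, e["ts"], "odd-hour login"))
        if user in seen_geos and e["geo"] not in seen_geos[user]:
            findings.append((user, e["ts"], "new location %s" % e["geo"]))
        prev = last_event.get(user)
        if prev and prev["geo"] != e["geo"] and e["ts"] - prev["ts"] <= CONCURRENT_WINDOW:
            reason = "concurrent sessions from %s and %s" % (prev["geo"], e["geo"])
            findings.append((user, e["ts"], reason))
        seen_geos.setdefault(user, set()).add(e["geo"])
        last_event[user] = e
    return findings
```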
Train and educate your employees
None of the security measures you adopt to prevent and spot credential leakage will be effective if your employees haven't been trained to handle them efficiently. Conduct security awareness training sessions to educate your employees about the latest trends in email security and the possible threats to their emails. Train them on how best to spot these emails and on the way forward to ensure that the organization's admins are notified and appropriate action is taken. You can also simulate credential phishing emails to verify that your employees are alert and avoid engaging with such emails.
Adopt an email security solution
While all of these measures will help mitigate the effects of credential phishing emails, the best solution is to keep these emails away from your organization's mailboxes. This can be done by deploying an extra layer of security between the email recipient server and your mailboxes. An email security solution will help you achieve exactly that. Email security solutions have advanced threat detection capabilities that spot such emails based on the sender data, email content, and embedded URLs, keeping them away from users' mailboxes. This will help protect your organization from credential phishing emails and other such advanced threats.
eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.