What is tabnabbing? How it works and what you can do to prevent it

Tabnabbing is a type of phishing attack that abuses browser tabs the user is not currently looking at. When someone clicks away from an open tab, a page the attacker controls uses that moment to rewrite the tab so that it looks like a site the user trusts, typically its login page.

The objective of tabnabbing is the same as traditional phishing, in which attackers link victims to their site via an email or link.

They hope that the target won’t notice the difference and will hand over their login details and other sensitive information believing that they are giving them to a legitimate site.

Unfortunately, tabnabbing is harder to spot than other forms of phishing, because the victim does not have to click a suspicious link in an email. The tab that changes is one they opened themselves, or one that was opened for them by a link they trusted.

Rather, the damage has already been done by the time the user looks back. The attacker needs only a page running in the victim's browser: either a page the victim visited that swaps its own content after the tab loses focus, or a link opened in a new tab whose page still holds a reference to the original tab (`window.opener`) and uses it to navigate that tab elsewhere. This second variant is usually called reverse tabnabbing.

That doesn’t necessarily mean that there is nothing you can do to prevent tabnabbing though, as we explain below.

Examples of tabnabbing

You’re most likely to fall victim to tabnabbing when you have multiple tabs open. This is standard practice for a lot of people – particularly at work, where you are often multitasking throughout the day.

When several tabs are open, it's easy for one of them to change without you noticing. You'll probably assume that you opened the site yourself and forgot about it.

Even if you weren’t intending to visit the site, simply seeing the tab open is enough of an incentive to log in.

Alternatively, you might mistake the malicious site for a page you already have open. For example, you may have logged in to Facebook earlier, and when you see a Facebook login page, you might assume that you’d been automatically logged out.

Many sites do this as a security measure, and you’re probably used to providing your credentials at regular intervals throughout the day.

How to prevent tabnabbing

Here are four things you can do to prevent tabnabbing:

1. Have as few tabs open as possible. People often struggle with this, but it’s probably easier to open a new tab and enter the address than it is to look through dozens of open tabs to find the right one.

2. Keep tabs in different windows according to what you use them for. So, for example, you might have one window with your inbox and intranet, one for your work tasks and another for non-work-related activities.

This won't make you less likely to be targeted by tabnabbing, but you are more likely to notice when a tab's contents have been swapped, because the page will probably be in the wrong window.

3. Check the address bar if something doesn't seem right. The attacker can change the page's content, title and favicon, but not the address shown for it. A tab that now shows a Facebook login form but whose address is not facebook.com has been tampered with.

The mismatch might be obvious, or the criminals may have registered a look-alike domain that imitates the genuine URL. However, a closer examination of the domain name should reveal its true nature.

4. Take a close look at the page. There may well be differences between it and the genuine site. You should look for spelling mistakes, poor phrasing and unusual layouts.
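Site owners can also remove the most common enabler of reverse tabnabbing: links that open in a new tab without `rel="noopener"`. The following is an added example, not code from the original post. It scans a page's HTML for `target="_blank"` anchors that would hand the opened page a usable `window.opener`, and adds `rel="noopener noreferrer"` to them. The function names (`findRiskyLinks`, `hardenLinks`) and the sample HTML are constructed for this illustration; the parser is a deliberately small regex one, adequate for a check like this but not a full HTML parser.

```javascript
// Scanner and fixer for reverse-tabnabbing link hygiene (added example).
// A page opened via <a target="_blank"> without rel="noopener" receives a
// window.opener reference and can run window.opener.location = "https://..."
// to replace the tab the user left behind. Either "noopener" or "noreferrer"
// (which implies noopener) severs that reference.

const ANCHOR_RE = /<a\b[^>]*>/gi; // opening <a> tags only (no '>' inside attribute values assumed)

// Return the value of attribute `name` in a single opening tag, or null if absent.
function attr(tag, name) {
  const re = new RegExp(`\\s${name}\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] ?? m[2] ?? m[3] ?? '';
}

// True when the link opens a new tab and does nothing to sever window.opener.
function isRiskyAnchor(tag) {
  const target = (attr(tag, 'target') || '').toLowerCase();
  if (target !== '_blank') return false; // same-tab navigation gives no opener handle
  const rel = (attr(tag, 'rel') || '').toLowerCase().split(/\s+/);
  return !(rel.includes('noopener') || rel.includes('noreferrer'));
}

// List the href of every anchor that exposes the page to reverse tabnabbing.
function findRiskyLinks(html) {
  const out = [];
  for (const tag of html.match(ANCHOR_RE) || []) {
    if (isRiskyAnchor(tag)) out.push(attr(tag, 'href'));
  }
  return out;
}

// Rewrite risky anchors so that they carry rel="noopener noreferrer".
function hardenLinks(html) {
  return html.replace(ANCHOR_RE, (tag) => {
    if (!isRiskyAnchor(tag)) return tag;
    const rel = attr(tag, 'rel');
    if (rel === null) {
      return tag.replace(/>$/, ' rel="noopener noreferrer">');
    }
    // Keep existing rel tokens (e.g. nofollow) and append the protective ones.
    return tag.replace(
      /\srel\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+)/i,
      ` rel="${rel} noopener noreferrer"`
    );
  });
}

// Constructed sample page: two risky links, one already safe, one same-tab link.
const SAMPLE_HTML = [
  '<p>Read the <a href="https://partner.example/report" target="_blank">partner report</a>.</p>',
  '<p><a href="https://docs.example/guide" target="_blank" rel="noopener">Guide</a></p>',
  '<p><a href="/account" target=_blank rel="nofollow">Account</a></p>',
  '<p><a href="/help">Help</a></p>',
].join('\n');

console.log('Risky links:', findRiskyLinks(SAMPLE_HTML));
console.log('After hardening:', findRiskyLinks(hardenLinks(SAMPLE_HTML)));
```

Current major browsers (Chrome 88+, Firefox 79+, Safari 12.1+) already treat `target="_blank"` as implying `noopener`, so the explicit attribute mainly protects users on older browsers and documents the intent. Links opened from script with `window.open(url)` are not covered by that default, and should pass `"noopener"` in the features argument or clear `opener` on the returned handle.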

Get your staff on the same page

As with all types of phishing, attackers can target anyone at any time. For organisations to keep staff credentials out of attackers' hands, they need to train staff to identify and defend against attacks.

You can help your staff understand the threat with our Phishing Staff Awareness E-learning Course.

They’ll learn everything they need to know about phishing, including how they can spot a bogus message and what happens if they fall victim.


A version of this blog was originally published on 30 October 2018.