You are here

Beware of tabnapping

25th June 2010

Computer experts are warning internet users about tabnapping – a new type of phishing that fraudsters are using to get people’s personal information.

All major browsers that use tabbed-browsing on Windows and MAC OS X are vulnerable to the attack.

How does tabnapping work?

Tabnapping targets people who keep multiple tabs open in their browser, often for long periods of time. The fraudsters then use JavaScript to change the contents and label of an open, but not active, tab to resemble the log-in screen of a bank, email provider or online shopping store.

When a user clicks back onto the tab to find the fake log-in screen, they assume that they have been logged out and re-enter their user information and password to log back in. When they enter these details, the personal information provided is sent straight to the fraudsters.

The url in the browser’s address bar is not necessarily altered by tabnappers, so checking the url is the legitimate url of the service provider is not a sufficient precautionary measure.

The fraudsters may even put an additional message on the fake log-in screen, saying that the session has timed out and the user needs to re-enter their log-in details. This is a message that appears on legitimate websites, particularly on banks, increasing the likelihood that the user thinks the log-in screen is trustworthy.

How can tabnapping be prevented?

  • Ensure anti-virus and anti-spyware software is up-to-date on your computer and make sure your browser’s filter is switched-on and up-to-date. These measures should block malicious sites and legitimate sites that are infected with a phishing attack code.
  • If you’re unsure about whether or not a log-in screen is legitimate, close the tab down, open a new one and type in the legitimate url of the website you want to log-in to.
  • Follow identity theft crime prevention advice to stay alert to unrecognisable transactions in your name.

Read more about tabnapping on PC Advisor, Macworld and Computerworld websites.

Please note: Action Fraud is not responsible for the content on external websites.

To report a fraud, call Action Fraud on 0300 123 2040 or use our online fraud reporting tool.

Related links:
Banking fraud - with information about online banking and shopping online 
Identity fraud and theft - how to spot it and what you should do
Online shopping fraud - more information on fraud while shopping online