What the Phish Is Tab Napping? Beware of This New Security Threat
Beware of leaving browser tabs with banking websites open unattended for too long before making any transactions.
Picture this. You’ve opened up your computer’s browser, opened a few tabs, one of them being your net banking site. You log in to your bank account and then switch tabs to check a few emails.
When you get back to the banking page, it asks you to log in again. You do that unwittingly, thinking it’s just a security procedure from the bank, since you’ve left the tab unattended for too long, and then proceed with your banking transaction.
Nothing seems amiss so far, right? Wrong. Here’s a new form of phishing. While you were browsing through another tab on your browser, a phishing site replaced your actual banking site login page with a similar page. When you logged in again, it captured your username and password, and then redirected you back to your actual banking page, without you even knowing it.
Your login credentials have now been compromised. Welcome to ‘Tab Napping’.
How Does Tab Napping Work?
Tab napping is a more sophisticated form of phishing. Earlier ‘phishing’ sites would send you a link, possibly by email, that would mimic a genuine link from your bank or some other site you subscribe to, and invite you to log in through the link. But tab napping takes it a step further.
Malicious code could infect your browser and wait for specific URLs or sites to be opened – especially netbanking sites.
The code would wait for the tab to stay inactive long enough to quickly replace the page with a similar looking phishing page. Most users would not look at the address bar again to figure out if it’s the genuine site, and hence, could easily fall into this trap.
How to Prevent Tab Napping?
As with any online transaction site, one needs to be alert to every form of activity happening on the page. Here are a few pointers to check each time you open your browser.
- Never open suspicious links. Always check the email address they are sent from.
- Always look for the ‘https://’ prefix in web page URLs, which indicates they are secure addresses.
- Double check the URL in a browser window before entering your credentials. Does it match the URL of the site you want to visit? Phishing pages will have a URL that is different, sometimes very minutely, probably changing just a single letter or character.
- Always open a new window rather than a tab for banking transactions on your browser. Finish the transaction and close the window. Don’t leave banking site windows open on your browser.
- Prefer to use banking apps on your mobile phone rather than web browsers if possible, as they are more secure.
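The URL checks from the list above (the https:// prefix, and a hostname that differs from the real one by a character or two) can also be done in code. The following is an added example, not part of the original article; the hostname `netbanking.examplebank.com` and the function names are hypothetical.

```javascript
// Added example. The allowlisted hostname is a constructed placeholder.
const TRUSTED_HOSTS = ["netbanking.examplebank.com"];

// Levenshtein edit distance, using a single rolling row.
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0]; // value of D[i-1][j-1]
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const above = row[j]; // D[i-1][j]
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(above + 1, row[j - 1] + 1, diag + cost);
      diag = above;
    }
  }
  return row[b.length];
}

// Classify a URL before credentials are typed into the page it points to.
function checkLoginUrl(rawUrl, trusted = TRUSTED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "invalid" };
  }
  const host = url.hostname; // the URL parser lowercases the hostname
  if (trusted.includes(host)) {
    // Exact match: still insist on the https:// prefix.
    return { verdict: url.protocol === "https:" ? "ok" : "not-https", host };
  }
  // Not the expected site: is it a near miss of a trusted hostname?
  for (const t of trusted) {
    const distance = editDistance(host, t);
    if (distance <= 2) {
      return { verdict: "lookalike", host, resembles: t, distance };
    }
  }
  return { verdict: "unknown-host", host };
}

// Constructed sample URLs.
for (const u of [
  "https://netbanking.examplebank.com/login",
  "https://netbanking.examp1ebank.com/login",
  "http://netbanking.examplebank.com/login",
]) {
  console.log(u, "->", checkLoginUrl(u).verdict);
}
```

The second sample URL uses https:// and is still reported as a lookalike, because the prefix is only accepted once the hostname matches exactly.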