Don’t let tabnapping or phishing leave you on the hook! | CFIB

By now we’re all aware of the dangers of opening e-mail attachments or clicking links from unknown sources – but what about e-mails which appear to be legitimate? When fraudsters pose as a company, brand, or e-mail address you recognize, it’s called phishing – and it’s the most common type of cyberattack.

A play on the word fish, the perpetrators are fishing for someone to fall for their scam by sending e-mails (usually with a link to a website) purporting to be from a reputable company. They’re hoping to trick people into giving out sensitive or personal information such as passwords or banking information.

The fraudsters disguise their messages so that they look legitimate. As they learn what is most effective at tricking people, their methods evolve – which makes it difficult to identify when you are being phished. 

Phishing is usually done through e-mail, as that is the easiest way for the fraudsters to disguise themselves; however, it can be done through a phone call or a text message (called smishing). 

Signs an e-mail is a phishing attack:

• It looks as though it comes from someone you know, but the e-mail isn’t one you’d expect from that person.
• They ask for money or personal information.
• They say the e-mail is urgent.
• There is an attachment you’re not expecting.
• The wording is awkward, or there are typos that you wouldn’t expect in a professional e-mail. 

How to prevent phishing:

• Make sure you have a spam filter on your e-mails.
• Look for tell-tale signs such as typos, grammar errors, or poor image quality.
• Don’t click links in e-mails you do not expect or trust.
• Don’t assume people or businesses are who they say they are.
• Don’t give out personal/business information unless you’re absolutely sure of who you are dealing with.
• Trust your instincts – if you’re not comfortable, contact the company directly to find out if the message is legitimate.

Other types of phishing:

Spear Phishing: the e-mail contains information unique to the recipient – your name, title, or other information easily found online

Whaling: is the same as Spear Phishing, but targets upper management – CEO, CFO, business owner, board members

Business Email Compromise: when the attackers pose as the business owner or CEO and ask for money or gift cards. It will look like an urgent request for help. 

Tabnapping

Take a look at your browser – how many tabs do you have open? And how long have they been that way? Using code, fraudsters can change the content and label of an open but inactive tab to look like the log-in for a bank, an online store, or even your e-mail provider. When you click back to the tab and find the log-in screen you assume the session has timed out and so you log back in – giving your personal information to the hackers. This is called tabnapping (or tabnabbing) and it’s a more sophisticated version of phishing.

How can you stop it happening?

• Install anti-virus and anti-spyware software on your computer – and keep it updated!
• If you’re not sure of the legitimacy of a log-in site, close the tab, open a new one and type in the address of the site you wish to visit.
• Keep an eye out for transactions in your name that you did not make.

Keep anti-malware software installed and updated and always second-guess before sharing personal information to help protect you and your business from cyber crime.