The Bitwarden Blog
How password managers help prevent phishing
September 7th, 2020
Phishing attacks frequently attempt to exploit users’ fears, curiosity, or helpfulness, sometimes with an element of urgency intended to prompt an immediate interaction. Phishing attacks can have different objectives. They may try to trick people into divulging confidential information like login credentials, bank account or social security numbers, or redirect victims to websites harboring drive-by malware downloads.
These fake messages, or phishing attacks, can be surprisingly convincing. Phishers may use social engineering techniques to research an intended victim before launching the attack, so that the phishing email appears to come from a trusted source such as your boss, or from a financial institution whose website you use frequently.
With more digital work and more remote work occurring every day, phishing has reached the point where everyone needs to keep themselves protected. There are many ways to stay safe, from developing general awareness techniques to using different tools. In this post we’ll specifically discuss how a password manager can help thwart phishing attacks.
Phishing attacks can come via email, text message, voice message, chat apps, or when accidentally mistyping the URL for an intended website and ending up on a fake site. Any of the above can be combined into a socially engineered attack intended to convince the user to give up something valuable like a password, government identification number, or credit card number.
To stay alert, the basics of internet safety apply. Here are a couple of examples and recommended steps.
Imagine an email appearing to come from your bank that states your account has been disabled or that there has been suspicious activity. The email requests that you log in to confirm everything is okay. The email also includes a link, but instead of that link pointing to your real bank website, it points to a hacker website made to look like the real bank website. For example, the site might be called www.wellsfaigo.com, with an “i” instead of an “r”, which could be easy to miss.
A few recommended steps:
- Check all aspects of the email to confirm it is from the proper institution. This includes looking at the email sender name as well as the accompanying email address. It’s important to learn the difference between a displayed email address and the real one, since email addresses can be “spoofed” and misleading. Also, mobile phones do not always show the sender’s full email address.
- Hover over links to confirm they go to the proper website, and in general, avoid clicking on links since they can be designed to trick users. If you are concerned about the message in the email, it is always better to log directly into the account in question, and avoid any information sent to you via a suspicious email.
- If concerned, call the institution or person who emailed you to confirm the email is real.
- Do not open attachments from people you don’t know – or unexpected attachments from people you do know without checking first. It is possible that their email accounts may have been compromised in a separate phishing attack.
If you inadvertently click a link from a phishing email, you may end up on a website that looks familiar but not quite right.
- Verify URLs in your browser address bar to ensure you are in the right place. Pay close attention to minor spelling differences.
While general awareness will serve you well to avoid phishing, sometimes it helps to have an extra layer of protection. Password managers can fill that gap.
Password managers, by their nature, keep track of the website URLs you visit. They can also show you an indication that the site visited is stored within the password manager by showing an icon in the browser bar. In this example, stackoverflow.com is one of the Logins stored in the Bitwarden Vault.
Password managers retain known and confirmed URLs
Of course, you could use the browser extension to open that site directly, and quickly autofill credentials, but let’s assume that you typed in the stackoverflow.com web address by hand, or clicked it from a trusted email.
In this case, the browser extension shows a ‘1’ in the corner of the extension icon, reminding users that there is one Login stored for stackoverflow.com in the password manager. If there were multiple Logins associated with the same website, that number would increment to ‘2’ and so on.
Password managers confirm via an icon flag when landing on a known site
In this hypothetical example, if the entry was mistyped or intentionally misspelled in a phishing attack, and the website URL was not exactly correct, the icon would not appear. This would set off an awareness alarm that something is not right. Password managers are not fooled by similarly spelled website URLs; the URL must be exactly correct. Further inspection may then reveal that the website URL was not entered correctly.
A malicious site would not trigger the known login icon on the browser extension
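The check described above can be shown in a few lines. The following is an added example written for this post, not Bitwarden's own extension code: it keeps a constructed sample vault of Logins, reduces the current page URL to a hostname, and counts the Logins saved for that hostname, which is the number the badge would display. It assumes exact hostname matching (case-insensitive, with a leading "www." ignored); Bitwarden's actual match-detection rules are configurable and are not reproduced here. The vault entries and page URLs are constructed sample data.

```javascript
// Added example (not Bitwarden's code): how a browser extension can decide
// whether the page you landed on matches any stored Login, and how many.
// Assumptions: matching is done on the exact hostname of the page URL,
// compared case-insensitively and with a leading "www." ignored; the vault
// contents below are constructed sample data.

// Constructed sample vault: each Login records the URIs it was saved for.
const SAMPLE_VAULT = [
  { name: "Stack Overflow (work)", uris: ["https://stackoverflow.com/users/login"] },
  { name: "Stack Overflow (personal)", uris: ["https://stackoverflow.com/"] },
  { name: "Wells Fargo", uris: ["https://www.wellsfargo.com/"] },
];

// Reduce a URL to the hostname we compare on. Returns null for anything
// that is not an http(s) URL, so non-web schemes never match a Login.
function matchKey(urlString) {
  let url;
  try {
    url = new URL(urlString);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // Hostnames are case-insensitive; treat "www." as the same site.
  return url.hostname.toLowerCase().replace(/^www\./, "");
}

// Return the Logins whose saved URIs match the current page.
function matchingLogins(vault, pageUrl) {
  const key = matchKey(pageUrl);
  if (key === null) return [];
  return vault.filter((login) =>
    login.uris.some((uri) => matchKey(uri) === key)
  );
}

// What the extension badge would display: the count as a string, or ""
// when nothing matches (no badge, which is the tell described in the post).
function badgeText(vault, pageUrl) {
  const n = matchingLogins(vault, pageUrl).length;
  return n === 0 ? "" : String(n);
}

// Demonstration on the post's own examples (constructed page URLs).
const pages = [
  "https://stackoverflow.com/questions/12345",  // typed by hand: 2 Logins
  "https://www.wellsfargo.com/login",           // real bank: 1 Login
  "https://www.wellsfaigo.com/login",           // "i" for "r": no badge
  "https://wellsfargo.com.example-login.test/", // real name inside another host: no badge
];
for (const p of pages) {
  console.log(`${p} -> badge "${badgeText(SAMPLE_VAULT, p)}"`);
}
```

Only the third and fourth pages come back with an empty badge, even though both contain a string a reader might skim as the bank's name; the comparison is on the parsed hostname, not on whether the familiar name appears somewhere in the address.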
Beyond helping to thwart phishing attacks, password managers help you follow the password hygiene that experts recommend, such as using long, complex, random, and unique passwords for every website. You can sync your passwords across all of your devices, and if working in a team, you can share them securely with end-to-end encryption.
Whether you want to set yourself or your business up for success, it is easy to get started with Bitwarden, an open source password manager for individuals and organizations. Visit bitwarden.com to learn more and sign up for a free account.
Editor’s Note This blog was originally posted on October 28, 2020 and updated on September 7, 2021.