How password managers help prevent phishing
If you are reading this, you already know the online vulnerabilities people face every day on the internet. One of the most common threats is called “phishing,” where hackers with malicious intent (i.e. the bad guys) try to trick people into divulging confidential information like login credentials, bank account numbers, or Social Security numbers by pretending to be someone or something that the person already trusts. These fake messages, or phishing attacks, can be surprisingly convincing, especially when they appear to come from a trusted source such as your boss, or from the website of a financial institution you use frequently, such as your bank or credit card company. With more digital work and more remote work occurring every day, phishing has reached the point where everyone needs to keep themselves protected.
There are many ways to stay safe, from developing general awareness techniques to using different tools. In this post we’ll specifically discuss how a password manager can help thwart phishing attacks.
Phishing attacks can come via email, text message, or by accidentally mistyping the URL of an intended website and ending up on a fake site. Any of these can be combined into a socially engineered attack intended to convince the user to give up something valuable like a password, government ID number, or credit card number.
To stay alert, the basics of internet safety apply. Here are a couple of examples and recommended steps.
Imagine an email from your bank that states your account has been disabled or that there has been suspicious activity, and requesting that you log in to confirm that everything is okay. The email also includes a link, but instead of that link pointing to your real bank website, it points to a hacker website made to look like the real bank website. For example, the site might be called www.wellsfaigo.com, with an “i” instead of an “r”, which could be easy to miss.
A few recommended steps:
- Check all aspects of the email to confirm it is from the proper institution. This includes looking at the sender name as well as the accompanying email address. It’s important to learn the difference between the displayed email address and the real one, since email addresses can be “spoofed” and misleading. Also, mobile phones do not always show the sender’s full email address.
- Hover over links to confirm they go to the proper website, and in general, avoid clicking on links since they can be designed to trick users. If you are concerned about the message in the email, it is always better to log directly into the account in question, and avoid any information sent to you via a suspicious email.
- If concerned, call the institution or person who emailed you to confirm it is real.
- Do not open attachments from people you don’t know.
If you inadvertently click a link from a phishing email, you may end up on a website that looks familiar, but not quite right.
- Verify URLs in your browser address bar to ensure you are in the right place. Pay close attention to minor spelling differences.
Thwarting phishing attacks with a password manager
While general awareness will serve you well to avoid phishing, sometimes it helps to have an extra layer of protection. Password managers can fill that gap.
Password managers, by their nature, keep track of the website URLs you visit. They can also indicate that the site you are visiting is stored within the password manager by showing an icon in the browser bar. In this example, stackoverflow.com is one of the Logins stored in the Bitwarden Vault.
Of course, you could use the browser extension to open that site directly, and quickly autofill credentials, but let’s assume that you typed in the stackoverflow.com web address by hand, or clicked it from a trusted email.
In this case, the browser extension shows a ‘1’ in the corner of the extension icon, reminding users that there is one Login stored for stackoverflow.com in the password manager. If there were multiple Logins associated with the same website, that number would increment to ‘2’ and so on.
In this hypothetical example, if the web address was mistyped or intentionally misspelled in a phishing attack, so that the website URL was not exactly correct, the icon would not appear. This should set off an awareness alarm that something is not right. Password managers are not fooled by similarly spelled website URLs, because the URL must match exactly. Further inspection may then reveal that the website URL was not entered correctly.
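To make the matching behaviour concrete, here is an added example (not Bitwarden's own code) of the kind of check a browser extension performs: it normalizes the current page's URL to a hostname and counts stored Logins whose hostname is identical. The vault entries are constructed sample data, and the lookalike domains below are the post's own wellsfaigo.com example plus a homoglyph variant.

```javascript
// Constructed sample vault: the URIs are illustrative, not real credentials.
const sampleVault = [
  { name: "Stack Overflow",    uri: "https://stackoverflow.com/users/login", username: "alice" },
  { name: "Wells Fargo",       uri: "https://www.wellsfargo.com/",           username: "alice" },
  { name: "Wells Fargo (old)", uri: "https://www.wellsfargo.com/login",      username: "alice.old" },
];

// Reduce a URL to its hostname. The WHATWG URL parser lowercases the host and
// converts internationalized (IDN) labels to punycode, so a domain that merely
// looks like the stored one (e.g. a Cyrillic "а" in place of "a") normalizes to
// a different ASCII string and will not match. Non-http(s) or unparseable input
// is treated as having no host.
function hostOf(url) {
  try {
    const u = new URL(url);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.hostname.toLowerCase();
  } catch {
    return null;
  }
}

// Number of stored Logins whose host exactly equals the current page's host.
// This is the badge count described above: "1" for one stored Login, "2" for
// two, and no badge at all (0) on a lookalike domain, which is the warning sign.
function matchingLoginCount(vault, currentUrl) {
  const host = hostOf(currentUrl);
  if (host === null) return 0;
  return vault.filter((login) => hostOf(login.uri) === host).length;
}

// Walk a few page URLs and report what the badge would show for each.
function badgeReport(vault, urls) {
  return urls.map((url) => ({ url, badge: matchingLoginCount(vault, url) }));
}
```

Real password managers usually offer several match rules (for example matching on the base domain rather than the full host); this example implements only the strict host comparison the post describes.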
Password managers set a secure foundation
Beyond helping to thwart phishing attacks, password managers help you follow the password hygiene practices that experts recommend, such as using long, complex, random, and unique passwords for every website. You can sync your passwords across all of your devices, and if you work in a team, you can share them securely with end-to-end encryption.
Whether you want to set yourself or your business up for success, it is easy to get started with Bitwarden, an open source password manager for individuals and organizations. Visit bitwarden.com to learn more and sign up for a free account.