The Bitwarden Blog

How password managers help prevent phishing

authored by: Gary Orenstein

Phishing attacks frequently attempt to exploit users’ fears, curiosity, or helpfulness, sometimes with an element of urgency intended to prompt an immediate interaction. Phishing attacks can have different objectives. They may try to trick people into divulging confidential information like login credentials, bank account or social security numbers, or redirect victims to websites harboring drive-by malware downloads.

These fake outreach attempts, or phishing attacks, can be surprisingly convincing, especially in the new era of generative AI. Phishers can use social engineering techniques to research an intended victim before deploying a phishing attack, so that the phishing email appears to come from a trusted source such as your boss or the website of a financial institution you use frequently.

There are many phishing attack prevention methods, from developing general awareness techniques to using different tools. In this post we’ll specifically discuss how Bitwarden protects you from phishing.

Using Bitwarden to thwart phishing attacks

Saved URIs and URI matching

Bitwarden stores the Uniform Resource Identifier (URI) on a vault item. For a login this is the URL of the website that login is for. When you are on the webpage with the correct URL, Bitwarden detects the URI match and shows a counter on the extension icon for the number of matches in your vault. In this example, stackoverflow.com is one of the logins stored in the Bitwarden vault.

Password managers confirm via an icon flag when landing on a known site

Let's view an example with stackoverflow.com. In this case, the browser extension shows a ‘1’ in the corner of the extension icon, reminding users that there is one Login stored for stackoverflow.com in the password manager. If there were multiple Logins associated with the same website, that number would increment to ‘2’ and so on.

If a user were on a lookalike website where the URL used clever text tricks, so that the website URL was not exactly correct, the icon would not appear. This would set off an awareness alarm that something is not right. Password managers are not fooled by similarly spelled website URLs; the URL must match exactly. Further inspection may then reveal that the website URL was not entered correctly. Bitwarden will not autofill the login on this page.

A malicious site would not trigger the known login icon on the browser extension

The URI match settings can be configured for each individual vault item, and an enterprise organization can set a policy to modify the default behavior.

URI mismatch and iFrame warnings

If you are on a page where the URI does not match a specific login and you try to initiate autofill from the browser extension, Bitwarden will provide a warning, asking if you are certain that this website is safe.

Bitwarden autofill warning on URI mismatch
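To make the URI matching and mismatch-warning behaviour described above concrete, here is an added example (not Bitwarden's own code) modelling how a browser extension decides whether a saved login belongs to the current page. The vault items, the "host" and "base domain" match modes and the two-label base-domain rule are simplifying assumptions; a real implementation would consult the Public Suffix List.

```javascript
// Constructed sample vault: each item stores the saved URI and its match mode.
const VAULT = [
  { name: "Stack Overflow", uri: "https://stackoverflow.com", match: "base domain" },
  { name: "Wells Fargo", uri: "https://www.wellsfargo.com/login", match: "host" },
];

function hostOf(url) {
  // The URL parser lowercases the host and converts Unicode labels to
  // punycode, so look-alike hosts are compared as plain ASCII strings.
  try { return new URL(url).hostname; } catch { return null; }
}

function baseDomain(host) {
  // Assumption: base domain = last two labels. Real code uses the
  // Public Suffix List so that hosts like example.co.uk are handled.
  return host.split(".").slice(-2).join(".");
}

function uriMatches(item, pageUrl) {
  const page = hostOf(pageUrl), saved = hostOf(item.uri);
  if (!page || !saved) return false;
  switch (item.match) {
    case "host":        return page === saved;            // exact hostname
    case "base domain": return baseDomain(page) === baseDomain(saved);
    case "exact":       return pageUrl === item.uri;      // whole URL
    default:            return false;                     // "never" and unknown modes
  }
}

// Badge count shown on the extension icon: number of logins matching the page.
function matchCount(pageUrl, vault = VAULT) {
  return vault.filter((item) => uriMatches(item, pageUrl)).length;
}

// Autofill is offered only when at least one saved URI matches. A typo,
// a swapped letter or a homograph yields zero matches, so the user gets a
// mismatch warning instead of their credentials being filled.
function autofillDecision(pageUrl, vault = VAULT) {
  const n = matchCount(pageUrl, vault);
  return n > 0 ? `autofill (${n} match${n > 1 ? "es" : ""})` : "no match: warn before autofill";
}
```

Note that "www.wellsfaigo.com" never matches "www.wellsfargo.com" under any mode, and "wellsfargo.com" without the "www." fails the stricter "host" mode, which is the trade-off the per-item match setting controls.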

Similarly, in a scenario where a website could be compromised, it is possible for a malicious iFrame to steal credentials. Bitwarden will detect this iFrame and provide the user a warning, requiring confirmation before proceeding.

Once a vault item is saved, rather than browsing to the website or typing in the URL manually, simply find it in the vault and click the launch icon to go directly to the saved page. This prevents accidental mistakes that might lead to a typosquatting attack, where a hacker sets up a malicious website at a URL that might have been mistyped.

To make this easier, users can designate favorites to keep most-commonly used items handy. Admins can also set up favorites in their IdP dashboard and set up Automatic login with SSO, ensuring the correct website is always visited and users don't need to question whether or not to autofill.

Phishing blocker (coming soon)

In an upcoming release, Bitwarden will prevent users from even accessing a known phishing site. When a user tries to browse to a website that is in a phishing database, the Bitwarden phishing blocker will prevent the user from visiting, requiring additional confirmation to continue.

Stay alert

Phishing attacks can come via email, text message, voice message, chat apps, or when accidentally mistyping the URL for an intended website and ending up on a fake site. Any of the above can be combined into a socially engineered phishing attack intended to convince the user to give up something valuable like a password, government identification number, or credit card number.

To stay alert, the basics of internet safety apply. Here are a couple of examples and recommended ways to stop a phishing attack.

Imagine an email appearing to come from your bank that states your account has been disabled or that there has been suspicious activity. The email requests that you log in to confirm everything is okay. The email also includes a link, but instead of that link pointing to your real bank website, it points to a hacker website made to look like the real bank website. For example, the site might be called www.wellsfaigo.com, with an “i” instead of an “r”, which could be easy to miss.

A few recommended steps:

  • Check all aspects of the email to confirm it is from the proper institution. This includes looking at the email sender name as well as the accompanying email address (see Emails from Bitwarden). It’s important to learn the difference between a displayed email address and the real one, since email addresses can be “spoofed” and misleading. Also, mobile phones do not always show the sender’s full email address.

  • Hover over links to confirm they go to the proper website, and in general, avoid clicking on links since they can be designed to trick users. If you are concerned about the message in the email, it is always better to log directly into the account in question, and avoid any information sent to you via a suspicious email.

  • If concerned, call the institution or person who emailed you to confirm the email is real.

  • Do not open attachments from people you don’t know – or unexpected attachments from people you do know without checking first. It is possible that their email accounts may have been compromised in a separate phishing attack.


If you inadvertently click a link from a phishing email, you may end up on a website that looks familiar, but not quite right.

  • Verify URLs in your browser address bar to ensure you are in the right place. Pay close attention to minor spelling differences.

Password managers set a secure foundation

Beyond helping to thwart phishing attacks, password managers help you follow the password hygiene practices experts recommend, such as using long, complex, random, and unique passwords for every website. You can sync your passwords across all of your devices, and if working in a team, you can share them securely with end-to-end encryption.

Whether you want to set yourself or your business up for success, it is easy to get started with Bitwarden, an open source password manager for individuals and organizations. Visit bitwarden.com to learn more and sign up for a free account.

Get Started with Bitwarden

Ready to try out Bitwarden today? Quickly sign up for a free Bitwarden account, or register for a 7-day free trial of our business plans so your business and team can stay safe online.

Get started with Bitwarden today.