Helping people with computers... one answer at a time.

You can prevent phishing attacks several ways; the most common is to never click on an emailed link. Bookmarks can also be used to prevent phishing.

Let's say I know the correct address of my bank and I log in the first time I use my account. Once logged in, I click on a random link within the bank's web site, and make sure that the next page is an https page and the security lock is present. If I bookmark this page, and use only the bookmark as my means of accessing the web site, is there any possibility I can be phished?

"Any possibility" is kind of a strong statement, but in general the approach you describe is sound and something I'd feel safe doing myself. In fact, by virtue of using a password safe such as Roboform, it's pretty much exactly what I am doing.

There are still ways you can be compromised, though, so we need to look at just what a phishing attack is, and how you can prevent phishing, and more.

In the broad sense, phishing is just an attempt to get you to click on a link in email that claims to lead one place, but in fact leads somewhere else. If you do click through a phishing link, the destination site may well look like what you expected, but if you look closely at the domain in the address bar you'll typically see that it's not what you intended at all: a lookalike name, your bank's real name buried inside some other domain, or a bare IP address. Enter, say, your user name and password, and you've just handed it to a phisher.
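As an added example, not part of Leo's article, here is a small Python checker that applies the "look closely at the domain" advice to an emailed link before you visit it: it works out which host the browser would really connect to and compares that against a list of domains you trust. The trusted-domain list (TRUSTED_BANK_DOMAINS) and the sample links are constructed for illustration and are assumptions, not anything from the article.

```python
"""Added example (not from the original article): decide where an emailed
link really points before trusting it.

Assumptions: TRUSTED_BANK_DOMAINS is an illustrative list you would replace
with your own bank's domain; SAMPLE_LINKS are constructed test inputs."""
import ipaddress
from urllib.parse import urlsplit

TRUSTED_BANK_DOMAINS = {"paypal.com", "example-bank.com"}  # assumed list


def effective_host(url):
    """Return the lowercase hostname the browser would actually connect to.

    urlsplit discards user-info, so 'https://paypal.com@evil.example/' gives
    'evil.example', and it ignores the path, so '.../www.paypal.com/' in the
    path counts for nothing."""
    return urlsplit(url.strip()).hostname or ""


def is_ip_literal(host):
    """True for a bare IPv4/IPv6 address used in place of a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def belongs_to(host, domain):
    """True only if host is domain itself or a subdomain of it.
    'paypal.com.evil.example' ends with '.evil.example', not '.paypal.com'."""
    return host == domain or host.endswith("." + domain)


def check_link(url, trusted=TRUSTED_BANK_DOMAINS):
    """Return (verdict, reason); verdict is 'ok' or 'suspicious'."""
    parts = urlsplit(url.strip())
    host = effective_host(url)
    if parts.scheme.lower() != "https":
        return ("suspicious", "not https: %r" % parts.scheme)
    if not host:
        return ("suspicious", "no hostname")
    if is_ip_literal(host):
        return ("suspicious", "bare IP address instead of the bank's name")
    if any(label.startswith("xn--") for label in host.split(".")):
        return ("suspicious", "internationalized (punycode) hostname: " + host)
    if parts.username is not None:
        return ("suspicious", "user@ trick: real host is " + host)
    if not any(belongs_to(host, d) for d in trusted):
        return ("suspicious", "host %s is not a trusted bank domain" % host)
    return ("ok", host)


# Constructed sample links: one genuine, six of the usual tricks.
SAMPLE_LINKS = [
    "https://www.paypal.com/signin",               # genuine
    "https://paypal.com.account-verify.example/",  # bank name as a prefix
    "https://paypal.com@evil.example/login",       # user-info trick
    "http://www.paypal.com/login",                 # plain http
    "https://192.0.2.10/paypal/login",             # bare IP (TEST-NET)
    "https://xn--pypal-4ve.com/",                  # IDN/punycode lookalike
    "https://evil.example/www.paypal.com/",        # bank name in the path
]


def audit(links=SAMPLE_LINKS):
    """Map each link to its verdict; only the genuine one comes back 'ok'."""
    return {u: check_link(u) for u in links}


if __name__ == "__main__":
    for link, (verdict, reason) in audit().items():
        print("%-11s %s  (%s)" % (verdict, link, reason))
```

The point of `effective_host` is that it asks the same question the browser does. Everything before an `@`, everything after the first `/`, and any subdomain labels in front of the registrable name are exactly where phishers hide the bank's name, and none of them change where the connection goes.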

The conventional advice is to never click on links in email for sensitive sites, but rather always type them in by hand.

Using a bookmark of some sort is an acceptable approach as well: you're going to a site/page/URL that you know is correct, because you saved it earlier during a known safe visit to that site. Use that, and it's pretty much the same as having typed the address in by hand.

In either case, you've sidestepped the phishing attempt simply by not clicking on a link in email or on some other questionable site, and instead supplying the address yourself.

However, in theory, things could still be compromised in other ways.

As one example: a virus infecting your machine could alter your bookmarks. Use the bookmark you thought was for your bank, and you might get taken to a phishing site. For the record, I've not heard of any virus that actually does this, probably because once you've been infected there are simpler approaches to redirecting you to a phishing site.

That simpler approach is to modify your "hosts" file, and this is a fairly common approach some viruses take. The hosts file can contain "overrides", if you will, that your machine consults before it ever asks DNS, and that allow the attacker to point the actual domains of banks, anti-virus vendors, and more at servers of their own choosing. When this happens, "paypal.com" may not actually take you to PayPal, but to a malicious web site posing as PayPal.

Using a bookmark in this case doesn't save you, but then neither does typing in a URL by hand. If the malware has hijacked the very meaning of "paypal.com" on your machine, then there's little you can do about it. Your https bookmark does give the browser one last chance to object: an impostor server can't present a valid certificate for paypal.com, so you should see a certificate warning, unless the same malware has also installed its own root certificate, which malware that can edit your hosts file can equally do. Either way, a certificate warning on a site you reached through a bookmark is a red flag, not something to click through.
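As an added example, and not code from the article, the following Python script shows what a hosts-file hijack of the kind described above looks like and how to spot one: it parses hosts-file text and reports any entry that overrides a domain you care about. The watchlist and the sample hosts file are constructed for illustration (203.0.113.0/24 is documentation address space); the only facts taken as given are the hosts-file format and its standard locations, /etc/hosts on Unix-like systems and %SystemRoot%\System32\drivers\etc\hosts on Windows.

```python
"""Added example (not from the original article): audit a hosts file for
overrides of bank, payment, or anti-virus domains.

Assumptions: WATCHLIST is an illustrative list to replace with the domains
you actually use; SAMPLE_HOSTS is a constructed file, not a real capture."""
import ipaddress
import os
import sys

WATCHLIST = ("paypal.com", "example-bank.com", "update.example-av.com")  # assumed

# Constructed sample: the first three entries are ordinary, the rest is what
# a hosts-file hijack looks like (203.0.113.45 stands in for the attacker).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
::1             localhost
# block a tracker
0.0.0.0         tracker.example
203.0.113.45    paypal.com www.paypal.com
203.0.113.45    example-bank.com
127.0.0.1       update.example-av.com   # keeps the AV from updating
"""


def default_hosts_path():
    """Standard hosts-file location for the running platform."""
    if sys.platform.startswith("win"):
        root = os.environ.get("SystemRoot", r"C:\Windows")
        return os.path.join(root, r"System32\drivers\etc\hosts")
    return "/etc/hosts"


def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text.

    Format is 'IP name [alias ...]' per line; '#' starts a comment."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        ip, names = fields[0], fields[1:]
        for name in names:
            yield ip, name.lower()


def is_loopback_or_null(ip):
    """True for 127.x/::1 (loopback) and 0.0.0.0/:: (unspecified)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def covered(name, domain):
    """True if name is domain itself or a subdomain of it."""
    return name == domain or name.endswith("." + domain)


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (name, ip, kind) for every override of a watched domain.

    A bank or AV vendor's domain has no business in the hosts file at all:
    pointing it at a remote IP ('redirected') sends your login to an impostor;
    pinning it to loopback/0.0.0.0 ('blackholed') is how malware stops the
    anti-virus from updating."""
    findings = []
    for ip, name in parse_hosts(text):
        for domain in watchlist:
            if covered(name, domain):
                kind = "blackholed" if is_loopback_or_null(ip) else "redirected"
                findings.append((name, ip, kind))
    return findings


def audit_hosts_file(path=None, watchlist=WATCHLIST):
    """Audit the real hosts file on this machine."""
    with open(path or default_hosts_path(), "r", encoding="utf-8", errors="replace") as fh:
        return audit_hosts(fh.read(), watchlist)


if __name__ == "__main__":
    for name, ip, kind in audit_hosts(SAMPLE_HOSTS):
        print("%-11s %-24s -> %s" % (kind, name, ip))
```

Run `audit_hosts_file()` against your own machine; on a clean system the result for a bank or AV watchlist should be an empty list. Anything else is worth treating as an infection until proven otherwise, since a legitimate reason to hard-code a bank's address is hard to come by.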

The good news is that because this is such a common malware technique, most good anti-malware software will protect you from it.

And it also illustrates once again why prevention, not just through anti-malware software but by learning good internet safety habits, is so important.

So absolutely, use the bookmark - I do. But remember that you must also continue to rely on the rest of your internet safety strategies as well.

Article C3727 - May 9, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


8 Comments
Gigi
May 12, 2009 8:51 AM

The described procedure has a major weak point: for security reasons most banks log you out from your account when you leave their site; so, when you connect again to a page in which you previously entered after login, you would (at best) get bumped to a generic (non-secure) page or - usually - you get an error.
The safest way is to type the site's URL yourself, ideally in a Live-CD OS - no chance of infection so no chance of hijacking. Otherwise bookmark the site before login.

Brad
May 12, 2009 11:15 AM

I don't understand the basis of the question for this tip. Any bank that allows you to bookmark ANYthing other than their 'front page' or login screen is NO bank I'd want to do business with. What gigi said is true. TRY to bookmark anything 'inside' the bank site. If you CAN bookmark that page...change your bank.

Yikes, that seems kinda harsh. For the record, I disagree. Being able to bookmark a page is benign. One way or another, it's going to happen. Rather than disallowing it, banks should simply be handling the security implications of people using them. Depending on the implementation that could mean, as another commenter has stated, bouncing to a secure login page. But disallowing bookmarks completely is not only overkill, but ineffective.
- Leo
13-May-2009

George
May 12, 2009 12:15 PM

I agree with the previous comments, you should not be able to bookmark a secure banking site, it should go to the main login page only. In addition I use the ip number for the bank instead of a normal url. This still only takes you to the main login page. I type in the IP# such as 143.0.XXX.XXX. You can also save that in a program such as KeePass or Roboform and it will take you there immediately with auto login if you set it up correctly. Almost the same as using a url, but less chance of being redirected to some phony page.
(`._.nsv˷._.)
www.nscave.com

Linda
May 12, 2009 8:12 PM

I'm with all of you. Any bank that keeps you logged in to a secure site is NOT a bank I want to deal with. My bank has a 10 minute interval until you must sign in again. I like it.

For the record, this has nothing to do with bookmarking. It's very reasonable to have a bookmark deep in the bank's site, and have it bounce you to a login page if that's required. (The best will then return you to the page you bookmarked, after you've logged in).
- Leo
13-May-2009

J. Y.
May 17, 2009 10:02 AM

Back to the phishing problem... Another circumventing possibility? You can right-click on any link within an email, copy the shortcut and paste it to your browser address bar, see whether it is, indeed, the correct address before actually going to the site.

howiem
June 3, 2009 1:21 PM

I should have mentioned in my initial question that when one finishes a banking session, one should always log out and then close the browser window/tab. But this is not always possible (if the browser crashes, for example, in which case I restart the browser, log in and log out again). I also use Sandboxie and have separate sandboxes dedicated to each bank I use, plus No-Script and various web analysis tools to alert me to bad web sites.

One of the reasons for using an https bookmark is that as I understand it, a request to visit a web site goes through a Domain Name Server (DNS). Some are secure and some are not. By using the https bookmark, the request to visit a web site goes to a secure DNS and is redirected to the log-in page. Typing in an IP number will go to a non-secure DNS, and if it has been compromised (called DNS poisoning) it will make no difference if you use the normal URL or the IP number. But when using a bookmarked https address, the site visit request will go through a secure DNS, and I have not heard of any of those being compromised to date. Leo, correct me if I am wrong on this.

Using bookmarks does not have any effect on the banking session length, and because using https bookmarks is more secure, why in the world would a bank want to prevent bookmarking them?

I am curious as to how typing the correct IP number makes any difference in security. The request still has to go to an unsecure DNS. If you type the name of the site correctly, the DNS translates it to an IP number anyway, so while there might be a tiny increase in speed, it is no more secure than typing in the CORRECT name. And one can make a typo on an IP number just as one can mistype a word. Using a password manager is always a good idea, though, as long as you are sure you are on the genuine web site.

Build A Site
September 4, 2010 9:49 PM

Thanks for the effort you took to expand upon this post so thoroughly. I look forward to future posts.

WhatInTheWorldIsThis
November 14, 2010 1:01 PM

After opening my cable computer account I noticed in my address book , there was a Q=14454451545541445......................., Bookmark My Account was also shown as the contact. I have asked a couple of IP guys that I know and they do not seem to know what this is? Leo please help!

Sorry. No idea.
Leo
15-Nov-2010
