National Police: "If you have too many windows open in your browser, you could become the perfect victim of tabnabbing."

Getting into the habit of keeping numerous browser windows open could put your computer or mobile phone at risk. This common habit, especially among those who work or browse the internet daily, can make users easy targets for increasingly frequent social engineering attacks. The National Police warn that this behavior can facilitate cybercriminals' access to sensitive information without the user's knowledge.

The technique in question is known as tabnabbing , a variant of phishing that takes advantage of inactive tabs to replace their content with fake pages that imitate legitimate websites. " The cybercriminal will replace one of those websites that you yourself opened with a malicious copy with a similar appearance. When you return to one of those tabs and with the excuse that the session has expired, they may ask you for passwords, personal or banking information that you may provide thinking you are on the website that you yourself opened," the agent explained on TikTok.

What is tabnabbing and why is it so dangerous?

This digital scam takes two main forms, according to the National Cybersecurity Institute (Incibe) . Classic tabnabbing occurs when a seemingly secure page remains open and, in the background, changes its content to fake content that mimics services like Gmail, Facebook, or banking institutions. On the other hand, reverse tabnabbing is triggered by clicking on a link that opens a new tab. This new window can automatically modify the previous one, causing the user to fall into the trap upon returning without noticing the change.

Both methods have something in common: they exploit users' trust in tabs they've opened on their own, making them believe they're still browsing in a secure environment. The most direct consequence is the theft of personal data, bank details, or passwords that can compromise not only individual accounts but also corporate platforms.

The police indicate how to avoid these types of attacks with a simple change of habits: "Keep only the tabs you're currently using open and close all other tabs." They also remind you of the importance of verifying the web address at all times: "Check the URL of websites that request your information again to verify that it hasn't been replaced with a malicious copy."

Other protective measures recommended by Incibe's cybersecurity experts include not reusing passwords across different services—which could facilitate mass access if a single platform is compromised—and opting for secure password managers such as Bitwarden, 1Password, or LastPass. It's also a good idea to activate two-factor authentication (2FA) whenever possible and keep your browser updated, as the latest versions fix known vulnerabilities. Additionally, there are browser extensions that help block malicious content. These include uBlock Origin , which filters suspicious ads and scripts, and NoScript , designed for advanced users who want more precise control over which scripts run on each page.