Warning: your computer doesn't protect you from phishing

Find out why we were were disappointed in the security offered by Windows Defender and macOS, and how it compares to free and paid-for antivirus in our tests
Callum PearsResearcher & writer

Callum pushes tech to its limits and has spent nearly three years bombarding antivirus with malware, taxing routers and inspecting computer monitors

If you treat yourself to some new tech this Black Friday, or if you're lucky enough to receive a laptop or PC for Christmas, you might assume that the native protections – Windows Defender and the security offered by macOS – will provide protection against phishing attacks.

That's why when we test free and paid antivirus, we also include built-in Apple and Windows protections, to see how they really stand up against growing threats like phishing. 

Phishing webpages are designed to coerce you into disclosing data, such as payment details, passwords or other personal information, which is then used by scammers to gain access to your online accounts or steal money. Alternatively, it can be used to trick you into clicking on a dodgy link or opening a corrupted file. These are typically infested with malware and spyware used to compromise your computer.

We bombard every software we test with tens of thousands of threats, including a variety of phishing pages, to see how many dubious websites they can detect.

Jump straight to the best Windows antivirus software and best Mac antivirus software to find out which free and paid-for antivirus will keep your devices safe

Can Windows Defender detect phishing?

The Microsoft Defender shortcut on a computer

Defender is a separate security feature within Microsoft Windows. Strictly-speaking it's not antivirus software, but it offers many of the same protections and features. It's pre-installed on all Windows 10 and 11 devices, and it works actively and quietly in the background from the moment you turn your computer on. 

While it's good to know it's there, it can't be relied on alone to protect you from phishing sites. 

Over the years our tests have found that Defender still lags behind most third-party antivirus, especially when it comes to protecting against phishing attacks. 

Defender uses Microsoft SmartScreen in the Edge browser to monitor for phishing – Apple does something similar with macOS (see below). 

Unfortunately Microsoft SmartScreen was disappointing in our tests, failing to detect any of the new phishing test pages we subjected it to. 

Even the lowest-scoring Windows antivirus provides much better and broader protection against phishing than just relying on Windows Defender by itself, although obviously we would always recommend installing a top-notch Best Buy antivirus.

Can built-in macOS protect against phishing?

MacOS on a mac laptop

The Mac ecosystem is a far more strictly controlled, regulated and confined environment and Apple oversees what third-party software is released on it. 

This ‘walled garden’, as it’s colloquially known, makes it harder and less profitable for criminals to unleash malicious software on it.

But don't mistakenly think that Macs are invulnerable to online threats, particularly when it comes to protection against phishing attacks. 

Here, like Microsoft, Apple outsources protection – it uses Google Safe Browsing to identify fraudulent websites on the Safari browser. 

In our tests earlier this year the Apple Mac operating system (macOS) has improved slightly in terms of tackling malware, but it completely failed to detect the new phishing sites we threw at it. Similar to Windows Defender, it lags way behind even mediocre third-party antivirus. 

So with free Mac antivirus scoring well in our tests, it’s worth considering as a boost to your otherwise lightly defended Mac.

Get more from tech

free newsletter

Cut through the jargon with our free monthly Tech newsletter.

Our free Tech newsletter delivers tech-related content, along with other information about Which? Group products and services. We won't keep sending you the newsletter if you don't want it – unsubscribe whenever you want. Your data will be processed in accordance with our privacy notice.

Common phishing attacks you need to look out for

Woman using a computer

Urgent bank issue - mimicking banking correspondence is a common tactic. By stressing urgency and consequence, the aim is to coerce you into giving your bank details or clicking on a dodgy link. Banks never ask for details in this way. If you’re ever unsure, confirm with your bank on a verifiable number.  

Account will be deactivated - a random email alerting you that a vital account will be closed is a common phishing strategy. Scammers will pretend to be widely used websites (such as Amazon, Google or PayPal) and stress that if you don’t hand over your account details, it will be closed. 

Social media compromised - social media accounts are treasure troves of personal information that criminals can use against you and others. Scammers can create fake login pages to allow them access and even hijack accounts. This allows criminals to spy on you, collect data and even impersonate you. 

Calendar invite deception - malicious calendar invites are a growing phishing scam. This targets people who regularly use a virtual calendar to manage appointments, as the fakes are mixed in among genuine invites. They typically include dodgy links and attachments, or request sensitive information.

Our top three phishing tips

A keyboard with a fishing hook on it

Before clicking on a link in an email or text, we always advise:

  1. Double-check the sender's details and the domain name (the bit in the address bar, for example www.which.co.uk). Is it actually the website you thought you were going to, or is it a misspelling or something completely different? 
  2. Is the information being asked for relevant and do you normally give this information? Is a website asking for extra payment or login details that you don’t normally provide?
  3. Were you expecting to receive the link? Did the link come from someone you rarely speak to, or in a way that is out of character? 

If you spot any of these three things in the message, it's most likely a scam or a phishing link. Don't click on any links or share any personal data. 

If the message is from someone you know, call them directly. Or if it's from your bank or another business, call them on a trusted number or type the URL directly into your browser (use a search engine if you aren't sure). 

Then, check the website for the best way to contact the company. This may take a little longer, but you’ll know you aren’t being scammed.

Keep ahead of the game with the latest scam alerts from Which? If you come across a scam make sure to let us know by using our scam sharer tool

Sign up for Which? Tech Support

  • One-to-one support from our friendly Tech Support team, ready to respond to unlimited member queries 
  • Receive the UK's largest computing and technology title, published six times a year
  • Easy, jargon-free advice so you can make the most of your tech products.

You can sign up online to Which? Tech Support, or contact our helpful customer service team today on 029 2267 0000.

More on this