Windows 11 Now Offers Automatic Phishing Protection
You’re safer than ever—here’s how.
The latest September 2022 version 22H2 update for Windows 11 includes a new feature designed to keep you even safer than before from phishing attacks: the practice of bad actors attempting to get you to reveal your usernames and passwords so they can log in rather than break in to your accounts.
These sneaky deceptions are usually carried out over email, but they don’t always have to be. Requests for your login details—made up to look like they’re from genuine, respected sources—can also arrive over instant messengers, social media platforms, and SMS texts (which is then known as smishing rather than phishing).
The new protections don’t need much in the way of setup or configuration—the idea is they just work when required. It’s still important to be aware of how they work, and how they keep you safe.
How Phishing Works
Phishing has been going on for a long, long time and takes many different forms. What phishing scams all have in common, however, is that they try to get you to part with your username and password details for a particular account. This is typically done through some smart subterfuge to make it look as though you’re dealing with someone credible (at your bank, on a social media platform, or at your work) rather than a hacker.
For example, you might get an email that looks as though it’s from your credit card company and asks for changes to be made to your account: It would redirect you to a scam website mocked up to look authentic. Once you innocently log in with your normal details, they’re then in the hands of the phishers.
Or you might get an email purporting to be from your boss in the office several floors above you. It could ask you to log in to a particular company website (which again would be a fraudulent copy of the actual site), for instance, or it might ask you to simply email over a list of usernames and passwords as a matter of urgency.
Phishing attacks shape-shift to maximize their chances of success: They typically contain warnings and often put a time limit on responses (giving you less time to think about what you’re doing). Recent scams focusing on the coronavirus pandemic involved emails that hid malevolent purposes behind health and safety information.
Many phishing attempts are cleverly done and difficult to spot, but by taking your time and being cautious about any kind of digital communication that comes your way, you can usually steer clear of them—if something seems suspect, then it probably is. We’ve written more about staying safe in our guide to avoiding phishing scams.
Enhanced Phishing Protection
One way to stay safe against phishing attacks is to keep your computer’s software—from the operating system to your web browser—up to date. Modern-day applications are built with security in mind and should throw up warnings when the majority of phishing attacks are detected.
This brings us to the enhanced phishing protection now available in Windows 11. As we mentioned above, a lot of it works in the background: Whenever you enter a password into any application or website, Windows will check whether or not there’s a secure connection to a trusted place on the web receiving that information.
If not—if your username and password data have been sent somewhere unknown and potentially untrustworthy—you’ll see a message onscreen advising you to change your password to something different. The idea is that you’ll be able to modify your login credentials before anyone has been able to exploit them.
That’s not all. The new enhanced phishing protection built into Windows will also keep an eye on passwords that you use for programs and websites and warn you if any of them match the password you also use to sign into Windows: Keeping each of your passwords separate and unique is important for keeping your accounts safe.
As you might already know, you can also ditch the password for your Microsoft and Windows accounts and use a prompt on your phone to log in instead. This is an option that’s becoming increasingly popular—while it’s not 100 percent perfect (no security solution is), it’s theoretically harder for someone to physically steal your phone off you than it is to steal a password through phishing.