Google Chrome ‘worst browser for stopping phishing attacks’
The popular browser only blocks a quarter of phishing attacks, according to a Which? investigation.
Researchers found that Google Chrome only prevented investigators from reaching 28% of the phishing sites they tried to access on Windows and only 25% on Mac. In comparison, the best performer, Firefox, made by the not-for-profit Mozilla Foundation, stopped 85% of phishing attacks on Windows and 78% on Mac.
Phishing attacks can arrive in a number of different ways, including via emails, SMS texts or dodgy online adverts. If a user attempts to visit the web address by searching for it in their web browser, a good browser would detect the phishing attempt and block the user from accessing the site.
Phishing attacks are designed to trick users into entering sensitive data, such as payment details, passwords and other personal information. This data can then be used by cybercriminals to gain access to online accounts and steal money.
Hacker sites can impersonate any type of website such as banks or delivery companies, but scammers also often impersonate UK government services, such as HMRC and DVLA.
To test whether each web browser was able to adequately detect phishing attacks, Which? entered the web addresses of 800 newly discovered phishing sites into each web browser very shortly after the sites were first discovered.
The test also checked whether the best-performing browsers were simply overly aggressive in blocking sites, throwing up ‘false positives’ that make browsing the web unnecessarily cumbersome.
Top performer Firefox prevented more phishing attacks than Edge, the default browser on Microsoft Windows, which blocked 82% of the phishing attacks, and Safari, the default browser on Apple macOS, which blocked 77% of the attacks. Opera, meanwhile, only managed to prevent 56% on both Mac and Windows operating systems.
Which? said web browsers should be able to efficiently detect and block known phishing sites by accessing a database. However, browsers should also be able to detect new and emerging phishing attempts and block them as fast as possible.
Phishing sites don’t tend to last very long. Once they have been detected, they can be blocked, but some still slip through the net, and scammers can launch new URLs very quickly.
When Which? shared its testing information and results, Google questioned the findings.
A Google spokesperson said: “This study’s methodology and findings demand scrutiny. For more than 10 years, Google has helped set the anti-phishing standard — and freely provided the underlying technology — for other browsers.
“Google and Mozilla often partner to improve the security of the web, and Firefox relies primarily on Google’s Safe Browsing API to block phishing – but the researchers indicated that Firefox provided significantly more phishing protection than Chrome. It’s highly unlikely that browsers using the same technology for phishing detection would differ meaningfully in the level of protection they offer, so we remain sceptical of this report’s findings.”
However, Which? believes the investigation shows that the company needs to do more to detect and prevent phishing attacks on Chrome.
Lisa Barber, Which? Computing editor, said: “It’s incredibly alarming to see that a huge company like Google is allowing the security of its users to be exposed in this way – a gift to fraudsters who are constantly trying to use phishing attacks as a launchpad for scams that can have a devastating impact on victims.
“If you are worried about your safety online, remaining vigilant when clicking a link, installing a top quality free or paid antivirus package, keeping your browser up to date and signing up to our free scams alerts email will all massively increase your protection from malicious websites.”