Slipping through the net – Google Chrome only preventing a quarter of phishing attacks

Despite being the most used web browser in the UK, Google Chrome is the worst for detecting and blocking phishing attacks like the links to fake Royal Mail sites that appear in delivery scam texts, according to a new Which? investigation.

Phishing attacks can happen in a number of different ways including via emails, SMS texts or as a dodgy online advert. If a user attempts to visit the web address by searching for it in their web browser, Which? would expect a good browser to detect a phishing attempt and block the user from accessing the site.

Phishing attacks are designed to trick users into entering sensitive data, such as payment details, passwords and other personal information. This data can then be used by cybercriminals to gain access to online accounts and steal money. Phishing sites can impersonate any type of website, such as banks or delivery companies, but scammers also often impersonate UK government services, such as HMRC and DVLA.

In Which?’s test, Google Chrome was found to be the worst for detecting phishing attacks as it only prevented investigators from reaching 28 per cent of the phishing sites they tried to access on Windows and only 25 per cent on Mac – far below the 85 per cent achieved by the best performer.

To test whether each web browser was able to adequately detect phishing attacks, Which? entered the web addresses of 800 newly discovered phishing sites into each web browser very shortly after the sites were first discovered.

The test also checked whether the best-performing browsers were simply overly aggressive in blocking sites, throwing up ‘false positives’ that make browsing the web unnecessarily cumbersome.

The web browser that performed best and prevented 85 per cent of phishing attacks on Windows and 78 per cent on Mac was the Firefox browser made by the not-for-profit Mozilla Foundation.

Firefox prevented more phishing attacks than the Microsoft Windows default browser Edge, which blocked 82 per cent of the phishing attacks, and the Apple MacOS default browser Safari, which blocked 77 per cent of the attacks. Opera, meanwhile, only managed to prevent 56 per cent on both Mac and Windows operating systems.

Web browsers should be able to efficiently detect and block known phishing sites by accessing a database. However, browsers should also be able to detect new and emerging phishing attempts and block them as fast as possible.

Phishing sites do not tend to last very long. Once they have been detected, they can be blocked, but some still slip through the net, and the scammers can launch new URLs very quickly.

Google Chrome users may get phishing protection from other services, such as an email or messaging platform. However, most people would expect more from the most popular web browser on the market.

When Which? shared its testing information and results, Google questioned the findings. However, Which? believes they show that the company needs to do more to detect and prevent phishing attacks on Chrome. If browsers such as Firefox can do this, there is no reason the UK’s most popular browser should be falling short.

Google, like all companies, has a duty to prevent online fraud on its platforms.

 

Lisa Barber, Which? Computing Editor, said:

“It’s incredibly alarming to see that a huge company like Google is allowing the security of its users to be exposed in this way – a gift to fraudsters who are constantly trying to use phishing attacks as a launchpad for scams that can have a devastating impact on victims.

“If you are worried about your safety online, remaining vigilant when clicking a link, installing a top quality free or paid antivirus package, keeping your browser up to date and signing up to our free scams alerts email will all massively increase your protection from malicious websites.”

ENDS

 

Notes to editors:

Which? has a wealth of free tips and advice on how to stay safe from scams, including our Scam Alerts email. Our guide on How to spot a fraudulent or scam website is full of useful tips on how to avoid getting caught out.

Businesses can also take steps to differentiate their legitimate communications from fraudulent messages by signing up to the SMS best practice guide.

Which? research

How browsers performed in Which?’s independent tests, depending on which operating system they were installed on. The percentage score is the proportion of phishing sites the browser prevented the user from reaching.

Windows

  • 85% Mozilla Firefox 
  • 82% Microsoft Edge 
  • 56% Opera
  • 28% Google Chrome 

Mac

  • 78% Mozilla Firefox 
  • 77% Apple Safari 
  • 56% Opera
  • 25% Google Chrome 

 

*Google Chrome is used by 67.3% of computer users online, according to web analytics company Statcounter, making it by far the most popular web browser. Therefore its performance in our phishing test might come as a surprise. 

*Our top-scorer, Firefox, doesn’t have a huge user base (just 7.5%). However, it is slightly ahead of the Microsoft Windows default browser Edge, and the Apple MacOS default browser Safari. Plus it’s some distance ahead of Opera and miles ahead of Chrome.

How you can stay safe from phishing attacks

Our tests of the best antivirus software focus not just on malware, but also on phishing protection. We’ve found that even free anti-phishing tools can massively increase your protection from malicious websites and are well worth installing if you’re worried. 

Our top three phishing tips

Some basic diligence you should always do when clicking on a new link shared with you includes:

  1. Double-check the domain name (the bit in the address bar, such as which.co.uk). Is it actually the website you thought you were going to, or is it a misspelling or something completely different? 
  2. Is the information being asked for relevant and do you normally give this information? Is a website asking for extra payment or login details that you don’t normally provide?
  3. Were you expecting to receive the link? Did the link come from someone you rarely speak to, or in a way that is out of character? 

 

If you spot any of these three things, it could be a scam or a phishing link. 

Google right of reply

When presented with Which?’s testing information and findings, a spokesperson said:

‘Like many other popular browsers, Chrome uses Google’s Safe Browsing API to protect users from phishing and malware. In addition to standard Safe Browsing protection, Chrome offers anti-phishing features such as Predictive Phishing Protection and Enhanced Safe Browsing.

‘With very little context on the methodology of this report, it is difficult to comment and until seeing the report, we question the validity of its findings.’

Google then provided an updated quote just before publication. A spokesperson said:

“This study’s methodology and findings demand scrutiny. For more than 10 years, Google has helped set the anti-phishing standard — and freely provided the underlying technology — for other browsers. Google and Mozilla often partner to improve the security of the web, and Firefox relies primarily on Google’s Safe Browsing API to block phishing – but the researchers indicated that Firefox provided significantly more phishing protection than Chrome. It’s highly unlikely that browsers using the same technology for phishing detection would differ meaningfully in the level of protection they offer, so we remain sceptical of this report’s findings.”

About Which?

Which? is the UK’s consumer champion, here to make life simpler, fairer and safer for everyone. Our research gets to the heart of consumer issues, our advice is impartial, and our rigorous product tests lead to expert recommendations. We’re the independent consumer voice that influences politicians and lawmakers, investigates, holds businesses to account and makes change happen. As an organisation we’re not for profit and all for making consumers more powerful.

 

The information in this press release is for editorial use by journalists and media outlets only. Any business seeking to reproduce information in this release should contact the Which? Endorsement Scheme team at endorsementscheme@which.co.uk.

 
