Warning: your computer doesn't protect you from phishing

Find out why we were were disappointed in the security offered by Windows Defender and macOS, and how it compares to free and paid-for antivirus in our tests
Callum PearsResearcher & writer

Callum pushes tech to its limits and has spent nearly three years bombarding antivirus with malware, taxing routers and inspecting computer monitors

If you treat yourself to some new tech this Black Friday, or if you're lucky enough to receive a laptop or PC for Christmas, you might assume that the native protections – Windows Defender and the security offered by macOS – will provide protection against phishing attacks.

That's why when we test free and paid antivirus, we also include built-in Apple and Windows protections, to see how they stand up against growing threats such as phishing. 

Phishing webpages are designed to coerce you into disclosing data, such as payment details, passwords or other personal information, which is then used by scammers to gain access to your online accounts or steal money. Alternatively, it can be used to trick you into clicking on a dodgy link or opening a corrupted file. These are typically infested with malware and spyware used to compromise your computer.

We bombard every software we test with tens of thousands of threats, including a variety of phishing pages, to see how many dubious websites they can detect.

Jump straight to the best Windows antivirus software and best Mac antivirus software to find out which free and paid-for antivirus will keep your devices safe

Can Windows Defender detect phishing?

The Microsoft Defender shortcut on a computer

Defender is a separate security feature within Microsoft Windows. Strictly speaking, it's not antivirus software, but it offers many of the same protections and features. It's pre-installed on all Windows 10 and 11 devices, and it works actively and quietly in the background from the moment you turn your computer on. 

While it's good to know it's there, it can't be relied on alone to protect you from phishing sites. 

Over the years, our tests have found that Defender still lags behind most third-party antivirus software, especially when protecting against phishing attacks. 

Defender uses Microsoft SmartScreen in the Edge browser to monitor for phishing – Apple does something similar with macOS (see below). 

Unfortunately, Microsoft SmartScreen was disappointing in our tests, failing to detect any of the new phishing test pages we subjected it to. 

Even the lowest-scoring Windows antivirus provides much better and broader protection against phishing than just relying on Windows Defender by itself, although obviously, we would always recommend installing a top-notch Best Buy antivirus.

Which? Tech Support package

Get a year of super-useful advice

Solve your tech issues and get expert buying advice whenever you need it, all year for only £36.75 that’s 25% off.

Join Which? Tech Support

Offer ends 8th January 2026

Already a Tech Support member? For more help and 1-2-1 technical advice, including buying advice and advice on dealing with scams and malware, go to our Tech Support online booking tool.

Can built-in macOS protect against phishing?

MacOS on a mac laptop

The Mac ecosystem is a far more strictly controlled, regulated and confined environment, and Apple oversees what third-party software is released on it. 

This ‘walled garden’, as it’s colloquially known, makes it harder and less profitable for criminals to unleash malicious software on it.

But don't mistakenly think that Macs are invulnerable to online threats, particularly when it comes to protection against phishing attacks. 

Here, like Microsoft, Apple outsources protection – it uses Google Safe Browsing to identify fraudulent websites on the Safari browser. 

In our tests earlier this year, the Apple Mac operating system (macOS) has improved slightly in tackling malware, but completely failed to detect the new phishing sites we threw at it. Similar to Windows Defender, it lags way behind even a mediocre third-party antivirus. 

So with free Mac antivirus scoring well in our tests, it’s worth considering as a boost to your otherwise lightly defended Mac.

Get more from tech

free newsletter

Cut through the jargon with our free monthly Tech newsletter.

Our free Tech newsletter delivers tech-related content, along with other information about Which? Group products and services. We won't keep sending you the newsletter if you don't want it – unsubscribe whenever you want. Your data will be processed in accordance with our privacy notice.

Common phishing attacks you need to look out for

Woman using a computer

Urgent bank issue - mimicking banking correspondence is a common tactic. By stressing urgency and consequence, the aim is to coerce you into giving your bank details or clicking on a dodgy link. Banks never ask for details in this way. If you’re ever unsure, confirm with your bank on a verifiable number.  

Account will be deactivated - a random email alerting you that a vital account will be closed is a common phishing strategy. Scammers will pretend to be widely used websites (such as Amazon, Google or PayPal) and stress that if you don’t hand over the details of your account, it will be closed. 

Social media compromised - social media accounts are treasure troves of personal information that criminals can use against you and others. Scammers can create fake login pages to allow them access and even hijack accounts. This allows criminals to spy on you, collect data and even impersonate you. 

Calendar invite deception - malicious calendar invites are a growing phishing scam. This targets people who regularly use a virtual calendar to manage appointments, as the fakes are mixed in among genuine invites. They typically include dodgy links and attachments, or request sensitive information.

Our top three phishing tips

A keyboard with a fishing hook on it

Before clicking on a link in an email or text, we always advise:

  1. Double-check the sender's details and the domain name (the bit in the address bar, for example, www.which.co.uk). Is it actually the website you thought you were going to, or is it a misspelling or something completely different? 
  2. Is the information being asked for relevant, and do you normally give this information? Is a website asking for extra payment or login details that you don’t normally provide?
  3. Were you expecting to receive the link? Did the link come from someone you rarely speak to, or is in any way out of character? Are you being asked to give information that you have previously been warned to never to hand over?

If you spot any of these three things in the message, it's most likely a scam or a phishing link. Don't click on any links or share any personal information. 

If the message is from someone you know, call them directly. Or if it's from your bank or another business, always call it on a trusted number to confirm. This can be found on the main webpage which you should search for separately - don’t click on any suspect links. 

If you come across a scam, let us know by using our scam sharer tool

More on this