The Windows 11 2022 Update (version 22H2) includes a new feature designed to keep you even safer from phishing attacks, in which bad actors attempt to get you to reveal your usernames and passwords so they can log in to your accounts rather than break into them.
These sneaky deceptions are typically carried out via email, but this is not always the case. Requests for your login information, disguised as coming from legitimate, trusted sources, can also arrive via instant messengers, social media platforms, and SMS texts (in which case the attack is known as smishing rather than phishing).
The new safeguards don’t require much in the way of setup or configuration—the idea is that they only work when needed. It’s still critical to understand how they work and how they keep you safe.
How Phishing Works
Phishing has been around for a long time and comes in a variety of forms. What all phishing scams have in common is that they attempt to obtain your username and password details for a specific account. This is usually accomplished through some clever deception to make it appear as if you’re dealing with someone credible (at your bank, on a social media platform, or at work) rather than a hacker.
For example, you may receive an email that appears to be from your credit card company and requests changes to your account. The email would take you to a fake website designed to look authentic. When you log in with your normal credentials, the phishers have access to them.
Alternatively, you could receive an email purporting to be from your boss in the office several floors above you. It could ask you to log in to a specific company website (again, a fraudulent copy of the actual site), or it could simply ask you to email over a list of usernames and passwords as a matter of urgency.
Phishing attacks take on different forms to increase their chances of success: They typically include warnings and frequently place a time limit on responses (giving you less time to consider what you’re doing). Recent scams centered on the coronavirus pandemic included emails that concealed malevolent intentions behind health and safety information.
Many phishing attempts are deceptive and difficult to detect, but by taking your time and being cautious of any digital communication that comes your way, you can usually avoid them—if something appears suspicious, it probably is. More information about staying safe can be found in our guide to avoiding phishing scams.
Enhanced Phishing Protection
One way to protect yourself from phishing attacks is to keep your computer’s software up to date, from the operating system to your web browser. Modern applications are designed with security in mind, and the majority of phishing attacks should trigger warnings.
This brings us to the improved phishing protection included in Windows 11. As previously stated, much of it occurs in the background: When you enter a password into any application or website, Windows checks whether that information is being sent over a secure connection to a trusted location on the internet.
If not—if your username and password data were sent somewhere unknown and potentially unsafe—you’ll see a message onscreen advising you to change your password. The idea is that you’ll be able to change your login credentials before anyone else can.
That isn’t all. The new enhanced phishing protection built into Windows will also monitor your passwords for programs and websites and alert you if any of them match the password you use to sign into Windows: It is critical to keep each of your passwords separate and unique in order to keep your accounts secure.
As you may be aware, you can also forego using a password for your Microsoft and Windows accounts in favor of a prompt on your phone to log in. This is a popular option because, while it’s not perfect (no security solution is), it’s theoretically harder for someone to physically steal your phone from you than it is to steal a password through phishing.