Test driving Internet Explorer 7's phishing filter

Juha Saarinen, posted: 10-Jun-2006 11:39

A phish for Kiwibank arrived in my Windows Live Mail inbox, so I thought it would be a useful "guinea pig" to see how IE7's phishing filter handles these things. With the phishing filter set to automatically check sites, I click on the link in the message - which doesn't do anything, because Windows Live Mail is suspicious of the message, and has disabled images and links in it. Good stuff that. I'm liking Live Mail more and more actually.

For the sake of this test, I disable Live Mail's security measures and click through to the site. It's clearly a phishing site, as the URL is different from the expected www.kiwibank.co.nz:

[Screenshot: Kiwibank logon page on the bogus URL]

But, even though the URL is bogus and it's not an HTTPS secured logon page, IE7's automatic phishing filter doesn't bat an eyelid. I ask the phishing filter to check it manually, but again, IE7 says all's well:

[Screenshot: IE7 phishing filter reporting the site as not suspicious]

Hmm, OK. It's just one example, so it's not a conclusive test of the phishing filter's capabilities. However, I do have a problem with the sentence "This website is not a suspicious or reported phishing website." If you think about it, Microsoft and IE7 have just told you the website is fine, so I expect some people at least will trust that statement. This is borderline stupid, actually. The dialogue text needs to be rephrased so as not to fool people into trusting fraudulent websites that the phishing filter fails to recognise.

As IE7 didn't recognise it, I decide to do the community thing and report the phishing website. You can do this straight from the Phishing Filter -> Report This Website item in the Tools menu on IE7.

It's a straightforward web form, so I won't bother with a screenshot of it. You see the URL for the website you want to report, and are asked to confirm the language of the site, plus tick a box that indicates you believe it's a phishing site. Then you press a Submit button and see this sort of rather elaborate Captcha that really isn't easy to read:

I suspect that many non-technical users will stumble on this page. After you've figured out the Captcha characters and entered them correctly, you Continue to the confirmation:


That's it - no indication as to what happens next. How long before the site is checked? Microsoft doesn't give any time estimate as to that, unfortunately. Furthermore, there's no way to locally mark phishing sites as such, which is a real miss. When you check the site again manually, you get the dialogue that states it's not a phishing site. This really isn't well thought out.
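As an added illustration (not code from the original post, and not how IE7's filter works), here is the kind of local check the post says the browser lacks: it compares the logon URL's host against the expected Kiwibank domain, insists on HTTPS, and consults a user-maintained blocklist, the "mark it locally" feature missing from IE7. The expected domain is taken from the post's www.kiwibank.co.nz; the blocklist entry and sample URLs are constructed and use reserved .test names.

```python
from urllib.parse import urlparse

# The legitimate bank domain, derived from the expected www.kiwibank.co.nz in the post.
EXPECTED_DOMAIN = "kiwibank.co.nz"
# A user-maintained local blocklist: the "mark it locally" feature IE7 lacked.
# The entry is a constructed example using a reserved .test name.
LOCAL_BLOCKLIST = {"kiwibank-secure-logon.test"}


def check_logon_url(url, expected_domain=EXPECTED_DOMAIN, blocklist=LOCAL_BLOCKLIST):
    """Return the reasons a logon URL looks suspicious; an empty list means it passes."""
    reasons = []
    parts = urlparse(url)
    # .hostname strips any user:pass@ prefix and the port and lowercases the host,
    # so "https://www.kiwibank.co.nz@evil.test/" yields evil.test here, not the bank.
    host = parts.hostname or ""
    if parts.scheme != "https":
        reasons.append("not an HTTPS page")
    if parts.username or parts.password:
        reasons.append("credentials embedded before '@' in the URL")
    if host in blocklist:
        reasons.append("host is on the local blocklist")
    if not host:
        reasons.append("no host in URL")
    elif host.replace(".", "").isdigit():
        reasons.append("host is a bare IP address")
    elif host != expected_domain and not host.endswith("." + expected_domain):
        # The leading dot matters: it rejects lookalikes such as
        # www.kiwibank.co.nz.logon.test and evilkiwibank.co.nz.
        reasons.append("host %r is outside %r" % (host, expected_domain))
    return reasons


def verdict(url):
    """One-word summary suitable for a local warning dialogue."""
    return "SUSPICIOUS" if check_logon_url(url) else "OK"


if __name__ == "__main__":
    # Constructed sample URLs; only the first is the genuine logon address.
    samples = [
        "https://www.kiwibank.co.nz/logon",
        "http://www.kiwibank.co.nz.logon.test/ib/",
        "https://www.kiwibank.co.nz@kiwibank-secure-logon.test/",
        "http://192.0.2.10/kiwibank/",
    ]
    for u in samples:
        print(verdict(u), u, check_logon_url(u))
```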

I'm giving the IE7 phishing filter low marks for usability because of this and the "trust us, it's safe" dialogue above. Microsoft needs to have a think about the above before the final version of IE7 is released.

Content copyright © Juha Saarinen. If you wish to use the content of my blog on your site, please contact me for details. I'm usually happy to share my material as long as it's not for spamblogs and content farms. Please attribute with a link back to this blog. If you wish to advertise on my blog, please drop me an email to discuss the details.