
Phishing scams are difficult for computers to identify and difficult to protect against. Ultimately you are the best defense against phishing scams.

What free phishing program do you recommend?

I'll start by assuming you're looking for an anti-phishing tool, to protect you from phishing scams, just like we refer to anti-virus programs to protect us from viruses and anti-spyware tools to protect against spyware.

If you're looking for software to create phishing scams ... well, you came to the wrong place.

Phishing is interesting, and difficult to protect against.

But I do have a strong recommendation for the absolute best anti-phishing tool.


You are the best anti-phishing tool. In fact, in some cases you are the only possible anti-phishing tool.

Yes, I'll discuss some software solutions, since I know that's what you really mean, but phishing is so unique that they simply can't do the same job that you can.


It's all about education, common-sense and healthy skepticism.

The problem is that phishing uses something we've come to call "social engineering". Phishing attempts aren't software; they're not some program that gets deposited on your computer, and they're not even necessarily web sites or bad URLs that you might be able to check for.

Phishing attempts are all about fooling you, not the computer.

Consider the classic case: you have a Hotmail account and you receive an email warning that you will lose your account unless you reply with important information like your social security number, your email address and your password.

No software. No viruses or malware. No malicious web sites. Just an email.

It's an email that's attempting to fool you into doing something that you absolutely should not do. Following that email's instructions is exactly what will cause your account to disappear, because it's then immediately accessed by the bad guys who sent that email.

That's phishing.

That's tricking you into doing something that you shouldn't do.

There's no software in the world that's going to somehow magically make that go away.

Yes, anti-malware software may kill most forms of viruses or spyware that try to present phishing attacks, link checkers may identify many of the links to known malicious sites that attempt to present phishing attacks, and even spam filters may attempt to block messages that are obvious phishing attempts.

But a) that's not their primary function, and b) I guarantee you they won't stop them all.

Only you can do that by knowing what to look for (education), being real about what to expect (common sense) and being cautious before giving away any of your personal information (healthy skepticism).

Some great rules of thumb:

  • Email that asks for your login ID and password is bogus (or incredibly stupid). Delete it.

  • If it's too good to be true, it's not true. (You didn't win the lottery that you never entered.)

  • Unless you're positive, never click that emailed link. Go to the website yourself. Type (or copy/paste) the link into your browser yourself.

There's probably much more, but that's a great start.


Start with the basics: a firewall, a good anti-virus tool and a good anti-spyware tool. (My recommendations.)

Add to that a good spam filter - I happen to use Google Mail as my spam filter and it works very well.

And if you like, add a web site reputation monitor like Web of Trust, McAfee's SiteAdvisor or others. Warning: reputations can be manipulated, both for good and bad, so don't throw your common sense out the door when using services like this. Continue to pay attention; use these services as an additional bit of information before going to a site you're unsure of.

Article C4488 - October 15, 2010

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Mike C
October 15, 2010 12:07 PM

Caveat: I've only recently started following your Twitter feed, so I won't know if you've covered this before.

Personally, I started using Thunderbird for email about 7-8 months ago and find it has helped as well. Aside from its adaptive Junk filter and ability to connect to both IMAP and POP3, it has a Scam Warning indicator to help provide additional clues to when an email might be a phishing attempt.

Just thought I'd throw it out there.

I use Thunderbird myself, and even recommend it. However I do have a gripe with its scam detection: way too many false positive scam notifications, including my weekly newsletter.

Mark Jacobs
October 16, 2010 3:31 AM

I took your advice on sending all of my email to a Gmail account to filter spam and I can say it drastically reduced the spam I was getting. A great antiphishing tool is Web of Trust. It not only works against phishing but it warns you of nearly all the dangerous sites that you might click on from a web site.

I like WOT, but my biggest concern is that since the site ratings are user-generated they can be gamed and artificially given ratings that aren't appropriate.

David Hutchins
October 19, 2010 9:31 AM

Can't help but notice that some of the phishing attempts are looking more and more genuine. I almost fell for one recently, as the e-mail I got looked so authentic. I thought about it and realized that what they were asking for didn't quite make sense. The scammers are getting adept at copying actual screens from trusted sites, so you have to be ever vigilant.

My biggest fear is that phishers and scammers will learn proper English. 90% of the scams out there can be readily identified by that alone.

Glenn P.
October 19, 2010 10:30 AM

Great minds think alike, Leo -- I knew exactly what you were about to say before you even said it! Phishing is just a variety of "social engineering" (now how's that for fancyspeak! The word they want is "trickery", pure & simple) and for that, the only "program" that will really suffice is the "program" that's stored in the computer that sits between your own two ears!

Remember that, folks. It can save you a lot of heartache someday. A lot of it.

October 19, 2010 10:46 AM

I've been using Thunderbird for about 3 years and I'm using Cloudmark DesktopOne Add-on to filter the scams.

Jim H
October 19, 2010 1:49 PM

Among my anti phishing schemes is I use all 5 email addresses my ISP allows me to have. One I use exclusively for financial purposes such as banking, bill pay, and credit card payments. Another is exclusively for eBay while the others are for professional use, for forums, and for correspondence with family and friends. If I get a phishing email like I did earlier today from a bank wanting me to update my information, a quick glance at the address it was sent to told me right away it was bogus. I also use a free account for subscriptions I sign up for because it helps keep the eventual spam contained and when it gets too out of hand I close it and open another, moving all my subscriptions to there. I also ask friends and family to NOT forward me jokes, funny pictures and the like from web sites where they enter my email address. Another tactic, especially with Facebook, is if I get a friend request I always check the address it was sent to. People have become very good at faking Facebook notifications. Even if that checks out, I go to Facebook by entering the URL into my browser. I NEVER click on the enclosed link. All legit requests and notifications will appear on your home page at the top, usually indicated by a small red balloon. It's the same with eBay and the other auction sites. If you get a message or notification from them it will be in your inbox on the site. If it isn't, you've been phished. An older scam I haven't seen in a while but is still active is a notice from PayPal (if you use it) that an email address has been added to your account and a link will be provided to log in and remove it. Don't do it! It's bogus, but if you want to be sure log into PayPal the long way and check. Typing in a URL for any site that contacts you rather than clicking on an embedded link is just a smart move when dealing with a questionable email.
The degree to which some phishers get all the details of the page exact is remarkable, so if you do click an embedded link don't think because it looks right that it is. If you think you have been compromised, change your password! Remember that many sites request an alternate email address to send your password to if you request it. Check that as well because if the person who hacked your account changed that to his/her address, all they need do when they can't log in to your account is click the request forgotten or lost password link and they are back in business.
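The check described in the comment above (one address per purpose, then a glance at which address a message was sent to) can be written down as a short script. This is an added example, not part of the original article or comments; the address mapping, the sample messages and the function names are constructed for illustration, and a matching address only means the message passed this one test.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mapping (assumption): the one address of mine each service knows.
EXPECTED_RECIPIENT = {
    "paypal": "finance@example.net",
    "ebay": "auctions@example.net",
    "facebook": "social@example.net",
}

def claimed_service(msg):
    """Return the brand named in the From display name or address, or None."""
    name, addr = parseaddr(msg.get("From", ""))
    text = f"{name} {addr}".lower()
    for brand in EXPECTED_RECIPIENT:
        if brand in text:
            return brand
    return None

def recipient_addresses(msg):
    """Collect every address the message says it was delivered or sent to."""
    headers = []
    for field in ("Delivered-To", "To", "Cc"):
        headers.extend(msg.get_all(field, []))
    return {addr.lower() for _, addr in getaddresses(headers) if addr}

def check_recipient(raw_message):
    """Return 'wrong-address', 'address-matches' or 'no-known-brand'."""
    msg = message_from_string(raw_message)
    brand = claimed_service(msg)
    if brand is None:
        return "no-known-brand"
    if EXPECTED_RECIPIENT[brand] in recipient_addresses(msg):
        return "address-matches"  # still log in by typing the URL yourself
    return "wrong-address"        # that service never had this address

# Constructed sample messages (not real mail).
PHISH = """From: "PayPal Security" <service@paypal-alerts.example>
To: family@example.net
Subject: An email address has been added to your account

Click here to log in and remove it.
"""
GENUINE_LOOKING = """From: eBay <ebay@ebay.example>
To: Auctions@Example.net
Subject: You have a new message
"""

if __name__ == "__main__":
    print([check_recipient(m) for m in (PHISH, GENUINE_LOOKING)])
```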

October 19, 2010 6:58 PM

Love it. Your answer was exactly as I was expecting it to be. Reminds me of the calendar block quote, "Show me a man who wants to earn a million dollars and I will show you a million men who expect to WIN a million dollars." Wise up people and be responsible for your own actions sometimes.

Terry Hollett
October 20, 2010 6:42 AM

I have received a number of these emails including a number of Nigerian Letters over the years. My experiences:

Just a comment about Nigerian letters: Even if Nigerian letters were real they are asking you to pretend to be someone you're not to get an inheritance you have no right to. In the process you would be committing a number of international offenses. Fraud, Forgery, Money Laundering even.

Glenn P.
November 2, 2010 2:08 AM

Further comment on Nigerian schemes (and Spam) from a different writer --

Even if they were legal, they would be immoral.

And even if they were moral, they would be unethical.

I mean, "Ack!" What more is there to say...!?

Before you fall for Spam, consider what it is asking you to do.

And then, don't do it. Just delete it.

(Sheesh. Did I really need to say that?)

Agustin Velasco
January 11, 2011 12:41 PM

Yes, seems that the question was anti-phishing tool.

Phishing program tools are also programs that do physically install on computers; which also can be considered malware... samples of phishing programs are those fake antivirus that install automatically from infected websites.

Fake antivirus also suggest to purchase the software in order to clean or eliminate detected supposed infections... infections that do not exist. (The program is asking for your credit card numbers, collected and sending to the creator of this fake program).

Unfortunately this type of malware is installed even when there is an antivirus in place. Like Leo said, you are the cure... some of these fake programs take over and won't allow you to do anything with a Windows machine. Most antimalware won't clean it. You have to manually perform a cleaning or call a computer technician.

Avoid those geeksquads, backstage and any consulting desks...they will wipe out your computer; Unless that is what you want.

Hasta la vista muchachos.

January 3, 2012 12:19 AM

I have recently been hit with several phishings purporting to be from PayPal: 'your account is about to be limited.....this is the final warning, etc'.
Login details requested.
Sent by :
Beware! They are persistent and have evaded all my filters:(I have complained to my ISP and blacklisted the address).
