
Google Chrome can now warn you in real time if you're getting phished

Before you give that website your username and password, Google wants to check to make sure it's not a fake created by hackers.

Alfred Ng Senior Reporter / CNET News

Google Chrome now offers phishing protection in real-time, the company said on Tuesday. 


Figuring out if the link you clicked on is legitimate can be extremely difficult -- if you don't think so, take this quiz and see how many phishing pages you can spot. For the rest of us, Google is offering real-time checks on potential phishing links through its Chrome browser, the company announced Tuesday. 

Phishing is a common hacking method in which attackers steal usernames and passwords by tricking victims into clicking on malicious links and then typing in their login credentials. The malicious pages can be an exact copy in some cases -- tricking even seasoned political operatives.  

Between July and September, Google sent more than 12,000 warnings about state-sponsored phishing attacks targeting its users in the US. According to Verizon's annual cybersecurity report, phishing is the leading cause of data breaches, and Google said in August that it blocked about 100 million phishing emails every day.

But phishing links don't just come in emails: They can also appear in malicious advertisements, or through direct messages on chat apps. For those of you using a Chrome browser, Google is launching an extra level of protection against phishing through real-time checks on site visits. 

You can turn it on by enabling "Make searches and browsing better" in your Chrome settings. 

This protection was already available for Chrome's Safe Browsing mode, which checked the URL of every website visited and made sure it was not on Google's block list. The block list is saved on devices and only synced every 30 minutes, allowing savvy hackers to bypass the filter by creating a new phishing URL before the list updates.


On Tuesday, Chrome announced that the phishing protection would expand to check visited URLs with Google's block list in real time, instead of the locally stored list that's updated every 30 minutes.

The company said it won't be keeping a log of every website you're visiting. Instead of checking the full URL, Google said it checks a partial fingerprint of it -- an encrypted version of the link -- meaning that the company doesn't see the actual URL you're visiting. 
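The sketch below is an added illustration, not Google's or Chrome's code, of the two lookup models described above: a locally synced list that can be out of date, and a real-time check in which only a partial fingerprint leaves the device. It assumes SHA-256 digests and a 4-byte prefix (the article says only "partial fingerprint"); the hostnames, the LookupServer class and the function names are constructed for the example.

```python
import hashlib
from urllib.parse import urlsplit

PREFIX_LEN = 4  # bytes of each SHA-256 digest that leave the device (assumed length)

def full_hash(expression):
    return hashlib.sha256(expression.encode()).digest()

def expressions(url):
    """Host-suffix + path variants to check (simplified; no URL canonicalization)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    hosts = [".".join(labels[i:]) for i in range(max(1, len(labels) - 1))]
    paths = sorted({parts.path or "/", "/"})
    return [h + p for h in hosts for p in paths]

class LookupServer:
    """Constructed stand-in for the remote block list service."""
    def __init__(self):
        self.blocked = set()
        self.seen = []  # everything a client has ever sent to the server

    def add(self, expression):
        self.blocked.add(full_hash(expression))

    def lookup(self, prefix):
        self.seen.append(prefix)
        return {h for h in self.blocked if h.startswith(prefix)}

def check_local(url, snapshot):
    """Old model: compare against a copy of the list synced at an earlier time."""
    return any(full_hash(e) in snapshot for e in expressions(url))

def check_realtime(url, server):
    """New model: send only a digest prefix, compare full digests on the device."""
    for e in expressions(url):
        digest = full_hash(e)
        if digest in server.lookup(digest[:PREFIX_LEN]):
            return True
    return False

def demo():
    server = LookupServer()
    server.add("old-phish.example/")              # constructed entry
    snapshot = set(server.blocked)                # device syncs its local copy
    server.add("login.new-phish.example/signin")  # listed after the sync
    url = "https://login.new-phish.example/signin"
    return check_local(url, snapshot), check_realtime(url, server), server.seen

if __name__ == "__main__":
    print(demo())
```

The stale snapshot misses the newly listed page while the real-time check catches it, and the server's record of requests holds only 4-byte prefixes, never the URL or a full digest.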

In a blog post, Google said that this change led to a 30% increase in finding new malicious websites. 

Several other password protection tools that Google released in the past as Chrome extensions are now getting baked into the browser by default, the company announced. 

In February, Google released an extension called Password Checkup, which warns people if their login credentials had been stolen in a breach and prompts them to change those credentials. Hackers often count on people reusing their passwords across multiple accounts, and this tool was designed to prevent that. 

That extension is now a part of the Chrome browser, and you can enable or disable it through the "Sync and Google Services" setting. 

As with the phishing protections, Google said that it only stores encrypted versions of people's usernames and passwords, and that it doesn't keep a log of people's credentials. 

Google said these features would be rolled out gradually following the release of Chrome 79 on Tuesday.