It is now 24 hours since I received an obvious phishing email in my inbox and reported it through both IE7 and FireFox 2.0. Two hours ago, IE7 still said, “This is not a reported phishing website”. Now it’s finally made it:

If this is typical, then the IE7 phishing filter is little use. Phishing sites don’t last long, usually only a few days. Most victims will click that link the moment it turns up in their inbox, not a day later. Speed is of the essence. After 22 hours, most of the damage will already have been done. 

Actually, the IE7 phishing filter could be worse than useless. The message, “This is not a reported phishing website” imparts a false sense of security, making it more likely that someone will tap in their personal information.

Checking again in Firefox, it now catches the phish on its downloaded-list settings, which is the default. Using the dynamic query option in Firefox caught it earlier, but even that won’t catch a brand new phish.

Let me add that anyone clicking one of these links is ignoring plentiful advice from banks and from the media; and in this case the lack of an SSL connection is another sure-fire indication that this is a forgery. But some phishing attempts are cleverly phrased, making you think that someone has placed an order in your name, or hacked your paypal account, or damaged your eBay reputation. In the heat of the moment, it is easy to make mistakes.

Conclusion: Don’t rely on phishing filters to protect you; and if you want to use the one in FireFox, turn on dynamic queries (which means sending a record of your browsing activity to Google).