Windows is far better today at protecting your security out of the box compared to how it once was, but Windows Security and associated tools still aren’t perfect. You need to look out for threats that PC security has no answer for.
5
Phishing and Social Engineering
Many of the most common security threats you’ll face today aren’t complex malware, like old-school computer viruses. Instead, attackers use human psychology against you (called social engineering) to manipulate you into handing over private info without realizing you’re giving it to a fraudster.
This can take several forms. Phishing emails, like the “cloud storage full” phony emails I’ve been receiving regularly, are a classic example of this. By tricking you into “confirming” your credit card details or account credentials on a fake website, these attacks don’t need to crack Windows’ security tools.
While Windows Security does protect against some phishing sites (App & browser control > Reputation-based protection settings > Warn me about malicious apps and sites), it’s not perfect. When covering scams, I sometimes open the fake sites to describe them more accurately, and I don’t always have to bypass a security warning to reach them.
And sometimes, these attempts to steal from you are analog. A common form of this is the Geek Squad email scam, where you receive an email with a fake bill for something you’ve never bought, and are urged to call a phone number to “cancel the payment” (by giving them your credit card number).
The tech support scams that have become common over the last decade are another example. Either through a direct phone call or by using fake malware alerts, scammers get you on the phone. They claim to be from Microsoft or another tech company, so they can remotely connect to your PC (which Windows won’t block).
Nothing Windows does can stop you from dialing a number on your phone, then giving people information they shouldn’t have.
4
Weak Account Security and Data Breaches
While poor password habits might not be a threat to your Windows machine directly, they’re still a serious issue. If you use short, weak passwords on your accounts, Windows Security won’t alert you to this problem. It doesn’t give you guidance on whether your passwords are strong enough, or when two-factor authentication is available for one of your accounts but you’re not using it.
Data breaches are also out of Windows Security’s reach. If a website is breached, your password, credit card details, or other personal info could leak out to the internet (no matter how strong your password is). Windows’ tools also won’t warn when a website is compromised, like Have I Been Pwned? will.
Windows Security does offer some password help by visiting App & browser control > Reputation-based protection settings. You’ll find Warn me about password reuse and Warn me about unsafe password storage, which sound promising, but these are limited.
Microsoft’s documentation about these features states they’re only for “Microsoft school or work passwords” you use to sign into Windows. These protections thus aren’t nearly as robust as password managers that warn you when a site is compromised or similar.
3
Zero-Day Attacks
Zero-day attacks, by their nature, are difficult for security tools to protect against. This term refers to brand-new exploits that manufacturers have had “zero days” to address. Because it hasn’t been updated to cover the fresh attack, Windows Security won’t detect it.
The usual fix for these is an emergency patch, which illustrates the importance of keeping Windows up-to-date. Speaking of which…
2
Outdated App Exploits
The apps on your computer can be as much of an attack surface as Windows itself. Outdated apps with known vulnerabilities give malicious individuals a way to break into your system. I’m guilty of this; I have many dozens of programs installed on my machine collecting virtual dust since I rarely use them.
Unless they are Microsoft Store apps, they won’t update automatically. You’ll need to run a PC updater program like Patch My PC to install regular updates without spending an hour clicking through “next” prompts. If you don’t, attackers have another surface to cause damage to your system.
Windows Security doesn’t prompt you to update old apps, even if they have a known security vulnerability. And while it might block common attacks that use installed programs as an attack vector, one security app can’t block exploits in every possible piece of software.
1
Attacks on Other Devices
We’ve been focusing on holistic security, not just keeping your Windows device locked down. We’ve looked at how Windows Security can’t protect your data on much of the internet; being aware of common attacks on other platforms is similar.
Now, good security habits are largely consistent across devices. Android, iOS, and macOS all have security protections built in, and the same guidelines about not clicking unknown email attachments and being critical of “urgent” emails apply there. But particularly on your phone, liars can try to manipulate you in ways they won’t on your PC.
One of the most common examples of this is romance scams, where people randomly message you, pretend they contacted the wrong number, and then say they want to become friends. I documented one of these “pig-butchering” schemes in detail, showing how they try to become romantic with you and then lead you to send them crypto, pretending you’re “investing” on their amazing platform.
Even if you use Telegram on your PC and these scammers contact you there, Windows Security won’t give you a warning. The common theme we’ve seen here is that Windows Security can stop active threats, but it won’t stop you from willingly doing something wrong yourself (even if you were tricked).
Windows Security is a solid baseline security tool, and you should enable key features inside Windows Security’s menus. But you can’t blindly trust it to keep you safe from all threats. Knowing where else your digital life can be attacked and taking steps accordingly will be a huge boost to your online security.
