Walk into most organizations and you’ll find a familiar stack: antivirus, a VPN, a password manager, MFA, a spam filter, and an annual training module. Each is valuable. None of them was built to stop the specific thing a phishing page does — persuade a human to hand over a credential or a token, in real time, on a page that looks legitimate. Here’s the honest breakdown.
Antivirus & EDR
Excellent at catching malicious files and processes on a device. But a credential-phishing page drops no file — the user simply types a password into a web form. Endpoint tools largely can’t see what happens inside the browser tab, which is exactly where modern phishing lives.
VPN
A VPN encrypts your traffic and hides your IP. It does nothing about a phishing site you choose to visit — the connection to the attacker is simply encrypted. “We use a VPN” is one of the most common phishing misconceptions.
Password manager
Genuinely helpful: a good manager won’t auto-fill credentials on a look-alike domain, which quietly stops some attacks. But users can still copy a password in manually, and it offers nothing against QR-code lures, voice scams, or malicious attachments.
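To make the auto-fill point concrete, here is an added illustration (not SafeToOpen's code, nor any real password manager's) of the strict site check a good manager applies before offering a saved credential: HTTPS only, and the same registrable domain as where the password was saved. The tiny suffix list and the look-alike URLs are constructed for the demo.

```python
from urllib.parse import urlsplit

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# A real manager would load the full list; this is enough for the demo.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}


def registrable_domain(host):
    """Return the eTLD+1 (e.g. 'example.com' for 'login.example.com'),
    or None when the host is itself a public suffix."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    return ".".join(labels)  # unknown suffix: treat the whole host as one site


def should_autofill(saved_url, current_url):
    """Mimic the origin check a good password manager applies before
    offering a saved credential: HTTPS only, and the same registrable domain."""
    saved, current = urlsplit(saved_url), urlsplit(current_url)
    if current.scheme != "https":
        return False  # no fill on plain HTTP, even for the right host
    saved_site = registrable_domain(saved.hostname or "")
    current_site = registrable_domain(current.hostname or "")
    return saved_site is not None and saved_site == current_site


# Constructed look-alike URLs of the kind a credential-phishing lure points at.
CANDIDATES = [
    "https://login.example.com/",               # the real site
    "https://accounts.example.com/signin",      # sibling subdomain, same site
    "https://example.com.evil-host.net/login",  # real name reused as a subdomain
    "https://examp1e.com/login",                # digit-for-letter swap
    "https://login-example.com/",               # hyphen lure
    "http://login.example.com/",                # right host, no TLS
]


def autofill_decisions(saved_url="https://login.example.com/"):
    """Map each candidate page to whether the manager would offer the saved password."""
    return {url: should_autofill(saved_url, url) for url in CANDIDATES}


if __name__ == "__main__":
    for url, ok in autofill_decisions().items():
        print(f"{'FILL   ' if ok else 'NO FILL'}  {url}")
```

Only the two genuine example.com pages pass; every look-alike is refused. The check never runs at all when the user copies the password in by hand, which is exactly the gap described above.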
MFA
Essential — it blocks more than 99.2% of account-compromise attacks. [1] But attackers stopped beating MFA and started going around it: adversary-in-the-middle kits relay your real login and steal the session token issued afterward, which bypasses MFA, SSO and Conditional Access entirely. [2][3]
Email gateway / spam filter
Catches known and bulk threats well. It struggles with never-before-seen pages, links that turn malicious after delivery, QR codes, browser-in-the-browser pop-ups, and anything that arrives outside email.
Awareness training
The one defense aimed at the human — and the evidence shows its effect is small and fades within months, because the human can always be fooled in the 21 seconds it takes to click. [4]
The gap they all share
Line them up and the pattern is clear: each tool guards a different layer — the file, the network, the password vault, the inbox, the human — but none of them judges the actual page at the moment of the click. That’s the seam phishing is designed to slip through.
The missing layer
SafeToOpen analyses the page and the email in real time, at the point of click — catching the zero-day phishing site the rest of your stack can’t see. It complements MFA and the tools you already run.
The takeaway
Keep every one of these — they’re all worth having. But owning them isn’t the same as being protected against phishing. The honest question isn’t “do we have security tools?” It’s “what judges the fake page itself, the instant a person is about to trust it?”