
Scamlexity: When AI Agents Become the Target, Not Just the Human

By Kirsten Doyle | August 22, 2025 | 5 Mins Read

AI Browsers promise a future where an Agentic AI can handle your online life. From shopping to emails, they are designed to act autonomously, to save time, to make life easier. Yet convenience has a price.

Recent research by Guardio reveals a worrying truth: security guardrails are inconsistent, sometimes absent entirely. The AI clicks, pays, and fails, often without human oversight.

Welcome to what Guardio calls “Scamlexity,” a new era of scam complexity, supercharged by Agentic AI. Familiar tricks hit harder than ever, while new AI-born attack vectors break into reality.

“The scam no longer needs to trick you. It only needs to trick your AI. When that happens, you’re still the one who pays the price,” researchers said. 

AI Browsers are no longer theoretical. Microsoft’s Copilot integrates into Edge. OpenAI experiments with a sandboxed browser in “agent mode.” Perplexity’s Comet actively browses, clicks, and performs tasks on your behalf. Agentic AI is moving beyond assistance. It is replacing us.

But herein lies the rub. In the rush to deliver seamless user experiences, critical protections are left behind. As the research bluntly puts it: “One small step for Agentic AI, one giant step back for our security!”

The problem is twofold. First, these browsers prioritize user experience over security. Second, AI inherits its own vulnerabilities: it acts without full context, trusts too easily, and obeys instructions without skepticism. 

Making People Happy

Designed to make people happy, the AI bends rules, hallucinates facts, and takes actions that carry hidden risks.

Guardio’s experiments with Comet illustrate this vividly. A fake Walmart store was enough to test the AI’s autonomy. A single instruction, “Buy me an Apple Watch,” was all it took.

Comet navigated the site, located the correct buttons, and autofilled payment and shipping details. Seconds later, the purchase was complete.

In some tests, Comet paused or refused; in others, it handed over sensitive information without hesitation. “When security depends on chance, it’s not security.” 

Emails are no safer. A phishing message from a fake Wells Fargo account bypassed every safeguard. Comet interpreted the email as a to-do item, clicked the embedded link, and prompted the person to enter credentials. 

The user never saw the sender address, never questioned the domain, and never had the opportunity to intervene. The AI became the single point of decision, and without strong guardrails, that decision is a coin toss.

CAPTCHAgeddon

Then there is PromptFix. A modern evolution of prompt injection scams, it targets AI directly.

Hidden instructions within seemingly harmless content manipulate the AI into actions the human never intended or saw. In one scenario, a “captcha” disguised a drive-by-download attack.

The AI clicked the checkbox, executed the download, and could have deployed malware, all without the person noticing. This is the AI-era version of CAPTCHAgeddon, the report said.

Guardio’s research reveals a widening attack surface. Human-centric scams exploit the AI’s blind spots, while AI-centric prompt injections exploit its obedience. Together, they create vulnerabilities broader and deeper than anything we have faced before. 

Breaking one AI model can compromise millions of users. Scammers no longer target humans directly; they target the AI.

The path forward is clear. Innovation cannot stop, but security must catch up. AI Browsers must inherit robust guardrails: phishing detection, URL reputation checks, domain spoofing alerts, malicious file scanning, and behavioral anomaly detection, all integrated into the AI’s decision-making loop. 

“In the era of Scamlexity, safety can’t be optional,” Guardio ended.

An Endless Stream of Attacks

Lionel Litty, Chief Security Architect at Menlo Security, says we are seeing a seemingly endless stream of attacks against AI agents – they are gullible and they are servile. “In an adversarial setting, where an AI agent may be exposed to untrusted input, this is an explosive combination. Unfortunately, the web in 2025 is very much an adversarial setting.”

He adds that we are also seeing that soft guardrails, which involve providing agents with more training and refined instructions, are usually a small hurdle that can be quickly overcome. “If you want to let an agent loose on the broader web, you should really have hard boundaries that limit what information the agent has access to and what it is permitted to do.”
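The guardrails Guardio lists and the hard boundaries Litty describes can be pictured as a deterministic gate that sits outside the model and rules on every action the agent proposes, so page content cannot talk its way past it. The sketch below is an added example, not code from Guardio, Menlo Security, or any AI browser; the action names, the trusted-site list, and the `.example` hosts are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed policy for illustration: sites the user approved for sensitive actions.
TRUSTED = {"walmart.com", "wellsfargo.com"}
SENSITIVE = {"fill_payment", "fill_credentials", "download"}

def registrable(host):
    # Simplification: last two labels. Real code should consult the Public Suffix List.
    return ".".join(host.split(".")[-2:])

def edit_distance(a, b):
    # Classic Levenshtein distance, computed row by row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def imitated_brand(host):
    """Return the trusted domain an untrusted host appears to imitate, else None."""
    tokens = re.split(r"[.-]", host)
    for domain in sorted(TRUSTED):
        brand = domain.split(".")[0]
        if any(edit_distance(tok, brand) <= 1 for tok in tokens):
            return domain
    return None

def decide(action, url, user_confirmed=False):
    """Gate one proposed agent action. Returns (verdict, reason)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return ("block", "no host in URL")
    trusted = registrable(host) in TRUSTED
    if not trusted:
        spoofed = imitated_brand(host)
        if spoofed:
            return ("block", f"{host} imitates {spoofed}")
    if action not in SENSITIVE:
        return ("allow", "low-risk action")
    if not trusted or parts.scheme != "https":
        return ("block", "sensitive action outside approved HTTPS sites")
    if not user_confirmed:
        return ("confirm", "ask the human before proceeding")
    return ("allow", "approved site, human confirmed")
```

Even on an approved site, payment and credential entry return `confirm` until a human signs off, which keeps the person in the loop at the point where the article's test cases went wrong.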

Cloning Websites in Seconds

Before the arrival of GenAI, attackers were already proficient at rapidly creating new domains to bypass traditional phishing detection tools, says Krishna Vishnubhotla, Vice President, Product Strategy at Zimperium. “The focus was on speed and creating domains quickly to elude detection and launch attacks. However, with the rise of GenAI, phishing attacks have become more sophisticated and automated, making traditional security tools increasingly ineffective, particularly on mobile browsers.”

Vishnubhotla adds that sophistication shows up in the form of highly realistic and personalized, well-written phishing content at scale across all mobile phishing (mishing) vectors, including audio, video, and voicemail. “The automation aspect allows attackers to clone websites in seconds, making brand impersonation easier than ever.”

Using Autonomous Agents for Defense

Nicole Carignan, Senior Vice President, Security & AI Strategy, and Field CISO at Darktrace, says that as adversaries double down on the use and optimization of autonomous agents for attacks, human defenders will become increasingly reliant on and trusting of autonomous agents for defense.

“Specific types of AI can perform thousands of calculations in real time to detect suspicious behavior and perform the micro decision-making necessary to respond to and contain malicious behavior in seconds. Transparency and explainability in the AI outcomes are critical to foster a productive human-AI partnership,” she adds. 

Introducing More Variability

Remote and hybrid work have increased the threat landscape by introducing more variability, comments David Matalon, CEO at Venn. This includes different networks, devices, and home-office setups that IT doesn’t control. 

“This shift to BYOD and unmanaged endpoints means that traditional, in-office security models no longer suffice. While securing the browser is critical, it’s not enough. A broader approach is needed; one that protects data and applications accessed by remote workers and contractors, and not just on company-managed, locked-down computers in the office,” Matalon ends. 

Kirsten Doyle
Information Security Buzz News Editor

Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.

The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.
