by Tim Leogrande, BSIT, MSCP, Ed.S.
FEBRUARY 19 2026 • 6 MIN 29 SEC READ
Artificial intelligence (AI) companies are increasingly integrating their bots into web browsers and deploying software agents which can automate a variety of user tasks. However, recent discoveries suggest that some of these agents struggle to consistently recognize key warning signs of phishing websites and emails, raising questions about their reliability in real-world use.
When the Comet browser from Perplexity was repeatedly directed by security researchers at Guardio Labs to visit a phony Walmart website with a request to "buy an Apple Watch," it often added the item to the shopping basket, entered credit card information, and clicked the "buy" button without any user prompts or checks along the way.
While businesses are concerned about raising employee security awareness, browser-based agents have the potential to nullify most of that training, so these agents are on the verge of becoming a new class of insider threat that CISOs must worry about.
Cloudera reports that an overwhelming 96% of businesses have plans to expand their use of agentic AI, yet are ill-prepared for the increased threats that these agents present — such as how to distinguish between actions conducted by an agent and those taken by a person via a web browser. AI agents must be proficient not just at completing tasks, but also at identifying and thwarting possible security risks to employees and corporate data.
Managing an email inbox is another key function of AI browsers. They can mark to-do items, examine new messages, and even respond to them. So the same researchers evaluated Comet's ability to handle a phishing email from a bank — one of the oldest online traps — by writing a phony email that appeared to be from a Wells Fargo investment manager, but it was actually sent from a brand-new ProtonMail address.
The email contained a link to a real phishing page that had been up for a few days and had not been detected by Google Safe Browsing. Upon receiving the email, Comet intrepidly marked it as a task from the bank and clicked the embedded link. The attacker's page was accessed directly without any pre-navigation warning or URL check. Comet determined the phony Wells Fargo login page was authentic as it loaded. It even assisted the user in filling out the form by prompting them to submit their credentials.
The outcome was an otherwise reliable trust chain gone awry. Comet essentially endorsed the phishing page by managing the full exchange from email to website. The user never had the opportunity to question the domain, never hovered over the link, and never spotted the questionable ProtonMail sender address. Instead, they were taken straight to what appeared to be a genuine Wells Fargo login page and, since it was delivered by their trusty AI copilot, they felt secure.
These two incidents demonstrate how even the most well-known scamming techniques become increasingly risky when encountered by agentic AI. The true game-changer here is the break in the trust chain, which normally prevents people from directly interacting with dubious content, helps them recognize warning signs, and gives them the opportunity to form their own opinions.
<aside> 💡
We are currently seeing an endless stream of attacks against AI agents, which are apparently as gullible as they are servile.
</aside>
This is a potent combination in an adversarial environment where an AI agent could be subjected to unreliable input. Comet operates within the user's browser, accessing cookies and authenticated sessions, which gives the agent a lot of flexibility — and a lot of rope to hang itself.
ChatGPT agent mode is also capable of performing browser-mediated actions such as navigation, button clicks, tab management, and limited service integrations. The agent doesn’t directly access a user’s cookies or browsing history; however, when operating within an active browser context, it may interact with pages that are already authenticated via existing user sessions. This creates a security boundary that depends heavily on runtime safeguards and permission controls.
Because large language models treat inputs as untrusted text streams rather than strongly typed instructions, they may be vulnerable to instruction confusion or prompt-injection scenarios in which system directives and ordinary page content are not reliably distinguishable. Without robust isolation and policy enforcement, this ambiguity can introduce meaningful security risks.
Some agents act without user oversight, but a more frequent scenario is that the agents themselves are tricked by a malicious URL or a phishing attack and are rendered unable to provide notification to the user, removing many of the red flags which might normally indicate that something is wrong.
Rapid injection, the number one vulnerability on OWASP's top 10 list of risks for LLMs and generative AI, is often a key component of these attacks. So businesses should shift from "trust, but verify" to "doubt, and double verify" — effectively stalling automation until an AI agent has proven it can always complete a workflow safely and accurately.
Every time a user delegates control to agentic AI they have created a new trust boundary that adversaries will attempt to exploit. The risk isn’t just AI talking to data that it shouldn't, but threat actors that attempt to become a peer node to a conversation either for the purposes of exfiltration, LLM poisoning, or any number of techniques which could be used to erode trust in these platforms.
<aside> 💡
Accordingly, enterprises may want to wait until AI developers provide improved visibility, control, and security before integrating these agents into any process that requires security and dependability.
</aside>
Understanding how employees use AI is essential to securing it effectively, so organizations that want to integrate AI into agent-based workflows can benefit from a holistic approach.