by Tim Leogrande, BSIT, MSCP, Ed.S.
19 FEB 2026 • 4 MIN 18 SEC READ
Artificial intelligence (AI) companies are increasingly integrating their bots into web browsers and deploying software agents which can automate a variety of user tasks. However, recent discoveries suggest that some of these agents struggle to consistently recognize key warning signs of phishing websites and emails, raising questions about their reliability in real-world use.
For example, when the Comet browser from Perplexity was recently directed by security researchers at Guardio Labs to a phony Walmart website with the request to "buy an Apple Watch," it often added the item to the shopping basket, entered credit card information, and clicked the "buy" button without any user prompts or checks along the way. Businesses have invested a lot of money and effort into teaching employees how to spot phishing websites and risky emails, but the widespread use of AI browsers like Comet could seriously reverse those gains.
Cloudera reports that an overwhelming 96% of businesses have plans to expand their use of AI agents, yet are ill-prepared for the increased threats that these agents present — such as how to distinguish between actions conducted by an agent and those taken by a person via a web browser. AI agents must be proficient not just at completing tasks, but also at identifying and thwarting possible security risks to employees and corporate data.
Managing your inbox is another key function of AI browsers. They can mark to-do items, examine new messages, and even handle them for you. So, the same researchers evaluated Comet's ability to handle a phishing email from a “bank" — one of the oldest online traps — by writing a phony email that appeared to be from a Wells Fargo investment manager but it was actually from a brand-new ProtonMail address.
The email contained a link to a real phishing page that had been up for a few days and had not been detected by Google Safe Browsing. Upon receiving the email, Comet boldly marked it as a task from the bank and clicked the embedded link. The attacker's page was accessed directly without any pre-navigation warning or URL check. Comet regarded the phony Wells Fargo login as authentic as it loaded. It even assisted the user in filling out the form by prompting them to submit their credentials.
An otherwise reliable trust chain gone awry was the outcome. Comet essentially endorsed the phishing page by managing the full exchange from email to website. The user never had the opportunity to question the domain, never hovered over the link, and never spotted the questionable ProtonMail sender address. Instead, they were taken straight to what appeared to be a genuine Wells Fargo login and, since it was delivered by their trusty AI copilot, they felt secure.
These two incidents demonstrate how even the most tried-and-true scammer techniques become increasingly risky when encountered by agentic AI browsers. The true game-changer here is the break in the trust chain, which prevents people from directly interacting with dubious content, helps them recognize warning signs, and gives them the opportunity to form their own opinions.
<aside> 💡
We are currently seeing an endless stream of attacks against AI agents, which are apparently as gullible as they are servile.
</aside>
This is a potent combination in an adversarial environment where an AI agent could be subjected to unreliable input. Comet operates within the user's browser, accessing cookies and authenticated sessions, which gives the agent a lot of flexibility — but also a lot of rope to hang itself.
For instance, the ChatGPT agent mode browses, clicks buttons, opens tabs, and can connect to some services, and doesn’t have access to the user's cookies and browsing history. But it runs in the web browser and has access to authenticated sessions on all tabs, and this lack of security guardrails is capable of creating serious issues. Specifically, the input of an LLM is text, so the bot can't readily distinguish between some system commands and user prompts.
As a result, while businesses are concerned about raising employee security awareness, browser-based agents have the potential to reverse most all of that training and these agents are now on the verge of becoming a new class of insider threats that CISOs must worry about.
While some agents act without user oversight, a more frequent scenario is that the agents themselves are tricked by a malicious URL or a phishing attack and unable to provide notification to the user, removing many of the red flags which might normally indicate that something is wrong.
Rapid injection, the top vulnerability on OWASP's top 10 list of risks for LLMs and generative AI, is a key component of these attacks. So businesses should shift from "trust, but verify" to "doubt, and double verify" — effectively stalling automation until an AI agent has proven it can always complete a workflow safely and accurately.
Every time a user delegates control to agentic AI they have created a new trust boundary that adversaries will attempt to exploit. The risk isn’t just AI talking to data that it shouldn't, but threat actors that attempt to become a peer node to a conversation either for the purposes of exfiltration, LLM poisoning, or any number of techniques which could be used to erode trust in these platforms.
<aside> 💡
Accordingly, businesses should most likely wait until AI developers provide improved visibility, control, and security before integrating these agents into any business process that requires security and dependability.
</aside>
Gaining insight into how employees use AI is also essential to securing it. So businesses looking to integrate AI into agent-based processes should concentrate on a holistic approach. First, determine all of the AI services in their employees’ workflow using a cloud access security broker, or other method of service monitoring. Next, develop a list of authorized tools and an AI usage strategy in light of these findings because employees must understand the basics of AI safety and what it means to give these bots information or privileges to do things on their behalf. Finally, the organization should monitor usage, enforce policy, and provide ongoing training on how to safely interact with any AI service.