Read this before you try an AI browser: it can hand over your credit card to scammers in seconds
Agentic AI can do your online chores for you without supervision. However, it also gets fooled and scammed by crooks just as you would.
AI browsers are supposed to fully automate your tasks – handle your emails, shopping, and travel planning, among other things. Unfortunately, new research shows that they also interact with phishing pages and fake shops, risking your data and your money.
Guardio, a security company that focuses on the browser ecosystem, built and tested a few scenarios to see whether it’s safe to entrust browsers with autonomous browsing.
“They inherit AI’s built-in vulnerabilities – the tendency to act without full context, to trust too easily, and to execute instructions without the skepticism humans naturally apply,” Guardio said.
Designed to please humans at any cost, an AI model will bend the rules to get what it needs, and that could lead to a significant data breach. In practice, it means that an AI browser can click on phishing links, download malicious content, and hand over sensitive data just to “help” you out.
“Imagine asking it to find the best deal on those sneakers you’ve been eyeing, and it confidently completes the purchase… from a fake e-commerce shop built to steal your credit card,” Guardio researchers noted.
Their primary test subject was the Perplexity Comet browser, which was first prompted to buy an Apple Watch.
Researchers prompted the browser to look for the gadget on a fake Walmart shop that they created using the Lovable coding app.
Even though the fake site had plenty of clues that it wasn’t actually a Walmart, the model disregarded them. It added an Apple Watch to the cart, autofilled address and credit card details without asking for confirmation, and was done with the purchase mere seconds later.
“One prompt, a few moments of automated browsing with zero human oversight, and the damage was done. While the human waits for a shiny new Apple Watch, the scammers are already spending their money,” Guardio said.
They ran this test a couple of times, and Comet sometimes refused to follow through or asked to complete the checkout manually. However, in quite a few instances, it handed over sensitive personal and payment data to the fake website, which the researchers took only a few seconds to set up.
Comet also failed the phishing test. Researchers sent a fake email pretending to be a Wells Fargo investment manager with a malicious link inside. Comet marked it as a to-do item, and it clicked on the link. The phishing page prompted Comet to enter user credentials, and the browser assisted with filling in the form, designed to extract sensitive user information.
“Human intuition to evade harm is excluded from the process and AI becomes the single point of decision. Without strong AI guardrails, that decision is essentially a coin toss – and when your security is left to chance, it’s only a matter of time before it lands on the wrong side,” Guardio noted.
In the blog post, the security company says we don’t need to halt innovation to protect ourselves. However, AI browsers are mostly designed with user experience, and not security, in mind.
“The trust we place in Agentic AI is going to be absolute, and when that trust is misplaced, the cost is immediate.”
