A new report exposes how “agentic AI” browsers can be tricked into scams, raising urgent questions about the future of cybersecurity.
We’ve all heard about scammers using AI to make deepfakes or write slick phishing emails—but what if the AI itself is the one being scammed?
That’s the unsettling finding from a new cybersecurity study that shows how next-gen “agentic AI” browsers—tools designed to shop, email, and click on our behalf—are dangerously easy to trick.According to a report by Guardio, these AI-powered agents can be manipulated into visiting phishing sites, handing over payment details, and even executing hidden malicious commands—all without the user noticing.
Welcome to the age of “Scamlexity.”
Why Agentic AI Is So Vulnerable
Unlike a traditional search engine, agentic AI doesn’t just recommend—it acts. It can fill out forms, click links, and check out with saved payment info. The problem? AI lacks the natural skepticism that humans apply online.
Its primary goal is to complete tasks quickly and efficiently—even if that means ignoring red flags like a sketchy URL or an unfamiliar sender.
Guardio’s researchers tested this by creating a fake Walmart site and asking the AI to “buy an Apple Watch.” The AI not only found the product but proceeded to checkout and autofilled credit card details—all on a fraudulent page.
Old Scams, New Victims
What makes this research even more striking is that the scammers didn’t need bleeding-edge tactics.
A simple phishing email—pretending to be from Wells Fargo—was enough to trick the AI into clicking a malicious link, bypassing the warnings a human user would have spotted.
The report shows that when an AI assistant gets duped, it essentially vouches for the scam, making the human more likely to trust the attack.
When AI Becomes Its Own Attack Vector
Beyond old-school phishing, the team showcased a new AI-specific exploit called PromptFix. This method hides malicious instructions inside a seemingly normal web element, like a CAPTCHA.
Because the AI is programmed to be helpful, it follows the hidden commands—potentially downloading malware or leaking files without the user ever realizing.
This signals the start of an AI-versus-AI arms race: attackers using AI to train scams that bypass the defenses of other AI systems.
The Bigger Picture: A New Security Crisis
The implications are massive. Instead of millions of humans being targeted one by one, attackers can now aim directly at centralized AI systems that serve millions of users.
Once a weakness is found, it can be scaled instantly.
Guardio argues that AI agents need built-in security—such as URL reputation checks and behavioral anomaly detection—rather than relying on tools like Google Safe Browsing, which proved insufficient in their tests.
As more of our digital lives get delegated to AI, the stakes rise. If we can’t trust our AI assistants to act safely, the entire convenience promise of agentic AI comes under question.
Why This Matters Beyond Cybersecurity Circles
For consumers, this is a wake-up call: the AI helping you order groceries today could be handing your credit card to a scammer tomorrow.
For businesses, it’s a reminder that rushing to integrate AI without building strong defenses could expose both their customers and their reputation.
On a broader scale, this trend echoes the early days of the web—when convenience raced ahead of security, and phishing exploded as a result. The difference now is speed. AI accelerates everything: the good and the bad.
Final Takeaway
Agentic AI might be the future of browsing, shopping, and productivity—but only if it learns to protect itself from scams as effectively as we’ve learned to protect ourselves.
What do you think—should AI be allowed to act on our behalf before it’s proven safe, or should security come first, even if it slows down innovation?
