AI Brief%22%2F%3E%3Ccircle%20cx%3D%22760%22%20cy%3D%22180%22%20r%3D%22260%22%20fill%3D%22%23f0b84a%22%20opacity%3D%22.24%22%2F%3E%3Ccircle%20cx%3D%22110%22%20cy%3D%221040%22%20r%3D%22310%22%20fill%3D%22%23f0b84a%22%20opacity%3D%22.16%22%2F%3E%3C%2Fsvg%3E)
Web agents leak sensitive data even after recognizing scams
The SCAMMER4U benchmark found agents that explicitly identified a site as suspicious still submitted critical personal data in 35.9% of sessions.
Read more
Researchers from KIIT Bhubaneswar, BITS Pilani, and Lam Research introduced SCAMMER4U, a benchmark testing autonomous web agents across 91 simulated attacker-controlled sites and ten benign controls. The study evaluated GPT-5 mini, Claude Haiku 4.5, Gemini 3 Flash, and Llama 4 Scout using profiles containing passwords, bank details, Social Security numbers, API keys, and two-factor codes. Its most important result is a detection-action gap: agents that explicitly recognized a site as suspicious still transmitted critical personal information in 35.9% of sessions, compared with 66.1% when they did not voice suspicion. Baseline leakage ranged from 54.5% to 93.1% by model. The authors argue that agent security needs independent output-level controls because recognizing danger inside the reasoning loop does not reliably stop an agent from completing the task.
Key details: June 6, 2026, SCAMMER4U, 91 attack environments, 10 benign controls, 35.9% leakage after scam recognition, Four model families.
Continue swiping for more AI Brief stories.