Saved in:
Bibliographic Details
Main Authors: Roy, Soham, Halder, Sarthakbrata, Bharaty, Arya, Bhaskar, Vaibhav, Sinha, Yash, Kumar, Dhruv, Panda, Srikant, Mandal, Murari
Format: Preprint
Published: 2026
Subjects:
Online Access:https://arxiv.org/abs/2606.00497
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866914619729117184
author Roy, Soham
Halder, Sarthakbrata
Bharaty, Arya
Bhaskar, Vaibhav
Sinha, Yash
Kumar, Dhruv
Panda, Srikant
Mandal, Murari
author_facet Roy, Soham
Halder, Sarthakbrata
Bharaty, Arya
Bhaskar, Vaibhav
Sinha, Yash
Kumar, Dhruv
Panda, Srikant
Mandal, Murari
contents Deceptive web content, widely instantiated across the internet and commonly known as \textit{social-engineering attacks}, manipulates autonomous web agents into submitting users' personally identifiable information (PII) to attacker-controlled endpoints. In this paper, we show that social-engineering attacks are highly effective at extracting critical-tier PII from frontier web agents, posing a severe risk to deployed agentic systems. To quantify this risk, we introduce \textbf{\textsc{Scammer4U}}, a pre-registered benchmark of 91 attacker-controlled environments and 10 benign-twin baselines, spanning 8 attack vectors and 16 site categories on an 8-axis factorial taxonomy that isolates the causal contribution of individual attack design factors. Across frontier agents, we find that critical-tier PII leakage reaches 54--93\% under no privacy guidance, compared to 0\% on benign-twin baselines, confirming that leakage is attack-attributable rather than incidental form-filling. Escalating prompt-level mitigation yields sharply model-dependent reductions across the four families and remains insufficient to reliably prevent critical PII submission at the pooled level. Most critically, we identify a detection--action gap: agents whose reasoning an independent LLM judge confirms has flagged the site as suspicious still submit critical PII in 35.9\% of sessions, versus 66.1\% when no suspicion is verbalized, a 30.2\% gap robust across all four model families. Our findings reveal that defenses conditioned on the agent's own recognition of an attack are gating on the wrong signal, motivating output-level interception of outbound submissions that operates independently of the agent's reasoning loop.
format Preprint
id arxiv_https___arxiv_org_abs_2606_00497
institution arXiv
publishDate 2026
record_format arxiv
spellingShingle "I Strongly Suspect This Website Is a Scam": Benchmarking PII Leakage and Detection without Defense in Autonomous Web Agents
Roy, Soham
Halder, Sarthakbrata
Bharaty, Arya
Bhaskar, Vaibhav
Sinha, Yash
Kumar, Dhruv
Panda, Srikant
Mandal, Murari
Cryptography and Security
Computation and Language
Deceptive web content, widely instantiated across the internet and commonly known as \textit{social-engineering attacks}, manipulates autonomous web agents into submitting users' personally identifiable information (PII) to attacker-controlled endpoints. In this paper, we show that social-engineering attacks are highly effective at extracting critical-tier PII from frontier web agents, posing a severe risk to deployed agentic systems. To quantify this risk, we introduce \textbf{\textsc{Scammer4U}}, a pre-registered benchmark of 91 attacker-controlled environments and 10 benign-twin baselines, spanning 8 attack vectors and 16 site categories on an 8-axis factorial taxonomy that isolates the causal contribution of individual attack design factors. Across frontier agents, we find that critical-tier PII leakage reaches 54--93\% under no privacy guidance, compared to 0\% on benign-twin baselines, confirming that leakage is attack-attributable rather than incidental form-filling. Escalating prompt-level mitigation yields sharply model-dependent reductions across the four families and remains insufficient to reliably prevent critical PII submission at the pooled level. Most critically, we identify a detection--action gap: agents whose reasoning an independent LLM judge confirms has flagged the site as suspicious still submit critical PII in 35.9\% of sessions, versus 66.1\% when no suspicion is verbalized, a 30.2\% gap robust across all four model families. Our findings reveal that defenses conditioned on the agent's own recognition of an attack are gating on the wrong signal, motivating output-level interception of outbound submissions that operates independently of the agent's reasoning loop.
title "I Strongly Suspect This Website Is a Scam": Benchmarking PII Leakage and Detection without Defense in Autonomous Web Agents
topic Cryptography and Security
Computation and Language
url https://arxiv.org/abs/2606.00497