PhishWatch

Extension, Tools

Overview

Detects browser-native phishing attacks like ConsentFix, ClickFix, and Browser-in-the-Browser that bypass traditional security.

PhishWatch detects browser-native phishing attacks that bypass email filters — because these attacks don't activate until after delivery, inside your browser.

Modern phishing no longer needs a suspicious-looking domain. Attackers use legitimate cloud infrastructure, AI-written language, and browser mechanics to steal credentials. With 82% of detections now malware-free (CrowdStrike 2026) and ClickFix named the #1 initial access method (Microsoft 2025), the attack surface has moved from your inbox to your browser.

PhishWatch operates at this layer — where the attack must execute to succeed.

─── WHAT PHISHWATCH DETECTS ───

▸ ClickFix
Attackers trick users into copying a malicious PowerShell or terminal command — disguised as a "verification step" or "system fix" — and executing it themselves. PhishWatch detects clipboard write events and copy→navigate coupling patterns and warns before execution. Clipboard text is inspected locally on your device only — it is never transmitted.

▸ ConsentFix (OAuth Token Hijacking)
Attackers route OAuth authorization codes into password fields on fake login pages, hijacking account access without ever knowing your password. PhishWatch detects when an OAuth code is pasted into a credential field and blocks the action before your authorization token is stolen.

▸ Browser-in-the-Browser (BitB)
Phishing sites embed fake browser window overlays that mimic real Google or Microsoft login popups. PhishWatch detects DOM overlay patterns consistent with BitB window spoofing — fake URL bars, fake window controls, and embedded credential forms.

▸ AiTM — Adversary-in-the-Middle
Reverse-proxy attacks that relay your credentials to the real login service in real time, allowing attackers to harvest session cookies and bypass multi-factor authentication entirely. PhishWatch detects credential-flow mismatches: when the origin receiving your credentials doesn't match the page you're on, combined with cross-origin network activity during login.

▸ Fake Update Detection (SocGholish)
Pages impersonating browser update dialogs to trick users into downloading malware. Real browser updates never come from websites. PhishWatch detects pages combining browser brand impersonation, update urgency language, and executable download links.

▸ AI Lure Detection
Pages impersonating AI services (ChatGPT, Claude, Gemini, Copilot) combined with ClickFix or ConsentFix social engineering. ChatGPT is mentioned 550% more than any other AI model in criminal forums (CrowdStrike 2026). PhishWatch detects the combination of AI brand spoofing with instruction-to-execute lures.

▸ Typosquatting Detection
Domains impersonating major brands through character substitution, homoglyph swaps, and edit-distance analysis — checked against a curated brand list in real time.

▸ Newly Registered Domain (NRD)
Domains registered within the last 30 days are flagged automatically via real-time domain age checking.

─── HOW IT WORKS ───

PhishWatch intercepts outbound navigation events and evaluates browser mechanics — not whether a page looks suspicious or whether a domain is on a blocklist.

Detection is event-driven and activates only when risk indicators are present. Normal browsing on everyday sites proceeds without interruption.

When risk is detected, PhishWatch shows an explainable warning with the specific mechanical reason — not a generic "this site may be dangerous" message. You always have the option to continue anyway.

─── PRIVACY BY DESIGN ───

PhishWatch is built local-first. Most detection runs entirely on your device. Cloud risk scoring is only triggered when local signals indicate a potential threat.

When a cloud check is triggered, only the destination URL and sanitised signal metadata are transmitted — signal IDs, severity levels, timing deltas, and boolean flags.

NEVER transmitted: clipboard contents, page content, form fields, passwords, cookies, session tokens, browsing history, or user identifiers.

Sanitisation is enforced by an allowlist function — unknown fields fail closed.

─── DESIGNED FOR TRANSPARENCY ───

• Manifest V3 with strict permissions model
• No use of eval() or dynamic script injection
• Deterministic, explainable detections — no black-box AI classification
• Fail-open design: uncertainty always resolves to allowing navigation
• All warnings are overridable — PhishWatch never locks you out

─── WHO USES PHISHWATCH ───

Security professionals needing browser-layer visibility. Cryptocurrency users targeted by sophisticated phishing. Small businesses without enterprise security tooling. Anyone who wants runtime protection against credential theft.

PhishWatch complements email filters, endpoint protection, and password managers. It operates at the one layer those tools cannot observe: inside your browser, at the moment you act.

Privacy policy: https://phishwatch.io/privacy
Website: https://phishwatch.io
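
The typosquatting check described above (character substitution, homoglyph swaps, edit distance against a brand list) can be sketched as follows. This is an added example, not PhishWatch's code; the brand list, homoglyph table and the rule for picking the registrable label are assumptions.

```javascript
// Added example, not PhishWatch's code. BRANDS and HOMOGLYPHS are small
// constructed samples standing in for a curated brand list.
const BRANDS = ["google", "microsoft", "paypal", "github"];
const HOMOGLYPHS = {
  "0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", // Cyrillic look-alikes
};

// Fold look-alike characters and sequences to the ASCII letter they imitate.
function fold(label) {
  let out = label.toLowerCase();
  for (const [from, to] of Object.entries(HOMOGLYPHS)) out = out.split(from).join(to);
  return out;
}

// Levenshtein distance, keeping only two rows of the table.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

// Returns { brand, reason } when the name imitates a brand, otherwise null.
function checkTyposquat(hostname) {
  // Assumption: the second-to-last label is the registrable name; production
  // code would use the public-suffix list and decode punycode first.
  const labels = hostname.toLowerCase().split(".");
  const label = labels[labels.length - 2] || labels[0];
  if (BRANDS.includes(label)) return null; // the genuine brand name itself
  const folded = fold(label);
  for (const brand of BRANDS) {
    if (folded === brand) return { brand, reason: "homoglyph" };
    if (editDistance(folded, brand) === 1) return { brand, reason: "edit-distance" };
  }
  return null;
}

// Constructed sample hostnames.
for (const h of ["accounts.google.com", "g00gle.com", "rnicrosoft.com", "githuub.com"]) {
  console.log(h, checkTyposquat(h));
}
```

A distance threshold of 1 keeps false positives low for brand names of six or more characters; shorter names need an exact homoglyph match only.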
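
What "an allowlist function where unknown fields fail closed" can look like for the cloud-check payload described under PRIVACY BY DESIGN, as an added example rather than PhishWatch's code. The field names, value limits and the choice to drop the whole request on any violation are assumptions.

```javascript
// Added example, not PhishWatch's code. Field names and limits are assumed;
// the categories (URL, signal ID, severity, timing delta, boolean flags)
// are the ones the description lists.
const SEVERITIES = new Set(["low", "medium", "high"]);
const isStr = (v, re) => typeof v === "string" && re.test(v);
const ALLOWED = {
  url: (v) => {
    try { return ["http:", "https:"].includes(new URL(v).protocol); }
    catch { return false; }
  },
  signalId: (v) => isStr(v, /^[A-Z0-9_]{1,40}$/),
  severity: (v) => SEVERITIES.has(v),
  deltaMs: (v) => Number.isInteger(v) && v >= 0 && v <= 600000,
  flags: (v) => v !== null && typeof v === "object" && !Array.isArray(v) &&
    Object.entries(v).every(([k, b]) => isStr(k, /^[a-z_]{1,32}$/) && typeof b === "boolean"),
};
const own = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Returns a fresh object holding only validated fields, or null (send nothing)
// when any field is unknown or fails its validator.
function sanitise(payload) {
  if (payload === null || typeof payload !== "object" || Array.isArray(payload)) return null;
  const out = {};
  for (const [key, value] of Object.entries(payload)) {
    // own() stops inherited names such as "constructor" from acting as validators.
    if (!own(ALLOWED, key) || !ALLOWED[key](value)) return null; // fail closed
    out[key] = key === "flags" ? { ...value } : value;
  }
  return own(out, "url") ? out : null;
}

// Constructed sample payloads.
const good = { url: "https://login.example/auth", signalId: "CLIPBOARD_WRITE",
  severity: "high", deltaMs: 840, flags: { cross_origin: true } };
const leaky = { ...good, clipboardText: "powershell -enc ..." };
console.log(sanitise(good));  // validated copy
console.log(sanitise(leaky)); // null: unknown field, nothing is sent
```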

Details

  • Version
    2.7.2
  • Updated
    March 6, 2026
  • Size
    88.72KiB
  • Languages
    English
  • Developer
    Website
    Email
    phishwatch.io@gmail.com
  • Non-trader
    This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.

Privacy

PhishWatch has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.

PhishWatch handles the following:

User activity
Website content

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes