PhishWatch

phishwatch.io
Extension · Tools · 4 users

Overview

Detects browser-native phishing attacks like ConsentFix, ClickFix, and Browser-in-the-Browser that bypass traditional security.

PhishWatch detects browser-native phishing attacks that bypass email filters — because these attacks don't activate until after delivery, inside your browser.

Modern phishing no longer needs a suspicious-looking domain. Attackers use legitimate cloud infrastructure, AI-generated content, and browser mechanics to steal credentials. With 82% of detections now malware-free (CrowdStrike 2026) and ClickFix named the #1 initial access method (Microsoft 2025), the attack surface has moved from your inbox to your browser. PhishWatch operates at this layer, where the attack must execute to succeed.

─── WHAT PHISHWATCH DETECTS ───

▸ ClickFix (Windows + Mac)
Attackers trick users into copying a malicious PowerShell or terminal command — disguised as a verification step or system fix — and executing it themselves. PhishWatch detects clipboard write events and copy→navigate coupling patterns before execution. Clipboard text is inspected locally — never transmitted.

▸ ConsentFix — OAuth Token Hijacking
Attackers route OAuth authorization codes into credential fields on fake login pages, hijacking account access without ever knowing your password. PhishWatch detects when an authorization code is pasted into a credential field and blocks the submission.

▸ Browser-in-the-Browser (BitB)
Phishing sites embed fake browser windows that mimic real Google or Microsoft login popups — complete with a fake address bar. PhishWatch detects DOM overlay patterns consistent with BitB window spoofing.

▸ AiTM — Adversary-in-the-Middle
Reverse-proxy attacks relay your credentials to the real login service in real time, harvesting session cookies and bypassing MFA entirely. PhishWatch detects credential-flow mismatches — when the origin receiving your credentials doesn't match the page you're interacting with.

▸ Fake Update Detection (SocGholish)
Pages impersonating browser update dialogs to trick users into downloading malware.
PhishWatch detects pages combining browser brand impersonation, update urgency language, and executable download links.

▸ AI Lure Detection
Pages impersonating AI services (ChatGPT, Claude, Gemini, Copilot) combined with ClickFix or ConsentFix social engineering. PhishWatch detects the combination of AI brand spoofing with instruction-to-execute lures.

▸ Typosquatting Detection
Domains impersonating major brands through character substitution, homoglyph swaps, and edit-distance analysis — checked against 500+ known brands in real time.

▸ Newly Registered Domain (NRD)
Domains registered within the last 30 days are flagged automatically via real-time domain age checking.

─── HOW IT WORKS ───

PhishWatch intercepts navigation events and evaluates browser mechanics — not whether a page looks suspicious or whether a domain is on a blocklist. Detection is event-driven and activates only when risk indicators are present. Normal browsing proceeds without interruption.

When risk is detected, PhishWatch shows an explainable warning with the specific mechanical reason — not a generic alert. You always have the option to continue anyway.

─── PRIVACY BY DESIGN ───

Most detection runs entirely on your device. Cloud risk scoring is only triggered when local signals indicate a potential threat. When a cloud check is triggered, only the domain name and sanitised signal metadata are transmitted — signal IDs, severity levels, and boolean flags.

NEVER transmitted: clipboard contents, page content, form fields, passwords, cookies, session tokens, browsing history, or personal identifiers. Sanitisation is enforced by an allowlist — unknown fields fail closed.
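
The allowlist rule described under PRIVACY BY DESIGN, sketched as an added JavaScript example; it is not PhishWatch's own code. The field names, signal IDs, severity values and the choice to reject the whole report (rather than drop the offending field) are assumptions made for illustration.

```javascript
// Added example. Field names, signal IDs and severity values are hypothetical,
// not PhishWatch's real schema.
const SEVERITIES = new Set(["low", "medium", "high"]);
const SIGNAL_ID = /^[A-Z][A-Z0-9_]{2,39}$/; // symbolic ID only, no free text
const FLAG_NAME = /^[a-z][A-Za-z0-9]{1,31}$/;
const HOSTNAME = /^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$/;

const isPlainObject = (v) =>
  v !== null && typeof v === "object" && Object.getPrototypeOf(v) === Object.prototype;

// Allowlists: field name -> validator. A field that is not listed is unknown.
const SIGNAL_FIELDS = {
  id: (v) => typeof v === "string" && SIGNAL_ID.test(v),
  severity: (v) => SEVERITIES.has(v),
  flags: (v) => isPlainObject(v) &&
    Object.entries(v).every(([k, b]) => FLAG_NAME.test(k) && typeof b === "boolean"),
};
const REPORT_FIELDS = {
  domain: (v) => typeof v === "string" && HOSTNAME.test(v), // bare host, no path or query
  signals: (v) => Array.isArray(v) && v.length > 0 && v.length <= 32 &&
    v.every((s) => checkObject(s, SIGNAL_FIELDS) === null),
};

// Returns null when obj has exactly the allowlisted fields with valid values,
// otherwise a short reason for the rejection.
function checkObject(obj, allowlist) {
  if (!isPlainObject(obj)) return "not a plain object";
  for (const key of Object.keys(obj)) {
    if (!Object.hasOwn(allowlist, key)) return `unknown field: ${key}`;
  }
  for (const [key, valid] of Object.entries(allowlist)) {
    if (!Object.hasOwn(obj, key) || !valid(obj[key])) return `invalid field: ${key}`;
  }
  return null;
}

// Fail closed: one unknown or invalid field rejects the whole report, so nothing
// is sent. The payload is rebuilt field by field, never passed through.
function sanitiseReport(report) {
  const reason = checkObject(report, REPORT_FIELDS);
  if (reason !== null) return { ok: false, reason };
  const signals = report.signals.map((s) => ({
    id: s.id, severity: s.severity, flags: { ...s.flags },
  }));
  return { ok: true, payload: { domain: report.domain, signals } };
}

// Constructed sample reports (not captured traffic).
const CLEAN = { domain: "login.example.test",
  signals: [{ id: "CLIPBOARD_WRITE", severity: "high", flags: { copyThenNavigate: true } }] };
const LEAKY = { ...CLEAN, clipboardText: "constructed-sample" };
```

Calling `sanitiseReport(LEAKY)` returns `ok: false` with the reason naming the unexpected field, and a `domain` value that carries a path or query string is rejected the same way.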
─── DESIGNED FOR TRANSPARENCY ───

  • Chrome Manifest V3 with strict permissions
  • No use of eval() or dynamic script injection
  • Deterministic, explainable detections — no black-box scoring
  • Fail-open: uncertainty always resolves to allowing navigation
  • Every warning is overridable — PhishWatch never blocks permanently

─── WHO USES PHISHWATCH ───

  • Security professionals needing browser-layer visibility.
  • Developers and crypto users targeted by sophisticated phishing.
  • Small businesses and MSPs without enterprise browser security stacks.
  • Anyone who wants runtime protection against credential theft at the moment it matters.

PhishWatch complements email filters, endpoint protection, and identity providers. It operates at the one layer those tools cannot observe: inside your browser, at the moment you act.

Privacy policy: https://phishwatch.io/privacy
Website: https://phishwatch.io

Details

  • Version
    3.3.7
  • Updated
    May 13, 2026
  • Size
    163KiB
  • Languages
    English
  • Developer
    Website
    Email
    phishwatch.io@gmail.com
  • Non-trader
    This developer has not identified itself as a trader. For consumers in the European Union, please note that consumer rights do not apply to contracts between you and this developer.

Privacy

PhishWatch has disclosed the following information regarding the collection and usage of your data. More detailed information can be found in the developer's privacy policy.

PhishWatch handles the following:

User activity
Website content

This developer declares that your data is

  • Not being sold to third parties, outside of the approved use cases
  • Not being used or transferred for purposes that are unrelated to the item's core functionality
  • Not being used or transferred to determine creditworthiness or for lending purposes