Key takeaways
- AI tools now help phishing gangs create highly realistic fake websites.
- 1Password warns users when they paste passwords into fake sites.
- Pairing this tool with multi-factor authentication boosts protection.
Businesses may struggle to achieve much benefit from artificial intelligence, but criminal gangs have figured out how to transform AI into online gold. Thanks to readily available tools, it's become easier than ever to build a realistic-looking fake website with sophisticated graphic design and use it in a high-volume phishing campaign.
That's the conclusion of some recent research conducted by the developers of 1Password, who surveyed 2,000 American adults to discover how prevalent phishing attacks are. The results are sobering: 89% of Americans have encountered a phishing scam, and 61% have actually handed over their credentials to a phishing attack at least once.
To deal with the threat, 1Password has added a new feature to its popular password management app and service. The phishing protection feature inserts a crucial sanity check into the login process -- and that extra check might be enough to prevent a distracted user from accidentally falling for an artfully constructed fraudulent website.
What's the threat?
The criminal gangs behind most phishing attacks work from a predictable playbook -- create a tempting piece of bait that convinces the recipient to click a link that leads to their website. According to 1Password's survey, the most common vectors for phishing attacks are personal emails, text messages, and social media. The bait is usually something that creates a sense of urgency, such as getting a special deal or tracking a delivery or package.
When phishing gangs target individuals, the survey said, the ultimate goal is usually short-term financial gain. But phishing attacks on companies can be far more destructive. 1Password reports that 36% of the workers surveyed admitted they had clicked on a suspicious link in a work email. Of those, 26% were responding to messages they thought were from HR or their boss, with potentially devastating results.
As 1Password reports:
Phishing attacks on companies are often far more sophisticated and may be the first stage of a more elaborate scheme. Indeed, phishing attacks are the leading vector in ransomware attacks. In this scenario, an attacker's goal is to gain deep access to a company's systems to steal or encrypt data. And their biggest asset is an employee's password that will give them the access they want.
That's what happened last summer, in an attack documented by StripeOLT, a UK-based cybersecurity provider. That campaign used tailored emails that impersonated internal HR communications, leading recipients to a fake OneDrive site to enter their corporate credentials.
All modern password managers offer basic phishing protection by design. If you visit a fake website, the password manager will not offer to fill in your credentials, because the domain doesn't match the one associated with the saved username and password.
But that's not enough protection. If the user doesn't understand why autofill isn't working, and the fake website is convincing enough, they're likely to open the password manager app and manually copy and paste their username and password into the fraudulent site, at which point it's game over.
How 1Password phishing protection works
The new phishing protection feature adds a crucial extra confirmation step. When a user attempts to copy and paste their credentials into a website instead of using autofill, the 1Password browser extension displays a pop-up warning, like the one shown here:
This warning appears when the 1Password extension sees that a password is being pasted into an unauthorized site.
That prompt should be specific enough to cause the user to pause and double-check details, such as the domain name, before proceeding. In corporate settings, IT personnel can train users to stop when they see that warning, which resembles the banners that some businesses place at the top of external emails.
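The matching rule behind both behaviors (autofill only on the saved domain, a warning when a saved credential is pasted anywhere else) can be sketched as follows. This is an added example, not 1Password's code; the hosts, the item ids, and the assumption that the extension knows which saved item a pasted credential was copied from are illustrative.

```javascript
// Added illustration, not 1Password's implementation.
// Saved items and hosts are constructed sample data.
const savedItems = [
  { id: "onedrive", host: "files.example.com" },
  { id: "bank", host: "bank.example.org" },
];

// Parse the page URL; anything that is not https with a hostname is untrusted.
function pageHost(pageUrl) {
  let u;
  try { u = new URL(pageUrl); } catch { return null; }
  if (u.protocol !== "https:" || !u.hostname) return null;
  // URL() already lowercases and punycodes the host; drop a trailing root dot.
  return u.hostname.toLowerCase().replace(/\.$/, "");
}

// Match only the exact saved host or a true subdomain of it.
// A substring test would wrongly accept "files.example.com.login.test".
function hostMatches(host, savedHost) {
  return host === savedHost || host.endsWith("." + savedHost);
}

// Ids of the items the manager would offer to autofill on this page.
function autofillCandidates(pageUrl, items = savedItems) {
  const host = pageHost(pageUrl);
  if (!host) return [];
  return items.filter((it) => hostMatches(host, it.host)).map((it) => it.id);
}

// Decision when a credential copied from `itemId` is pasted into `pageUrl`.
// Assumption: the extension tracks which item the clipboard value came from.
function pasteDecision(pageUrl, itemId, items = savedItems) {
  const item = items.find((it) => it.id === itemId);
  if (!item) return "allow"; // not a tracked credential
  const host = pageHost(pageUrl);
  return host && hostMatches(host, item.host) ? "allow" : "warn";
}
```

A page that yields no autofill candidates is exactly the case where a paste of a saved credential should produce the warning rather than pass silently.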
For individual and family plan users, this feature will be enabled by default. 1Password admins can enable this capability for employees in Authentication Policies in the 1Password admin console.
It's possible, of course, that some users will succumb to "dialog fatigue" and click right past the warning. However, this pop-up is specific enough, and hopefully also rare enough, that it will serve its intended purpose, stopping some attacks from succeeding.
Other anti-phishing steps worth taking
Relying on end users to judge for themselves whether a site is legitimate or not is unrealistic, especially when AI tools are capable of creating nearly perfect counterfeit sites with domain names that resemble the real thing. These days, even sophisticated users can be fooled, especially if they're distracted or in a hurry.
The single most important step to prevent phishing attacks from causing damage is to enable multi-factor authentication for every high-value site. With MFA on, an attacker won't be able to use those stolen credentials without additional work.
In addition, it's crucial to ensure that users have unique passwords for every site. If a phishing gang can score a set of credentials for one site and use those credentials on other sites, that's a recipe for disaster.
Finally, whether you're managing a family or a Fortune 500 enterprise, it's essential to create an environment where users can report a possible phishing attempt without fear of scolding or punishment. The faster you can respond to an incident, the more likely you'll contain any damage.
