PhishWatch
Detects browser-native phishing attacks like ConsentFix, ClickFix, and Browser-in-the-Browser that bypass traditional security.
As of June 2026, PhishWatch has 2 users in the Productivity category.
- Users: 2 (up 100.0%)
- Rating: — (no change)
- Reviews: — (no change)
- Version: 3.3.14 (Manifest V3)
90-day change · In the last 90 days this extension had 8 version updates.
History
10 snapshots · Tracking since Apr 17, 2026.
| Date | Users | Rating | Reviews | Version |
|---|---|---|---|---|
| Apr 17, 2026 | 1 | — | — | 3.0 |
| Apr 23, 2026 | 1 | — | — | 3.1 |
| Apr 28, 2026 | 2 | — | — | 3.1 |
| May 5, 2026 | 2 | — | — | 3.1 |
| May 11, 2026 | 5 | — | — | 3.2 |
| May 16, 2026 | 4 | — | — | 3.3.1 |
| May 23, 2026 | 3 | — | — | 3.3.7 |
| May 29, 2026 | 3 | — | — | 3.3.9 |
| Jun 5, 2026 | 3 | — | — | 3.3.11 |
| Jun 12, 2026 | 3 | — | — | 3.3.12 |
| Now | 2 | — | — | 3.3.14 |
Changelog
- May 5, 2026 · description

Before:

PhishWatch detects browser-native phishing attacks that bypass email filters — because these attacks don't activate until after delivery, inside your browser. Modern phishing no longer needs a suspicious-looking domain. Attackers use legitimate cloud infrastructure, AI-written language, and browser mechanics to steal credentials. With 82% of detections now malware-free (CrowdStrike 2026) and ClickFix named the #1 initial access method (Microsoft 2025), the attack surface has moved from your inbox to your browser. PhishWatch operates at this layer — where the attack must execute to succeed.

─── WHAT PHISHWATCH DETECTS ───

▸ ClickFix
Attackers trick users into copying a malicious PowerShell or terminal command — disguised as a "verification step" or "system fix" — and executing it themselves. PhishWatch detects clipboard write events and copy→navigate coupling patterns and warns before execution. Clipboard text is inspected locally on your device only — it is never transmitted.

▸ ConsentFix (OAuth Token Hijacking)
Attackers route OAuth authorization codes into password fields on fake login pages, hijacking account access without ever knowing your password. PhishWatch detects when an OAuth code is pasted into a credential field and blocks the action before your authorization token is stolen.

▸ Browser-in-the-Browser (BitB)
Phishing sites embed fake browser window overlays that mimic real Google or Microsoft login popups. PhishWatch detects DOM overlay patterns consistent with BitB window spoofing — fake URL bars, fake window controls, and embedded credential forms.

▸ AiTM — Adversary-in-the-Middle
Reverse-proxy attacks that relay your credentials to the real login service in real time, allowing attackers to harvest session cookies and bypass multi-factor authentication entirely. PhishWatch detects credential-flow mismatches: when the origin receiving your credentials doesn't match the page you're on, combined with cross-origin network activity during login.

▸ Fake Update Detection (SocGholish)
Pages impersonating browser update dialogs to trick users into downloading malware. Real browser updates never come from websites. PhishWatch detects pages combining browser brand impersonation, update urgency language, and executable download links.

▸ AI Lure Detection
Pages impersonating AI services (ChatGPT, Claude, Gemini, Copilot) combined with ClickFix or ConsentFix social engineering. ChatGPT is mentioned 550% more than any other AI model in criminal forums (CrowdStrike 2026). PhishWatch detects the combination of AI brand spoofing with instruction-to-execute lures.

▸ Typosquatting Detection
Domains impersonating major brands through character substitution, homoglyph swaps, and edit-distance analysis — checked against a curated brand list in real time.

▸ Newly Registered Domain (NRD)
Domains registered within the last 30 days are flagged automatically via real-time domain age checking.

─── HOW IT WORKS ───

PhishWatch intercepts outbound navigation events and evaluates browser mechanics — not whether a page looks suspicious or whether a domain is on a blocklist. Detection is event-driven and activates only when risk indicators are present. Normal browsing on everyday sites proceeds without interruption.

When risk is detected, PhishWatch shows an explainable warning with the specific mechanical reason — not a generic "this site may be dangerous" message. You always have the option to continue anyway.

─── PRIVACY BY DESIGN ───

PhishWatch is built local-first. Most detection runs entirely on your device. Cloud risk scoring is only triggered when local signals indicate a potential threat.

When a cloud check is triggered, only the destination URL and sanitised signal metadata is transmitted — signal IDs, severity levels, timing deltas, and boolean flags.

NEVER transmitted: clipboard contents, page content, form fields, passwords, cookies, session tokens, browsing history, or user identifiers.

Sanitisation is enforced by an allowlist function — unknown fields fail closed.

─── DESIGNED FOR TRANSPARENCY ───

• Manifest V3 with strict permissions model
• No use of eval() or dynamic script injection
• Deterministic, explainable detections — no black-box AI classification
• Fail-open design: uncertainty always resolves to allowing navigation
• All warnings are overridable — PhishWatch never locks you out

─── WHO USES PHISHWATCH ───

Security professionals needing browser-layer visibility. Cryptocurrency users targeted by sophisticated phishing. Small businesses without enterprise security tooling. Anyone who wants runtime protection against credential theft.

PhishWatch complements email filters, endpoint protection, and password managers. It operates at the one layer those tools cannot observe: inside your browser, at the moment you act.

Privacy policy: https://phishwatch.io/privacy
Website: https://phishwatch.io
After:

PhishWatch detects browser-native phishing attacks that bypass email filters — because these attacks don't activate until after delivery, inside your browser. Modern phishing no longer needs a suspicious-looking domain. Attackers use legitimate cloud infrastructure, AI-generated content, and browser mechanics to steal credentials. With 82% of detections now malware-free (CrowdStrike 2026) and ClickFix named the #1 initial access method (Microsoft 2025), the attack surface has moved from your inbox to your browser. PhishWatch operates at this layer, where the attack must execute to succeed.

─── WHAT PHISHWATCH DETECTS ───

▸ ClickFix (Windows + Mac)
Attackers trick users into copying a malicious PowerShell or terminal command — disguised as a verification step or system fix — and executing it themselves. PhishWatch detects clipboard write events and copy→navigate coupling patterns before execution. Clipboard text is inspected locally — never transmitted.

▸ ConsentFix — OAuth Token Hijacking
Attackers route OAuth authorization codes into credential fields on fake login pages, hijacking account access without ever knowing your password. PhishWatch detects when an authorization code is pasted into a credential field and blocks the submission.

▸ Browser-in-the-Browser (BitB)
Phishing sites embed fake browser windows that mimic real Google or Microsoft login popups — complete with a fake address bar. PhishWatch detects DOM overlay patterns consistent with BitB window spoofing.

▸ AiTM — Adversary-in-the-Middle
Reverse-proxy attacks relay your credentials to the real login service in real time, harvesting session cookies and bypassing MFA entirely. PhishWatch detects credential-flow mismatches — when the origin receiving your credentials doesn't match the page you're interacting with.

▸ Fake Update Detection (SocGholish)
Pages impersonating browser update dialogs to trick users into downloading malware. PhishWatch detects pages combining browser brand impersonation, update urgency language, and executable download links.

▸ AI Lure Detection
Pages impersonating AI services (ChatGPT, Claude, Gemini, Copilot) combined with ClickFix or ConsentFix social engineering. PhishWatch detects the combination of AI brand spoofing with instruction-to-execute lures.

▸ Typosquatting Detection
Domains impersonating major brands through character substitution, homoglyph swaps, and edit-distance analysis — checked against 500+ known brands in real time.

▸ Newly Registered Domain (NRD)
Domains registered within the last 30 days are flagged automatically via real-time domain age checking.

─── HOW IT WORKS ───

PhishWatch intercepts navigation events and evaluates browser mechanics — not whether a page looks suspicious or whether a domain is on a blocklist. Detection is event-driven and activates only when risk indicators are present. Normal browsing proceeds without interruption.

When risk is detected, PhishWatch shows an explainable warning with the specific mechanical reason — not a generic alert. You always have the option to continue anyway.

─── PRIVACY BY DESIGN ───

Most detection runs entirely on your device. Cloud risk scoring is only triggered when local signals indicate a potential threat.

When a cloud check is triggered, only the domain name and sanitised signal metadata is transmitted — signal IDs, severity levels, and boolean flags.

NEVER transmitted: clipboard contents, page content, form fields, passwords, cookies, session tokens, browsing history, or personal identifiers.

Sanitisation is enforced by an allowlist — unknown fields fail closed.

─── DESIGNED FOR TRANSPARENCY ───

• Chrome Manifest V3 with strict permissions
• No use of eval() or dynamic script injection
• Deterministic, explainable detections — no black-box scoring
• Fail-open: uncertainty always resolves to allowing navigation
• Every warning is overridable — PhishWatch never blocks permanently

─── WHO USES PHISHWATCH ───

Security professionals needing browser-layer visibility. Developers and crypto users targeted by sophisticated phishing. Small businesses and MSPs without enterprise browser security stacks. Anyone who wants runtime protection against credential theft at the moment it matters.

PhishWatch complements email filters, endpoint protection, and identity providers. It operates at the one layer those tools cannot observe: inside your browser, at the moment you act.

Privacy policy: https://phishwatch.io/privacy
Website: https://phishwatch.io
Permissions & access
- Permissions: storage
- Host access: https://api.phishwatch.io/*
Technical
- Version: 3.3.14
- Manifest: V3
- Size: 283KiB
- Min Chrome: 88
- Languages: 1
- Featured: No
Metadata
- ID: odpemcfgjbgkkpklcfgcgaglmogjbghf
- Developer ID: u3e0dcadac4d92e8fd45d285ac307dcb9
- Developer Email: [email protected]
- Created: Mar 3, 2026
- Last Updated (Store): Jun 11, 2026
- Last Scraped: Jun 12, 2026
- Website: phishwatch.io
- Support URL: —
- Privacy Policy: https://phishwatch.io/privacy
Similar extensions
Alternatives to PhishWatch, ranked by description similarity.
PhishGuard - Real Phishing Protection
Protects you from phishing and fake websites using live threat intelligence. Educational and effective.
2
PhishGuard – Phishing Warning Tool
Warns you about common phishing patterns. No fear, just awareness.
—
★ 5.0
PhishGuard - AI Phishing Detector
Detects phishing in emails using Deep Learning (LSTM + CNN).
3
ShieldLink — Advanced Phishing Protection
Advanced phishing protection with brand detection, redirect scanning & real-time analysis. 100% local, zero data.
—
PhishCloud Browser Extension
PhishCloud is protecting you from phishing attacks and ensuring your online safety. With PhishCloud you can Click With Confidence!
74
★ 5.0
GoldPhish
AI-powered phishing detection extension.
24
★ 5.0
AI PhishNet
AI PhishNet is adopting Prosfinity unique AI technology to detect phishing URLs.
87
★ 5.0
PhishGuard KE
Detect East African phishing websites with AI-powered analysis
—
Data sourced from the Chrome Web Store · last verified Jun 12, 2026.