Phishwatch
✨ AI-Powered
Overview
PhishWatch detects browser-native phishing attacks that bypass email filters — because these attacks don't activate until after delivery, inside your browser.
Modern phishing no longer needs a suspicious-looking domain. Attackers use legitimate cloud infrastructure, perfect AI-written language, and browser mechanics to steal credentials. Email filters and blocklists cannot observe what happens inside your browser after you click. PhishWatch operates at the browser runtime layer — where the attack must execute to succeed.
─── WHAT PHISHWATCH DETECTS ───
▸ ClickFix
Attackers trick users into copying a malicious PowerShell or terminal command — disguised as a "verification step" or "system fix" — and executing it themselves. PhishWatch detects copy→navigate coupling patterns and warns you before you execute anything harmful. Clipboard text is inspected locally on your device only — it is never transmitted.
▸ ConsentFix (OAuth Token Hijacking)
A variation of ClickFix where attackers route OAuth authorization codes into password fields on fake login pages, hijacking your account access without ever knowing your password. PhishWatch detects when an OAuth code is pasted into a credential field and blocks the action before your authorization token is stolen.
▸ Browser-in-the-Browser (BitB)
Phishing sites embed fake browser window overlays that mimic real Google or Microsoft login popups. Because they appear visually inside the browser, users cannot distinguish them from genuine popups. PhishWatch detects DOM overlay patterns consistent with BitB window spoofing.
▸ AiTM — Adversary-in-the-Middle
Reverse-proxy phishing attacks that relay your credentials to the real login service in real time — allowing attackers to harvest session cookies and bypass multi-factor authentication entirely. PhishWatch detects credential-flow mismatches: when the origin receiving your credentials doesn't match the page you're on.
─── HOW IT WORKS ───
PhishWatch intercepts outbound navigation events and evaluates browser mechanics — not whether a page looks suspicious or whether a domain is on a blocklist. The same domain can be safe in one session and weaponized in another.
Detection is event-driven and activates only when risk indicators are present: suspicious URL structure, credential field interactions, ClickFix/ConsentFix copy-paste patterns, or cross-origin authentication flows. Normal browsing on everyday sites proceeds without any interruption.
When risk is detected, PhishWatch shows an explainable warning with the specific mechanical reason — not a generic "this site may be dangerous" message. You always have the option to continue anyway.
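To make the event-driven model concrete, here is an added illustration (not PhishWatch's own code) of the two mechanical checks the listing describes: a copy event followed within a short window by an outbound navigation (the ClickFix copy→navigate coupling), and a password form whose receiving origin differs from the page origin (the AiTM credential-flow mismatch). Only the signal ID `instruction_to_execute_recent_copy` comes from the listing; the event shapes, the 10-second window and the `credential_origin_mismatch` ID are assumptions made for this example. Note that clipboard contents are never part of the event record, only the timestamp, and that an unparseable URL yields no signal, matching the fail-open rule stated further down.

```javascript
// Added illustration, not PhishWatch's own code. Models the event-driven
// checks described in the listing. Only "instruction_to_execute_recent_copy"
// is a signal ID from the listing; everything else here is assumed.

const COPY_TO_NAVIGATE_WINDOW_MS = 10000; // assumed coupling window

// Resolve a URL to its origin without throwing. Returns null for anything
// that is not a parseable http(s) URL; callers treat null as "uncertain".
function safeOrigin(href, base) {
  try {
    const u = new URL(href, base);
    if (u.protocol !== "https:" && u.protocol !== "http:") return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Event shapes (constructed for this example; timestamps in milliseconds):
//   { type: "copy",     t }                                // copied text is NOT recorded
//   { type: "navigate", t, url }                           // outbound navigation
//   { type: "submit",   t, pageUrl, action, hasPassword }  // credential form submit
function evaluateEvents(events) {
  const signals = [];
  let lastCopyAt = null;

  for (const ev of events) {
    if (ev.type === "copy") {
      lastCopyAt = ev.t;
    } else if (ev.type === "navigate" && lastCopyAt !== null) {
      // ClickFix coupling: a navigation shortly after a copy. Only the
      // millisecond delta is kept as timing metadata.
      const delta = ev.t - lastCopyAt;
      if (delta >= 0 && delta <= COPY_TO_NAVIGATE_WINDOW_MS) {
        signals.push({
          id: "instruction_to_execute_recent_copy",
          severity: "high",
          timing: { copy_to_navigate_ms: delta },
        });
      }
      lastCopyAt = null; // at most one coupling signal per copy
    } else if (ev.type === "submit" && ev.hasPassword) {
      // AiTM credential-flow check: does the origin receiving the password
      // match the origin of the page the user is on?
      const pageOrigin = safeOrigin(ev.pageUrl);
      const targetOrigin = safeOrigin(ev.action, ev.pageUrl); // relative actions resolve to the page
      if (pageOrigin === null || targetOrigin === null) continue; // uncertain: fail open, no signal
      if (pageOrigin !== targetOrigin) {
        signals.push({
          id: "credential_origin_mismatch", // assumed signal ID
          severity: "high",
          timing: {},
        });
      }
    }
  }
  return signals;
}

// Constructed timeline: a copy at t=1000, a navigation 1.5 s later, then a
// password form on one origin posting to a different one.
const demoSignals = evaluateEvents([
  { type: "copy", t: 1000 },
  { type: "navigate", t: 2500, url: "https://example.test/verify" },
  {
    type: "submit",
    t: 9000,
    pageUrl: "https://login.example.test/",
    action: "https://collector.example.net/post",
    hasPassword: true,
  },
]);
console.log(JSON.stringify(demoSignals, null, 2));
```

Each emitted signal carries exactly what the privacy section says is transmitted (an ID, a severity and millisecond deltas), so the detector and the allowlist can be reasoned about together.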
─── PRIVACY BY DESIGN ───
PhishWatch is built local-first. Most detection runs entirely on your device. Cloud risk scoring is only triggered when local signals indicate a potential threat.
When a cloud check is triggered, only the following is transmitted:
• Destination URL (required for risk assessment)
• Signal IDs and severity levels (e.g., "instruction_to_execute_recent_copy")
• Timing metadata (millisecond deltas between events)
• Boolean flags (e.g., paste_blocked: true)
What is NEVER transmitted:
• Clipboard contents (inspected locally only, never sent)
• Page content or DOM structure
• Form fields, passwords, or credentials
• Cookies, session tokens, or browsing history
• User identifiers or persistent tracking data
Data transmission is enforced by an allowlist function (sanitizeClientSignals()) in the extension's background script. Any field not on the allowlist is stripped before transmission — unknown fields fail closed.
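The allowlist pattern described above, as an added example that is not PhishWatch's own `sanitizeClientSignals()`: only four known fields survive, each is type-checked, and everything else (clipboard text, page content, cookies, unexpected keys, extra properties on a signal) is dropped before anything is sent. The payload key names (`destination_url`, `signals`, `timing`, `flags`) and the severity vocabulary are assumptions; the signal ID and the `paste_blocked` flag are the ones the listing names.

```javascript
// Added illustration, not the extension's own sanitizeClientSignals().
// Implements the allowlist behaviour the listing describes; key names and the
// severity vocabulary are assumptions for this example.

const ID_PATTERN = /^[a-z0-9_]{1,64}$/; // assumed shape of signal and timing keys
const ALLOWED_SEVERITIES = new Set(["low", "medium", "high"]); // assumed

function isHttpUrl(value) {
  try {
    const u = new URL(value);
    return u.protocol === "https:" || u.protocol === "http:";
  } catch {
    return false;
  }
}

// Returns a fresh object holding only allowlisted, well-typed fields, or null
// when the required destination URL is missing or malformed (send nothing).
// Unknown fields are never copied, so they fail closed by construction.
function sanitizeClientSignals(payload) {
  if (payload === null || typeof payload !== "object") return null;
  if (typeof payload.destination_url !== "string" || !isHttpUrl(payload.destination_url)) return null;

  const signals = Array.isArray(payload.signals) ? payload.signals : [];
  const timing = payload.timing && typeof payload.timing === "object" ? payload.timing : {};
  const flags = payload.flags && typeof payload.flags === "object" ? payload.flags : {};

  return {
    destination_url: payload.destination_url,
    // Signal ID and severity only; any other property on a signal is dropped.
    signals: signals
      .filter(
        (s) =>
          s && typeof s === "object" &&
          typeof s.id === "string" && ID_PATTERN.test(s.id) &&
          ALLOWED_SEVERITIES.has(s.severity)
      )
      .map((s) => ({ id: s.id, severity: s.severity })),
    // Timing metadata: non-negative integer millisecond deltas under known-shape keys.
    timing: Object.fromEntries(
      Object.entries(timing).filter(([k, v]) => ID_PATTERN.test(k) && Number.isInteger(v) && v >= 0)
    ),
    // Boolean flags only; strings and numbers cannot carry content through here.
    flags: Object.fromEntries(
      Object.entries(flags).filter(([k, v]) => ID_PATTERN.test(k) && typeof v === "boolean")
    ),
  };
}

// Constructed payload mixing legitimate signals with data that must never leave the device.
const rawPayload = {
  destination_url: "https://example.test/verify",
  signals: [
    { id: "instruction_to_execute_recent_copy", severity: "high", evidence: "<copied text, never sent>" },
    { id: "NOT A VALID ID", severity: "high" },
  ],
  timing: { copy_to_navigate_ms: 1500, note: "free text" },
  flags: { paste_blocked: true, password: "hunter2" },
  clipboard_text: "<copied text, never sent>",
  cookies: "session=abc",
  page_html: "<html>...</html>",
};
console.log(JSON.stringify(sanitizeClientSignals(rawPayload), null, 2));
```

The important design choice is that the output is built from scratch rather than by deleting known-bad keys from the input: a denylist would let a new field through the moment someone added it to the client, whereas this shape cannot emit a key it was not written to emit.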
PhishWatch does not maintain user accounts, does not build behavioral profiles, and does not sell data.
─── DESIGNED FOR SECURITY-AWARE USERS ───
• Manifest V3 with strict permissions model
• No use of eval() or dynamic script injection
• CSP-compatible implementation
• Deterministic, explainable detections — no black-box AI classification
• Fail-open design: detection uncertainty always resolves to allowing navigation
• All warnings are overridable — PhishWatch never locks you out
─── WHO USES PHISHWATCH ───
PhishWatch is designed for individuals who want runtime protection against credential theft, security professionals who need browser-layer visibility into post-click behaviour, cryptocurrency users targeted by sophisticated phishing campaigns, and small businesses without enterprise security tooling.
PhishWatch complements — and does not replace — email filters, endpoint protection, and password managers. It operates at the one layer those tools cannot observe: inside your browser, at the moment you act.
─── SCOPE AND LIMITATIONS ───
PhishWatch focuses on runtime interruption of risky browser transitions. It does not scan email inboxes, detect endpoint malware, audit other installed extensions, or guarantee protection against all phishing attacks. No security tool can make that claim. What PhishWatch does is interrupt the chain at a specific, structural point — before credentials are submitted to the wrong origin.
Privacy policy: https://phishwatch.io/privacy
Website: https://phishwatch.io