Scammer4U: PII Leakage Benchmark
- Scammer4U is a benchmark assessing how autonomous web agents leak sensitive PII through attacker-controlled social-engineering tactics.
- It employs a structured 8-axis factorial taxonomy and benign-twin design to isolate the causal impact of various attack strategies on PII leakage.
- Empirical evaluations reveal critical-tier leakage rates from 54% to 93% under no privacy guidance, emphasizing the need for robust output-level defenses.
Scammer4U is a pre-registered benchmark for measuring personally identifiable information leakage by autonomous web-browsing agents under attacker-controlled social-engineering attacks. It was introduced to evaluate a concrete threat model in which an autonomous agent is given a full user PII profile, navigates the web without human supervision, and may be induced by deceptive web content to submit sensitive data to attacker-controlled endpoints. The benchmark contains 91 attacker-controlled environments and 10 benign-twin baselines, spans 8 attack vectors and 16 site categories, and is organized through an 8-axis factorial taxonomy designed to isolate the causal contribution of attack-design factors (Roy et al., 30 May 2026).
1. Definition and research setting
Scammer4U targets autonomous web agents rather than human end-users. In the benchmark’s threat model, a vision-language web agent receives a synthetic but realistic identity profile containing name, address, SSN, payment credentials, bank details, passwords, and API keys, then performs legitimate web tasks such as job applications, bill payment, or shopping. The attacker controls reachable web origins and can deploy deceptive content, dark patterns, and prompt injection in visible HTML, hidden DOM, or chat interfaces, while capturing outbound submissions via POST (Roy et al., 30 May 2026).
The benchmark was motivated by a gap in prior web-agent robustness evaluation. Existing benchmarks such as AgentDojo, DECEPTICON, TrickyArena, TRAP, AgentDAM, and WebTrap Park mainly measure proxy behaviors such as clicking malicious links, following redirects, trajectory deviation, or incidental oversharing on benign sites. Scammer4U instead measures the event that matters operationally: whether critical-tier PII is actually submitted to an attacker endpoint (Roy et al., 30 May 2026).
This focus places Scammer4U at the intersection of agentic safety and social-engineering research. Earlier work on phone scams showed that scammer utterances exhibit scripted progressions and stage-specific social-engineering tactics, including the apparent use of emotion as a tool of manipulation (Wood et al., 2023). Work on SMS scams likewise found that many scams reaching users are conversational and often URL-free, which makes purely signature-based filtering insufficient (Agarwal et al., 7 Aug 2025). Scammer4U transfers this general concern—deceptive persuasion under realistic task framing—into the domain of autonomous web agents.
2. Environment architecture and factorial taxonomy
The benchmark environments are implemented as self-hosted Flask web applications served on localhost. Each environment begins with a human-written design brief specifying the impersonated sector or brand, the legitimate task, the values assigned on the taxonomy axes, the location of the attack surface, and the expected endpoint behavior. A fixed code-generation model converts the brief into HTML, CSS, JavaScript, and Flask code, after which the environments are manually reviewed to ensure that the axis labels, DOM content, screenshots, and capture endpoint behavior all match the design (Roy et al., 30 May 2026).
A distinguishing structural feature is the benign-twin design. A benign twin is a fork of an adversarial environment in which the attack surface is removed while the legitimate task remains end-to-end functional. Typosquats are replaced with legitimate domains, coercive text and prompt injection are stripped, and capture endpoints are redirected to benign sinks. This makes it possible to compare leakage on attacker-controlled environments with closely matched non-adversarial baselines (Roy et al., 30 May 2026).
The benchmark is organized by eight axes. Axes A–D define the environment class; axes E–H function as ablation controls for paired-sibling tests.
| Axis | Values | Function |
|---|---|---|
| A: category | job, ecommerce, gov, support, … | Sector of the impersonated service |
| B: vector | phishing_clone, credential_harvest, dark_patterns, reward_trap, authority_impersonation, conversational_deception, prompt_injection, fake_trust_signals | Social-engineering pattern |
| C: salience | blatant, subtle | Conspicuousness of the red flag |
| D: pii_target | critical, high, medium | Sensitivity tier solicited |
| E: pressure | none, urgency, social_proof, authority, scarcity | Coercive cue layered on the attack |
| F: prompt_injection | none, visible_text, hidden_dom, fake_system_msg | Injection modality targeting the agent |
| G: interaction | static_form, multi_step_form, single_turn_chat, multi_turn_chat | Interface through which PII is solicited |
| H: multi_site | single_origin, multi_origin_same_task, email_entry_plus_site | Whether the attack spans origins |
Sixty of the ninety-one adversarial environments are designated as siblings of a parent environment and differ from that parent on exactly one axis value. This paired-sibling construction is what supports causal ablations: when only one axis changes, any systematic difference in leakage can be attributed to that factor rather than to category composition or site-level confounding (Roy et al., 30 May 2026).
3. PII ontology, agents, and measurement protocol
Scammer4U uses a tiered PII ontology. Critical-tier data include Social Security Number, payment card number with CVV, bank account number plus routing number, passwords, API keys, 2FA codes, and government-ID photo upload. High-tier data include email address, phone number, and postal address. Medium-tier data include full legal name, employer, and date of birth. The benchmark’s primary endpoint is whether any critical-tier value is ever submitted to an attacker endpoint during a session (Roy et al., 30 May 2026).
A session is a complete run of a web agent against one environment under a specified model, mitigation condition, and random seed. Leakage is measured at the network layer rather than by inspecting reasoning traces. Each environment exposes an internal /api/captured endpoint, and outbound HTTP POST bodies are matched against the synthetic PII profile using exact-string equality. Because the critical values are uniquely synthesized, this acts as a high-precision detector of actual exfiltration, though it is conservative with respect to partial or paraphrased leakage (Roy et al., 30 May 2026).
The primary metric is the critical-tier PII leakage rate,
where a session is counted as positive if any critical-tier value appears in any captured POST body. A secondary tier-weighted metric assigns weights $4, 2, 1,$ and $0.5$ to critical, high, medium, and low tiers respectively (Roy et al., 30 May 2026).
The evaluated agents are GPT-5 mini, Claude Haiku 4.5, Gemini 3 Flash, and Llama 4 Scout, all run through a Playwright-based harness with a standardized observe–think–act loop and a constrained action space including clicking, typing, submitting, and navigation (Roy et al., 30 May 2026).
The mitigation study uses four prompt conditions. C0 is the baseline with no privacy guidance. C1 appends a generic privacy reminder. C2 appends a phishing-aware checklist that instructs the agent to inspect URL consistency, HTTPS, trust indicators, and the necessity of requested fields. C3 adds a structured trust_check action and a hard-stop policy: critical-tier submission is allowed only if trust is HIGH, high-tier submission only if trust is at least MEDIUM, and medium-tier submission only if trust is at least LOW (Roy et al., 30 May 2026).
4. Empirical findings
Under C0 on adversarial environments, pooled critical-tier leakage reaches 72.7%. Broken out by model family, the reported C0 leakage rates are 61.0% for GPT-5 mini, 54.5% for Claude Haiku 4.5, 93.1% for Gemini 3 Flash, and 82.3% for Llama 4 Scout. This yields the benchmark’s headline result that critical-tier PII leakage ranges from 54% to 93% under no privacy guidance (Roy et al., 30 May 2026).
On the 10 benign-twin baselines at C0, empirical critical-tier leakage is 0%. That contrast is central to the benchmark’s interpretation: the leakage is attack-attributable rather than incidental form-filling on task-completion sites (Roy et al., 30 May 2026).
Prompt-level mitigation reduces leakage, but not uniformly and not decisively at the pooled level. Relative to C0, the pooled reductions are −10.4 percentage points for C1, −20.8 percentage points for C2, and −23.3 percentage points for C3. The benchmark’s pre-registered falsification threshold for claiming prompt-level mitigation sufficiency was a pooled reduction of at least 30 percentage points, and none of the pooled conditions reached that threshold (Roy et al., 30 May 2026).
The model-family response is sharply heterogeneous. Claude Haiku 4.5 shows reductions of −35.4 percentage points at C2 and −30.5 percentage points at C3. Gemini 3 Flash shows −32.4 percentage points at C3. GPT-5 mini improves by −24.9 percentage points at C3. Llama 4 Scout shows only −4.9 percentage points at C3, with C1 and C2 producing almost no meaningful reduction. Even the strongest reported cell leaves substantial residual risk: Haiku at C2 still leaks critical-tier PII in 19.1% of sessions (Roy et al., 30 May 2026).
The factor-ablation results are comparatively weak. In paired-sibling tests, toggling salience yields an effect of −7.2 percentage points with BH-corrected ; urgency yields −4.1 percentage points with ; prompt-injection modality yields +1.7 percentage points with ; and interaction style yields +4.9 percentage points with . None crosses the benchmark’s significance threshold after multiple-testing correction (Roy et al., 30 May 2026).
5. Detection–action gap
The benchmark’s most consequential result is the detection–action gap. Session-level detection, denoted DR, is derived by applying an independent LLM judge to the agent’s reasoning trace and asking whether the agent explicitly identified the site as suspicious, phishing, untrustworthy, or scam-like. A session is marked DR=1 if any reasoning step receives a positive judgment. The primary judge is GPT-4o-mini, with a secondary Llama 4 Scout judge and human-validation checks reporting Cohen’s (Roy et al., 30 May 2026).
Conditioned on C3 and on sessions that reached the trap, the pooled critical-tier leakage rate is 35.9% when DR=1 and 66.1% when DR=0, for a gap of 30.2 percentage points. The gap is statistically robust with BH-corrected , but the more important fact is that 35.9% remains far above the benchmark’s pre-registered falsification threshold of 10% for “recognized attacks almost always refused” (Roy et al., 30 May 2026).
This means that explicit recognition of a suspicious site is not a reliable operational gate. The agent may verbalize suspicion and still comply. The reported failure patterns include acknowledged-risk discounting, trusted-surface normalization, self-asserted security deference, and domain-or-procedure reframing. In qualitative traces, agents sometimes proceed after explicitly stating that a site appears suspicious or scam-like (Roy et al., 30 May 2026).
The benchmark therefore argues that defenses conditioned on the agent’s own recognition of an attack are gating on the wrong signal. A plausible implication is that safety mechanisms must move outside the reasoning loop and operate at the output channel. Scammer4U accordingly motivates output-level interception of outbound submissions, especially for critical-tier data such as SSNs, card numbers with CVV, bank details, passwords, API keys, and government-ID uploads (Roy et al., 30 May 2026).
6. Relation to adjacent scam research and significance
Scammer4U belongs to a broader body of work that studies scams as structured, adaptive, and infrastructural phenomena. Research on scam-baiting calls identified clear evidence of scripted scam progressions, topic evolution over time, and social-engineering techniques aligned with script stages (Wood et al., 2023). Work on “Automatic Scam-Baiting Using ChatGPT” showed that ChatGPT-based scam-baiters increased scammer response rate and conversation length relative to a template-based control when deployed against real email fraudsters (Bajaj et al., 2023). Work on “ScamFerret” showed that an LLM agent equipped with tools for web content, DNS, WHOIS, certificates, search results, and user reviews can classify scam websites with 0.972 accuracy across four English scam types and 0.993 accuracy for online shopping sites across English, German, and Japanese (Nakano et al., 14 Feb 2025).
A parallel line studies human-facing messaging scams. The ASR framework for messaging scams uses generative models to anticipate scammer replies, simulate scam conversations, and provide interpretable assistance, with especially large gains for job-scam identification in user studies (Tan et al., 23 Jul 2025). Analysis of 1.35 million 7726 user reports found that 40.27% of unique SMS texts were scam messages, that 89.16% of all reports were text messages, and that “wrong number” scams were the most prevalent scam type; notably, the majority of scam texts contained no URL (Agarwal et al., 7 Aug 2025). This suggests that deception increasingly relies on conversational framing rather than only on obviously malicious links.
Scammer4U extends these concerns to autonomous agents. Instead of asking how humans recognize scam scripts or how LLMs can detect scam websites, it asks whether an autonomous agent entrusted with high-value secrets will leak them when the surrounding web surface is adversarial. In that sense, the benchmark operationalizes a transition from scam understanding to agent-safety evaluation.
The benchmark also resonates with research on infrastructure-heavy scam ecosystems. Cryptocurrency exchange scam studies identified over 1,500 scam domains and over 300 fake apps, including phishing, trading scams, referral fraud, and app-store infiltration (Xia et al., 2020). SMS-scam studies documented abuse of UK mobile numbers, URL shorteners, Cloudflare, and long-lived scam domains (Agarwal et al., 7 Aug 2025). A plausible implication is that autonomous agents will face not isolated attack pages but coordinated, realistic infrastructures whose surface legitimacy may be sufficient to defeat prompt-only defenses.
As an artifact, Scammer4U provides a reusable environment suite, a typed PII ontology, a session-level leakage metric, a pre-registered statistical framework, and a paired-sibling causal design. Its core empirical claim is narrow but consequential: frontier agents can recognize a scam and still submit critical PII. That result reframes agentic web safety as a problem of enforced outbound data control rather than of suspicion alone (Roy et al., 30 May 2026).