This work addresses the limited effectiveness and robustness of vision-based phishing website detection models in real-world deployment. We construct the first large-scale benchmark comprising 451,000 real-world phishing websites, revealing a significant performance gap between controlled experiments and operational data. From an attacker’s perspective, we systematically categorize three evasion strategies—model pipeline attacks, benign logo imitation, and logo removal—and propose a dual-dimensional adversarial evaluation framework balancing perceptibility and perturbation intensity. Through black-box testing, logo-level adversarial example generation, and statistical robustness quantification, we find that state-of-the-art models are highly vulnerable to lightweight attacks such as logo removal. Based on these findings, we propose actionable robustness enhancement pathways. Our work provides both theoretical foundations and practical guidelines for deploying vision-based phishing detection systems in production environments.

Phishing attacks pose a significant threat to Internet users, with cybercriminals elaborately replicating the visual appearance of legitimate websites to deceive victims. Visual similarity-based detection systems have emerged as an effective countermeasure, but their effectiveness and robustness in real-world scenarios have been underexplored. In this paper, we comprehensively scrutinize and evaluate the effectiveness and robustness of popular visual similarity-based anti-phishing models using a large-scale dataset of 451k real-world phishing websites. Our analyses of the effectiveness reveal that while certain visual similarity-based models achieve high accuracy on curated datasets in the experimental settings, they exhibit notably low performance on real-world datasets, highlighting the importance of real-world evaluation. Furthermore, we find that the attackers evade the detectors mainly in three ways: (1) directly attacking the model pipelines, (2) mimicking benign logos, and (3) employing relatively simple strategies such as eliminating logos from screenshots. To statistically assess the resilience and robustness of existing models against adversarial attacks, we categorize the strategies attackers employ into visible and perturbation-based manipulations and apply them to website logos. We then evaluate the models' robustness using these adversarial samples. Our findings reveal potential vulnerabilities in several models, emphasizing the need for more robust visual similarity techniques capable of withstanding sophisticated evasion attempts. We provide actionable insights for enhancing the security of phishing defense systems, encouraging proactive actions.