Existing phishing detection models perform well under static evaluation but exhibit insufficient robustness against evasion attacks involving feature manipulation, and lack systematic analysis of the relationship between attack cost and feature controllability. This work proposes a cost-aware evasion attack framework that models discrete, monotonic feature modifications under an attacker’s budget constraint, formally proving—for the first time—that the upper bound of adversarial robustness is governed by feature-level economics rather than model complexity. To this end, we introduce three diagnostic metrics: Minimum Evasion Cost (MEC), Evasion Survival Rate S(B), and Robustness Concentration Index (RCI), and evaluate multiple state-of-the-art models on the UCI Phishing dataset. Experiments reveal that over 80% of low-cost successful attacks target just three surface-level features; significant robustness gains emerge only when these low-cost manipulable features are entirely removed; and under budget-constrained attacks, model robustness converges across different architectures.

Phishing detectors built on engineered website features attain near-perfect accuracy under i.i.d.\ evaluation, yet deployment security depends on robustness to post-deployment feature manipulation. We study this gap through a cost-aware evasion framework that models discrete, monotone feature edits under explicit attacker budgets. Three diagnostics are introduced: minimal evasion cost (MEC), the evasion survival rate $S(B)$, and the robustness concentration index (RCI). On the UCI Phishing Websites benchmark (11\,055 instances, 30 ternary features), Logistic Regression, Random Forests, Gradient Boosted Trees, and XGBoost all achieve $\mathrm{AUC}\ge 0.979$ under static evaluation. Under budgeted sanitization-style evasion, robustness converges across architectures: the median MEC equals 2 with full features, and over 80\% of successful minimal-cost evasions concentrate on three low-cost surface features. Feature restriction improves robustness only when it removes all dominant low-cost transitions. Under strict cost schedules, infrastructure-leaning feature sets exhibit 17-19\% infeasible mass for ensemble models, while the median MEC among evadable instances remains unchanged. We formalize this convergence: if a positive fraction of correctly detected phishing instances admit evasion through a single feature transition of minimal cost $c_{\min}$, no classifier can raise the corresponding MEC quantile above $c_{\min}$ without modifying the feature representation or cost model. Adversarial robustness in phishing detection is governed by feature economics rather than model complexity.