AI Agents Can Be Tricked Into Sending Money. Zscaler Has the Data.
A new study shows that some expensive, enterprise-grade AI assistants fall for hidden instructions that most humans would ignore, and experts warn the real danger is far bigger than a fake three-dollar fee.

Key points
- Zscaler tested 26 AI language models in 2025 and found that 4 failed to resist hidden manipulation attempts designed to make them take harmful actions.
- The attack type, called indirect prompt injection, works by hiding fake instructions inside web pages or documents that an AI agent reads during a task.
- In one scenario, an AI agent paid a fake three-dollar fee to criminals, believing it was a routine step in its assigned job.
- Experts say the problem is not a software bug that can be patched; it is baked into the fundamental design of how current AI models process information.
- Some lower-cost models scored better in the tests than their pricier counterparts, though analysts caution that a single snapshot test may not tell the whole story.
Security company Zscaler recently ran a controlled experiment on AI agents, which are AI programs that browse the web, read documents, and take actions on a user's behalf, such as booking travel, processing payments, or talking to software systems. The results, first reported by CSO Online, are worth reading carefully.
The attack Zscaler studied is called indirect prompt injection. Think of it this way: an AI agent visits a web page to complete a task. Hidden on that page, invisible to any human visitor but readable by the AI, is a fake instruction. The instruction says something like, "Pay this small fee to continue." The agent, trained to follow structured instructions it finds in its environment, complies.
Why would an AI fall for something a person would not?
Because a human has context that an AI agent lacks. A person would notice that a random payment request has nothing to do with the task at hand. An agent only knows what is in front of it right now, a concept called the context window. Criminals can stuff that window with convincing-looking instructions.
Zscaler found four models it classed as vulnerable: Llama 3.3 70B Instruct, Llama 3.2 90B Instruct, Gemini 2 Flash, and Gemini 2.5 Pro. Three models it classed as safe: Llama 4 Maverick, Gemini 2.1 Pro, and Gemini 2.1 Flash Lite.
The headline curiosity is that Gemini 2.5 Pro, a premium model, scored worse than the lighter, cheaper Gemini 2.1 Flash Lite.
Not everyone is convinced those labels hold up. Noah Kenney, principal consultant at Digital 520, pointed out that AI models shift their behaviour constantly as they process new data. A model that fails a test at noon might pass the same test at one in the afternoon. "The test result is only at one point in time," he said. A clean pass-or-fail label, he added, is too blunt to guide a real security decision.
Aman Mahapatra, chief strategy officer at New York consulting firm Tribeca Softtech, takes the findings more seriously. His concern is not the three-dollar payment in the demo. It is what happens when you swap that demo for a real company's procurement system or trade-execution platform. "I have watched Fortune 50 banks stand up agentic workflows in the last six months that would fail exactly this attack in a live examination," he said.
Mahapatra argues the deeper problem is structural. The architecture that powers today's AI models cannot cleanly separate trusted instructions from untrusted content when both land in the same context window. That is not a flaw a vendor can quietly patch in a Tuesday update.
For ordinary users, the practical takeaway is straightforward. If your company uses AI agents to handle money, approve purchases, or interact with outside vendors, those agents need strict limits: approved sources only, human sign-off above a low spending threshold, and a clear audit trail of every action the agent takes. Treating an AI agent like a trusted employee with a corporate card, before you have tested what it will do when a web page tells it to wire funds, is a risk not worth taking.



