Every defense online is one step behind.
The toolkit hasn't changed in twenty years: a badge to display, a list to block, a takedown to file, a warning to teach. All reactive. All breakable. All trivially out-scaled by AI.
Anything visual can be copied.
Trust badges, verified ticks, security seals — they are pixels. A fake site renders them perfectly. The badge proves nothing unless the user can independently check it, and almost nobody does.
You can only block what's already burned.
Blocklists work after the damage. By the time a domain is flagged, the campaign has moved on to a hundred fresh ones. The half-life of a scam domain is measured in hours.
You shouldn't have to be a forensic analyst.
Telling people to "check the URL" or "look for the padlock" puts the burden on the wrong side. Even experts get fooled — and that was before AI cleaned up the tells.
The fix isn't smarter users. It's a layer where what's real can be verified, by anyone, in one move.