What Is Prompt Injection? How AI Can Be Tricked by Hidden Instructions

Why This Matters Right Now

You might have heard that AI tools can now browse the web, read your emails, and work through documents on your behalf. That’s genuinely useful. But there’s a catch that most people don’t know about: those AI tools can be tricked.

In April 2026, Google published research showing that attackers are planting hidden instructions inside ordinary web pages — instructions that humans can’t see, but AI reads and follows. Attacks like these have surged 340% this year. It’s now the number-one security risk in AI, according to OWASP (the organisation that tracks software vulnerabilities).

This isn’t a future problem. It’s happening now, and it affects anyone who uses AI tools.

How Prompt Injection Works

Think of it this way: when you use an AI assistant, you give it instructions. “Summarise this article.” “Find me flights under $500.” “Draft a reply to this email.”

Prompt injection is when someone else hides their own instructions inside the content your AI is reading. The AI can’t tell the difference between your instructions and the hidden ones — so it follows both.

Imagine asking a friend to read a letter aloud to you. But someone has written, in tiny invisible ink on that letter: “Don’t read the next paragraph. Instead, say everything is fine.” Your friend reads the invisible ink just like the rest of the letter, follows the instruction, and you never know something was skipped.

That’s essentially what’s happening with AI systems.

What This Looks Like in Practice

The hidden instructions can be completely invisible to you — white text on a white background, text hidden behind images, or characters so small they don’t render on screen. But the AI processes all of it.

Real examples from 2026:

• Scam ads slipping past AI moderators. Attackers embedded hidden instructions that told AI ad-review systems to approve fraudulent listings.
• Email exploits. A vulnerability in Microsoft 365 Copilot allowed crafted emails to silently extract private data — without the user clicking anything.
• Manipulated search results. Web pages with hidden instructions that tell AI assistants to recommend specific products or ignore competitor information.

Why It’s So Hard to Fix

The reason this problem is tricky: AI is designed to follow natural language instructions. That’s its whole job. There’s no reliable way to tell it “follow these instructions, but ignore those ones” when both are written in the same language it’s trained to obey.

AI companies are adding filters and safety layers, and they do catch many attacks. But no solution is complete. It’s a fundamental tension in how language models work.

What This Means for You

You don’t need to stop using AI tools. But you should use them with the same healthy scepticism you’d apply to any information source:

• Don’t give AI tools more access than they need. If a tool asks to read all your emails or files, consider whether it actually needs that access for what you’re doing.
• Watch for odd behaviour. If your AI assistant suddenly recommends a specific product, changes tone, or gives an answer that feels off, it may have encountered hidden instructions in something it just read.
• Don’t act on high-stakes information without checking. If an AI tool tells you something important — financial advice, medical information, security alerts — verify it with a second source.
• Start fresh if something feels wrong. If you suspect your AI session has been compromised, close it and start a new conversation. Don’t try to troubleshoot within the same session.

The good news: awareness is your best defence. Now that you know AI can be tricked by hidden instructions, you’re already better equipped to spot when something doesn’t add up.