Phishing detectors built on engineered website features attain near-perfect accuracy under i.i.d.\ evaluation, yet deployment security depends on robustness to post-deployment feature manipulation. We study this gap through a cost-aware evasion framework that models discrete, monotone feature edits under explicit attacker budgets. Three diagnostics are introduced: minimal evasion cost (MEC), the evasion survival rate $S(B)$, and the robustness concentration index (RCI). On the UCI Phishing Websites benchmark (11\,055 instances, 30 ternary features), Logistic Regression, Random Forests, Gradient Boosted Trees, and XGBoost all achieve $\mathrm{AUC}\ge 0.979$ under static evaluation. Under budgeted sanitization-style evasion, robustness converges across architectures: the median MEC equals 2 with full features, and over 80\% of successful minimal-cost evasions concentrate on three low-cost surface features. Feature restriction improves robustness only when it removes all dominant low-cost transitions. Under strict cost schedules, infrastructure-leaning feature sets exhibit 17-19\% infeasible mass for ensemble models, while the median MEC among evadable instances remains unchanged. We formalize this convergence: if a positive fraction of correctly detected phishing instances admit evasion through a single feature transition of minimal cost $c_{\min}$, no classifier can raise the corresponding MEC quantile above $c_{\min}$ without modifying the feature representation or cost model. Adversarial robustness in phishing detection is governed by feature economics rather than model complexity.

翻译：基于工程化网站特征的钓鱼检测器在独立同分布评估下可达近乎完美的准确率，但部署安全性取决于对部署后特征操控的鲁棒性。我们通过一个成本感知的逃避框架研究这一差距，该框架在显式攻击者预算约束下对离散单调特征编辑进行建模。引入三项诊断指标：最小逃避成本（MEC）、逃避存活率 $S(B)$ 及鲁棒性集中指数（RCI）。在UCI钓鱼网站基准数据集（11\,055个实例，30个三元特征）上，逻辑回归、随机森林、梯度提升树及XGBoost在静态评估中均达到$\mathrm{AUC}\ge 0.979$。在预算约束的净化式逃避场景下，各架构的鲁棒性趋于收敛：全特征集的中位数MEC为2，且超过80%的最小成本成功逃避集中在三个低成本表面特征上。特征约束仅在移除所有主导性低成本转移时才能提升鲁棒性。在严格成本计划下，基础设施倾向特征集对集成模型存在17-19%的不可行质量，而可逃避实例的中位数MEC保持不变。我们形式化该收敛性：若正确检测的钓鱼实例中正比例部分可通过单一最小成本$c_{\min}$的特征转移实现逃避，则任何分类器在不修改特征表示或成本模型的情况下，均无法将相应MEC分位数提升至$c_{\min}$以上。钓鱼检测中的对抗鲁棒性由特征经济学主导，而非模型复杂度。