- What: Websites and apps use dark patterns that trick users into making insecure choices.
- Why: These manipulative designs undermine users' ability to make informed security decisions.
- Impact: Users are more likely to engage in inadequate security behaviors, making them vulnerable to various threats.
Arielle Waldman, Features Writer, Dark Reading
February 3, 2026

Cookie banners with no "reject" option. Free trial subscriptions that are absurdly difficult to cancel. Hidden refund options. Misleading requests for email access. The list of dark patterns, deceptive user interface designs that toe the line between malicious and benign, grows longer by the year.

Organizations plaster dark patterns across their websites as a marketing tactic or in the name of user experience. But they can be designed in ways that lure consumers into blindly handing over more money or personal data. While many of these practices appear innocuous, dark patterns can erode security awareness, compromise security within an organization, and pose significant privacy concerns.

The Federal Trade Commission (FTC) warned in 2024 that dark-pattern techniques can "steer customers to take actions they would not have otherwise taken." The most recent data from an analysis by the FTC and the International Consumer Protection and Enforcement Network found that nearly 76% of the sites and apps reviewed employed at least one possible dark pattern, and nearly 67% used more than one.

Legislation at many levels looks to restrict dark patterns. The California Privacy Protection Agency issued an enforcement advisory in 2024 prohibiting the use of dark patterns and urging businesses to use "clear, easy-to-understand language offering privacy choices." The European Union's Digital Services Act bars online platforms from designing, organizing, or operating their interfaces "in a way that deceives or manipulates the user." Avoiding dark patterns is the right thing to do, says Danie Strachan, senior privacy counsel at VeraSafe, "but now you can point to laws."

Dark Patterns Compromise Security

Despite legislative actions launched years ago, dark patterns remain an ongoing threat.
An entire Reddit thread highlights the pervasive issue; many people reported feeling duped by refund processes and product sign-ups that steer them to the most expensive option. If people knew what those technologies would do, what information would be accessed, or that someone else would be spying on them, they wouldn't blindly accept the terms, Strachan says. Cookies seem relatively innocent, but people don't realize that many of them share data with third parties that may not have been vetted.

Dark patterns undermine security awareness because they desensitize users, removing the opportunity to pause and think, "Should I be checking this?" before clicking. Some websites and platforms have extensive terms of service or privacy policies that go unread. Users have become conditioned to clicking boxes and cookie banners; it has become "status quo," says Strachan. "Since you're so used to it, if a bad actor uses the pattern, you may not even realize something has gone wrong," he warns.

Threat actors abuse one-time-password requests because fraudsters know humans are used to these prompts, Strachan says. They also take advantage of users being drawn to great deals or amazing specials; Black Friday is the best time to use dark patterns, he adds. And then, before users know it, their credit card information has been stolen.

Vendors Make Surprise Changes

Nudge Security examined how dark pattern-influenced behavior can compromise an organization's security. Researchers found plenty of examples, starting with the Retool breach. The developer platform disclosed it was breached in 2023 following a vishing attack in which a threat actor tricked an employee into giving up a one-time-password code. Retool eventually blamed Google Authenticator: the app had synced the employee's multifactor authentication (MFA) seeds, the secrets from which the codes are generated, to the cloud, which provided the attacker with additional access.
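The Retool incident above turns on a detail the article only gestures at: an authenticator app (and any cloud backup of it) stores the per-account seed, not individual codes, so whoever holds a copy of the seed produces exactly the codes the victim's phone does. The following is an added example written for this page, not code from the article, Retool, or Google: a minimal RFC 6238 TOTP generator with the matching server-side check, fed a constructed enrollment URI for a hypothetical account whose seed is the RFC's own test vector.

```python
"""Why a cloud-synced authenticator is a single point of failure.

Added example, not code from the article, Retool, or Google: a minimal
RFC 6238 TOTP implementation plus the server-side check. What an
authenticator app stores, and what a cloud backup copies, is the
per-account seed. Anyone holding the seed produces the same codes as the
victim's phone, so a compromised cloud account yields every second factor.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse

STEP = 30  # RFC 6238 default time step in seconds


def totp(secret: bytes, unix_time: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HMAC over the big-endian time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, algo).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify(secret: bytes, candidate: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check, tolerating +/- `window` steps of clock drift."""
    return any(
        hmac.compare_digest(totp(secret, unix_time + k * STEP), candidate)
        for k in range(-window, window + 1)
    )


def seed_from_otpauth(uri: str) -> bytes:
    """Recover the raw seed from an otpauth:// enrollment URI (the QR-code payload)."""
    b32 = parse_qs(urlparse(uri).query)["secret"][0].upper()
    b32 += "=" * (-len(b32) % 8)  # authenticator apps usually strip Base32 padding
    return base64.b32decode(b32)


# Constructed enrollment URI for a hypothetical account. The seed is the RFC 6238
# test vector ("12345678901234567890"), so the codes can be checked against the RFC.
ENROLLMENT_URI = (
    "otpauth://totp/ExampleCorp:alice@example.com"
    "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=ExampleCorp"
)


def backup_holder_authenticates(uri: str, unix_time: int) -> bool:
    """Simulate an attacker who restored the synced seed onto their own device."""
    seed = seed_from_otpauth(uri)
    attacker_code = totp(seed, unix_time)  # computed without the victim's phone
    return verify(seed, attacker_code, unix_time)


if __name__ == "__main__":
    seed = seed_from_otpauth(ENROLLMENT_URI)
    print("victim phone :", totp(seed, 1111111111))
    print("cloud backup :", totp(seed, 1111111111))
    print("attacker accepted:", backup_holder_authenticates(ENROLLMENT_URI, 1111111111))
```

The two "devices" are the same function call on the same seed; that is the whole point. Nothing in the TOTP protocol distinguishes the original phone from a copy, so the security of the second factor collapses to the security of wherever the seed is stored, including a cloud account that a sync feature quietly enrolled.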
Google had made it easier for users to mistakenly click a button that synced MFA codes to the cloud to "get as many users as they can in the cloud subscriptions," explains Jaime Blasco, co-founder and CTO of Nudge Security. That is concerning from a security perspective, he adds. "The problem with that is if an attacker gets access to a Google account, the MFA code can be accessed," Blasco says. "It's easy for an attacker to exploit that."

Postman implemented a similar change when the API platform pushed a cloud subscription, Blasco says. API keys stored on local desktops were suddenly synced to the cloud, leaving users with credentials held by a third party without having signed off on it. Postman did not even have a conversation with users to make sure they understood the security concerns, he adds.

'Sneaky' SaaS Companies

More recently, Nudge Security observed another dark pattern-related risk: shadow software-as-a-service (SaaS). Common SaaS dark patterns include "sneaky pricing surprises, forced feature bundling, and difficult account cancellations," according to the company's blog post.

Blasco offered Otter.AI as one SaaS company he has observed acting "sneaky." "We got all of these emails from customers asking for help, saying, 'We don't use Otter.AI,' but all of a sudden they're seeing hundreds of people in their organization," Blasco says. Nudge's investigation found the transcription service sends emails at the end of a call telling guests they have to create an Otter.AI account if they want to access the recording. It then automatically emails all participants, forces them to log in, asks about other meetings they've had, and emails the guests of those meetings as well, Blasco explains. "All of a sudden, you have all of these organizations with thousands of accounts being created," he says, noting that Otter.AI also requests email and calendar access.
This behavior puts organizations at risk because if security teams don't know it's happening, and Otter for some reason suffered a breach, attackers could gain access to organizations that aren't even customers, Blasco warns.

'The Devil Is in the Defaults'

Tiered payment plans in which SaaS providers force enterprises to pay more for basic security features like single sign-on are also "very annoying," Blasco says. The practice hits small organizations in particular: they can't pay the enterprise price, so they are left with only basic security functionality.

Blasco highlights the 2023 Microsoft email breach, which affected US government agencies, as one example. Microsoft had restricted the detailed logging that was critical for visibility to its larger customers; only those paying for the most expensive account tier had that access.

Vendors must be transparent about these practices, always ask organizations for permission first, and make features opt-in rather than opt-out by default, Blasco says. "Sometimes it's hidden in MFA or privacy policies, but no one is reading all the fine print," he notes. The option should always be opt-in, Blasco says. Technologies delivered opt-out by default (enabled until the user turns them off) are a major security concern because they put everything on the user: organizations must find the settings and switch them to be more private or secure.

"The devil is in the defaults," Jeremy Banon, CEO and founder of The Cyber Health Company, tells Dark Reading. "It's not so much that defaults undermine security awareness, but rather they stack the deck to get the ideal configuration of the product owner."

When Banon thinks of long-standing dark patterns, two Venmo features come to mind: public payments and public friends lists. Again, both are on by default and not trivial to locate and disable. "These have been used to dox personal contacts and stalk online activity," he says.
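The account sprawl described in the 'Sneaky' SaaS section above is only a problem "if security teams don't know it's happening," so the practical question is how a team would notice. Below is an added example, written for this page and not code from the article or from Nudge Security: a scan over an identity provider's audit log of third-party OAuth consent grants that flags any app outside an approved list which either obtained mail or calendar scopes or spread across many users within a short window, the growth loop the article describes. The event schema, scope names, app names and log lines are all constructed for the example; a real Google Workspace or Microsoft Entra export would need a small field mapping first.

```python
"""Shadow-SaaS detection over third-party OAuth consent events.

Added example, not code from the article or from Nudge Security: given an
identity provider's audit log of OAuth grants to third-party apps, flag apps
that are not on the approved list and that either obtained mail/calendar
scopes or spread across many users in a short time. The event schema, scope
names, app names and log lines are all constructed for this example.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

APPROVED_APPS = {"Slack", "Zoom"}                                   # hypothetical allowlist
SENSITIVE_SCOPES = {"mail.read", "calendar.read", "contacts.read"}  # hypothetical scope names

# Constructed audit log: one JSON object per consent grant, ISO-8601 UTC timestamps.
SAMPLE_LOG = """\
{"ts": "2026-01-12T09:02:11Z", "user": "ana@example.com", "app": "Slack", "scopes": ["profile"]}
{"ts": "2026-01-12T11:40:03Z", "user": "ben@example.com", "app": "MeetingNotesAI", "scopes": ["profile", "calendar.read", "mail.read"]}
{"ts": "2026-01-12T13:05:44Z", "user": "cy@example.com", "app": "MeetingNotesAI", "scopes": ["profile", "calendar.read"]}
{"ts": "2026-01-12T13:07:19Z", "user": "dee@example.com", "app": "MeetingNotesAI", "scopes": ["profile", "calendar.read", "mail.read"]}
{"ts": "2026-01-12T13:30:00Z", "user": "eli@example.com", "app": "MeetingNotesAI", "scopes": ["profile", "calendar.read"]}
{"ts": "2026-01-13T08:15:27Z", "user": "fay@example.com", "app": "MeetingNotesAI", "scopes": ["profile"]}
{"ts": "2026-01-13T10:00:00Z", "user": "gil@example.com", "app": "Zoom", "scopes": ["profile", "calendar.read"]}
{"ts": "2026-01-14T16:45:09Z", "user": "hal@example.com", "app": "DesignBoard", "scopes": ["profile"]}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into events with a real datetime; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
        except (ValueError, KeyError, AttributeError):
            continue  # one bad audit line must not abort the whole scan
    return events


def max_grants_in_window(times: list, hours: int) -> int:
    """Largest number of grants inside any sliding window of `hours` (burst size)."""
    times = sorted(times)
    best = lo = 0
    for hi in range(len(times)):
        while times[hi] - times[lo] > timedelta(hours=hours):
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def shadow_saas_report(events, approved=APPROVED_APPS, sensitive=SENSITIVE_SCOPES,
                       burst_threshold=3, window_hours=24) -> dict:
    """Aggregate grants per app and explain why each unapproved app is flagged."""
    per_app = defaultdict(lambda: {"users": set(), "scopes": set(), "times": []})
    for e in events:
        rec = per_app[e["app"]]
        rec["users"].add(e["user"])
        rec["scopes"].update(e.get("scopes", []))
        rec["times"].append(e["ts"])

    report = {}
    for app, rec in per_app.items():
        if app in approved:
            continue
        reasons = []
        risky = rec["scopes"] & sensitive
        if risky:
            reasons.append("sensitive scopes: " + ", ".join(sorted(risky)))
        burst = max_grants_in_window(rec["times"], window_hours)
        if burst >= burst_threshold:
            reasons.append(f"{burst} grants within {window_hours}h")
        if reasons:
            report[app] = {"users": len(rec["users"]), "burst": burst, "reasons": reasons}
    return report


if __name__ == "__main__":
    for app, info in shadow_saas_report(parse_events(SAMPLE_LOG)).items():
        print(f"{app}: {info['users']} users; " + "; ".join(info["reasons"]))
```

Two design points matter in practice. The burst check is a sliding window rather than a per-day bucket, so a wave of invitations that straddles midnight is still counted as one event. And the allowlist is consulted before any other test: an approved app that legitimately holds calendar scopes (Zoom in the constructed log) is not reported, which keeps the output short enough that someone will actually read it.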
'A Responsibility to Win'

Dark patterns abound on the Internet, and it doesn't appear that vendor responsibility for limiting these risks will increase anytime soon. Product managers only have a responsibility to win, Banon says. "To do so, they fine-tune and remove friction so that the product can achieve its goal — more transactions, more time on the app," he says. "Unfortunately, vendors sometimes see security and privacy as frictions. The incentive is therefore unclear."

A dark pattern on its own isn't necessarily malicious. Good organizations use dark patterns, VeraSafe's Strachan says. Marketers can use clever tactics but must remember where the line is and not cross it. "The whole idea is that everything should be transparent," he says. "Users should know what they're getting into, but that's missing with a dark pattern. You don't have the information at your disposal to make an informed decision, or the platform is designed in such a way you're just being led down and don't even realize it until you see something on your credit card statement."

About the Author

Arielle Waldman, Features Writer, Dark Reading

Arielle spent the last decade working as a reporter, transitioning from human interest stories to covering all things cybersecurity in 2020. Now, as a features writer for Dark Reading, she delves into the security problems enterprises face daily, hoping to provide context and actionable steps. She looks for stories that go past the initial news to understand where the industry is going. She previously lived in Florida, where she wrote for the Tampa Bay Times, before returning to Boston, where her cybersecurity career took off at SearchSecurity. When she's not writing about cybersecurity, she pursues personal projects that include a mystery novel and a poetry collection.