Before you fill out a CAPTCHA form on a website, know a scammer could be behind it

The chances are good that you have come across a human authentication system online. In Google’s version, you are usually asked to point out things like cars, traffic lights or fire hydrants. Other websites might use the popular CAPTCHA test.

A word or phrase is usually displayed in a distorted font or typeface so that computers can’t “read” the letters; only a human can decipher the code. Interestingly, Google acquired the reCAPTCHA deployment system in 2019.

Cybercriminals are now using the same technology to target potential victims. While the use of CAPTCHA as a scam delivery system isn’t new, the frequency of online deployment has increased. Here’s what to look out for, and how to stay safe.

Here’s the backstory

Visual puzzles aren’t the preferred method for scammers. But a recent report by Proofpoint showed that attacks using CAPTCHA increased by 50 times compared to last year. The technology itself isn’t the scam, but it lends the overall scam more credibility.

Scams can be delivered through phishing emails or targeted attacks, and CAPTCHA ensures that the criminal targets a real person. It can also be used to determine where the victim is from.

Once the potential victim opens the phishing email, they might be asked to log into a website or service. To make it look more authentic, cybercriminals will insert a CAPTCHA verification. Some people will then assume that the resulting webpage is real, which it most certainly isn’t.

But why are more people falling for the CAPTCHA scam? It might have something to do with working from home.

“Remote workers may have been more distracted and cognitively taxed under the stresses of 2020. Perhaps some were even primed by new remote-work controls to see the CAPTCHA question as a normal security challenge,” the report explained.

Research also indicated that these attacks could have been linked to the Emotet botnet that caused havoc last year. A cybercriminal campaign sent out massive amounts of spam email, much of it using world events or global news as bait.

What you can do about it

Awareness of spam and phishing techniques is your first line of defense against cybercriminals. But there are also practical steps you can take to make it harder for scammers to get their hands on your details.

  • Be cautious with links – If you get an email or notification that you find suspicious, don’t click on its links. It could be a phishing attack. It’s always better to type a website’s address directly into a browser than clicking on a link.
  • Watch for typos – Phishing scams are infamous for having typos and grammatical errors. These are things to watch for in phishing emails. Take our phishing IQ test to see if you can spot a fake email.
  • Use unique passwords – Many people use the same password for multiple websites. This is a terrible mistake. If your credentials are stolen on one site and you use the same username and/or password on others, it’s simple for the cybercriminal to get into each account. Tap or click here for ways to create stronger passwords.

Interestingly, there is a good reason why most of Google’s authentication puzzles use traffic elements like crosswalks, cars and stop signs. The technology is also used to teach Google’s autonomous vehicles what to look out for through machine learning.
