In The Know: “Are you human?” New Attack Uses a CAPTCHA as Camouflage

Have you ever found yourself staring at a wobbly letter trying to decide if it is an X or a Y, just to prove to a website that you’re not a robot? This funny little test is called a CAPTCHA, and it is used to help prevent automated malicious software, known as “bots”, from accessing sensitive information. Unfortunately, cybercriminals are now using CAPTCHAs as a way to make their phishing scams seem more legitimate.

In a recent Netflix-themed attack, scammers are sending a phishing email that claims “your payment did not go through and your account will be suspended in the next 24 hours”. To resolve the issue, you’re instructed to click on a link in the email to update your information. If you click the link, you’re taken to a CAPTCHA page. Once you pass the CAPTCHA, you’re redirected to an unrelated webpage that looks like a Netflix login page. Here you’re asked to enter your username and password, your billing address, and your credit card information. Don’t be fooled! Anything entered here is sent directly to the cybercriminals.

Remember these tips:

  • Phishing emails are often designed to create a sense of urgency. In this case, “your account will be suspended in the next 24 hours”! Think before you click; the bad guys rely on impulsive clicks.
  • When an email asks you to log in to an account or online service, go to the site yourself by typing its address into your browser, not by clicking the link in the email. That way, you can ensure you’re logging into the real website and not a phony look-alike.
  • Remember, anyone can create a CAPTCHA webpage, so don’t fall for this false sense of security.

Stop, Look, and Think. Don’t be fooled.
The KnowBe4 Security Team
KnowBe4.com