The latest phishing scam targeting Microsoft 365 users puts CAPTCHA challenges in front of its fake sign-in page to convince victims that they are on a legitimate site. We took a look at the scam to find out more, and how you can avoid falling victim to this phishing tactic.
What is phishing?
Phishing is a tactic attackers use to trick people into handing over personal information, most often login credentials. Phishers pose as legitimate organisations, usually companies the target has heard of or deals with, and make contact by email, telephone call or text message. The message encourages the recipient to click a link, which leads them to a fake website.
That website is made to look like the real one, and the user is encouraged to enter their login details. From there the phisher has the account: they can sell the credentials, use them to get into other accounts (particularly where the same password has been reused), or use the foothold to install malware on the person's device, which can then collect more information. Where the phisher purports to represent a bank, the stolen details can be used to take money directly.
Phishing is also a common starting point for ransomware: malware that encrypts the files and documents on your device so that you cannot access them without paying the attacker.
What about this scam?
This phishing scam targets Microsoft 365 users, and as such is one for businesses in particular to look out for. Anyone who clicks the link in the email is taken to a web page and asked to click through three separate CAPTCHA screens before finally being prompted for their Microsoft 365 login details.
The ramifications for enterprises are huge: a phisher with access to one Microsoft 365 account compromises not only that individual's mailbox but potentially every other employee in the business, since the account can be used to send convincing internal phishing emails and to reach shared mail, files and any customer data stored within these accounts.
Let’s talk about CAPTCHA
The unique aspect of this scam is the CAPTCHA screens. A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is the challenge many sites show before a login or form submission: you confirm that you aren't a robot by ticking a box or by selecting all the photographs featuring a certain thing, such as trees or streetlights. The CAPTCHAs in this scam have reportedly asked victims to tick the 'I'm not a robot' box, then click the photos featuring bicycles, and then the photos of zebra crossings, although other images have also been used.
For the phishers, there are two benefits to using CAPTCHA screens. The first is psychological. CAPTCHAs are something users are used to clicking through on real sites, so we associate them with security rather than with a scam, even though a CAPTCHA says nothing about who runs the site: anyone can embed one on any page. To an extent, the CAPTCHA screen sets victims at ease.
The second is technical. The three CAPTCHA screens block the automated scanners that email security gateways, sandboxes and web crawlers use to follow links and check whether a page is malicious. A scanner that cannot solve the challenge only ever sees the CAPTCHA page, never the fake login form behind it, so the URL is less likely to be flagged or blocked. By gating the page this way the phishers let only real people through to the scam, which makes it all the more dangerous.
How can I avoid falling victim to this scam?
Be aware that phishers use all sorts of tricks to convince you that you're on a legitimate website, and CAPTCHAs are one of them: a CAPTCHA proves only that a person is clicking, not that the site is genuine. If you have reached a login page through a link in an email, take your time and look critically before entering any details. In particular, check the address bar: the real Microsoft 365 sign-in page is served from login.microsoftonline.com, and a page whose address merely contains that name somewhere in a longer hostname, or shows it before an '@' sign, is not the real thing.
Ultimately, the best way to protect yourself is not to click links in suspicious-looking emails, and instead to go to the website directly yourself, by typing the address or using a bookmark. It may take a little more time, but it's a lot safer for you and your business. If in doubt, contact your IT support team for assistance; they'll be able to tell whether you're looking at a legitimate email or a fake. And if you realise you have already entered your details on a page like this, change your password straight away and tell IT, so the account can be checked for sign-ins that weren't you.
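The address-bar check described above can be written down precisely. The following Python script is an added example, not code from the original post or from Transcendit. It classifies a link that claims to be a Microsoft 365 sign-in page by looking only at the hostname, and it catches the tricks that make a fake address look real: brand text before an '@' (which the browser treats as a username, not the destination), the genuine host name used as a subdomain of some other domain, raw IP addresses, and punycode hostnames. The allowlist of sign-in hosts and the sample links are assumptions constructed for the example; confirm the real sign-in hosts for your own tenant before relying on the list.

```python
"""Check where a 'Microsoft 365 sign-in' link really points.

Added example, not part of the original post. The allowlist below is an
assumption for the example: confirm the real sign-in hosts for your tenant.
"""
import ipaddress
from typing import Tuple
from urllib.parse import urlsplit

# Assumed allowlist: hosts that legitimately serve the Microsoft 365 sign-in page.
MICROSOFT_LOGIN_HOSTS = {
    "login.microsoftonline.com",
    "login.microsoft.com",
    "login.live.com",
}

# Brand words that, in any other hostname, mark a lookalike
# (e.g. login.microsoftonline.com.evil.example).
BRAND_TERMS = ("microsoft", "office365", "o365", "outlook", "sharepoint")


def check_login_link(url: str) -> Tuple[str, str]:
    """Classify a link as 'ok', 'suspicious' or 'unknown', with a reason.

    Only the hostname decides where the browser goes; the path, the query
    string and anything before an '@' are decoration the attacker controls.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return "suspicious", f"not https (scheme {parts.scheme or 'none'!r})"

    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "suspicious", "no hostname in link"

    # https://login.microsoftonline.com@evil.example/ is a link to evil.example:
    # the text before '@' is parsed as a username, not as the destination.
    if parts.username is not None:
        return "suspicious", f"brand text before '@'; real host is {host!r}"

    # A bare IP address is never the real sign-in page.
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        return "suspicious", f"raw IP address {host!r}"

    # Punycode labels can render as lookalike Unicode characters in the address bar.
    if any(label.startswith("xn--") for label in host.split(".")):
        return "suspicious", f"internationalised (punycode) hostname {host!r}"

    if host in MICROSOFT_LOGIN_HOSTS:
        return "ok", f"known Microsoft sign-in host {host!r}"

    # The real host name used as a subdomain or fragment of another domain.
    if any(term in host for term in BRAND_TERMS):
        return "suspicious", f"lookalike hostname {host!r} is not a Microsoft sign-in host"

    return "unknown", f"{host!r} is not a known Microsoft sign-in host; check before entering credentials"


if __name__ == "__main__":
    # Constructed sample links (not real phishing URLs) that exercise each check.
    SAMPLE_LINKS = [
        "https://login.microsoftonline.com/common/oauth2/authorize?client_id=example",
        "https://login.microsoftonline.com@accounts-verify.example/login",
        "https://login.microsoftonline.com.secure-docs.example/",
        "http://login.microsoftonline.com/",
        "https://203.0.113.7/office/",
        "https://xn--micrsoft-xyz.example/",
        "https://docs-share.example/signin",
    ]
    for link in SAMPLE_LINKS:
        verdict, reason = check_login_link(link)
        print(f"{verdict:10} {link}\n           {reason}")
```

The script deliberately never fetches the page: as the section on CAPTCHAs explains, the content a scanner sees may differ from what a user sees, whereas the hostname in the link is what the browser will actually connect to. An "unknown" verdict is not a clean bill of health; it means the link leads somewhere other than Microsoft's sign-in page, which for a page asking for Microsoft 365 credentials is itself the warning sign.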
Tweet us @TranscenditUK