CAPTCHA Turns To GOTCHA: How Online Criminals Are Upping Their Phishing Game To Incorporate Fake Security Credentials

Cybersecurity firm, Proofpoint, released a new report that focuses on the human factor in cybersecurity attacks.

The results show that users continue to be the key for most malicious attacks, those involving ransomware and business email compromise (BEC).

Researchers examined over two billion emails, 35 billion URLs, 200 million attachments, and 35 million cloud accounts from last year to better understand cyberattacks that specifically target the user.                                                

According to the report, about 66 percent of malicious emails employed consumer and corporate credential phishing techniques, which is a starting point for BEC and data theft activities.

Email is still a predominant device to deliver ransomware, with 48 million messages containing malware. One quarter of all malware campaigns concealed compressed executable files in emails, which require the user to open the attachment to launch the malware. In fact, attachments turned out to be the most successful form of phishing attack, with an average of 20 percent of users clicking on the attachment.

Researchers also found that cybercriminals are increasing their use of compromised CAPTCHA, a visual puzzle that differentiates humans from computers. Although still only representing a five percent response rate, attacks that incorporated CAPTCHA had 50 times the number of clicks as 2019. Because users typically identify CAPTCHA as a security measure, they can be easily fooled.

Cybersecurity experts express concern, as cybercriminals are both increasing the volume of cyber attacks as well as improving their sophistication. D. Howard Kass "Report: Cyberattacks Typically Exploit Personal Log-ins to Launch Malicious Code" (Aug. 15, 2021).


We’ve likely all seen the CAPTCHA puzzle: click on all the squares that contain motorcycles to prove you are not a robot. It is a simple task and one that is expected when logging into secure websites. However, as the above report illustrates, cybercriminals are finding success in using this step to fool users into thinking that a site is safe.

For example, a phishing email has a link to a document, asking a user to update their financial information. The user is suspicious of such emails based on his training, but because the fake registration page has CAPTCHA steps, the user assumes the request is legitimate and provides the information, having no idea that their organization’s information is now compromised.   

Staying alert to new trends in cyber attacks and educating employees on recognizing those malicious activities must continue to be a top priority for IT professionals.

Employers need to be intentional about educating employee on phishing techniques, malicious emails, and other strategies cybercriminals use to infiltrate a network. Encourage employees to question any unexpected email, regardless of who appears to be the sender, and to independently validate any attachment before opening it, even if it contains CAPTCHA or other security features.

Finally, your opinion is important to us. Please complete the opinion survey:


Why A Balanced Approach Of Response And Preparation Is Needed For Data Security

A recent study found that IT personnel recognize how proactive risk assessment steps can minimize damage from a systems breach. However, do they have the time? Learn more. Read More

Checking For Skimmers: A Day-To-Day Security Task

Performing visual and physical security checks can help you spot credit card skimmers. Learn more about this identity theft risk. Read More

Online Account Takeover Fraud Spiking: Are Unique And Strong Passwords The Answer?

Account takeover fraud is on the rise. Read ways to protect yourself from this form of identity theft. Read More