Real World Risk Management Practical HR Resources
CAPTCHA Turns To GOTCHA: How Online Criminals Are Upping Their Phishing Game To Incorporate Fake Security Credentials

Cybersecurity firm Proofpoint released a new report that focuses on the human factor in cybersecurity attacks.

The results show that users continue to be the key to most malicious attacks, including those involving ransomware and business email compromise (BEC).

Researchers examined over two billion emails, 35 billion URLs, 200 million attachments, and 35 million cloud accounts from last year to better understand cyberattacks that specifically target the user.

According to the report, about 66 percent of malicious emails employed consumer and corporate credential phishing techniques, which are a starting point for BEC and data theft activities.

Email is still the predominant vehicle for delivering ransomware, with 48 million messages containing malware. One quarter of all malware campaigns concealed compressed executable files in emails, which require the user to open the attachment to launch the malware. In fact, attachments turned out to be the most successful form of phishing attack, with an average of 20 percent of users clicking on the attachment.

Researchers also found that cybercriminals are increasing their use of compromised CAPTCHA, the visual puzzle that differentiates humans from computers. Although still representing only a five percent response rate, attacks that incorporated CAPTCHA had 50 times the number of clicks as in 2019. Because users typically identify CAPTCHA as a security measure, they can be easily fooled.

Cybersecurity experts express concern, as cybercriminals are both increasing the volume of cyber attacks and improving their sophistication. D. Howard Kass, "Report: Cyberattacks Typically Exploit Personal Log-ins to Launch Malicious Code" (Aug. 15, 2021).


We’ve likely all seen the CAPTCHA puzzle: click on all the squares that contain motorcycles to prove you are not a robot. It is a simple task and one that is expected when logging into secure websites. However, as the above report illustrates, cybercriminals are finding success in using this step to fool users into thinking that a site is safe.

For example, a phishing email contains a link to a document, asking a user to update their financial information. The user is suspicious of such emails based on their training, but because the fake registration page includes CAPTCHA steps, the user assumes the request is legitimate and provides the information, having no idea that their organization's information is now compromised.

Staying alert to new trends in cyber attacks and educating employees on recognizing those malicious activities must continue to be a top priority for IT professionals.

Employers need to be intentional about educating employees on phishing techniques, malicious emails, and other strategies cybercriminals use to infiltrate a network. Encourage employees to question any unexpected email, regardless of who appears to be the sender, and to independently validate any attachment before opening it, even if it contains CAPTCHA or other security features.
