We’ve all seen those “CAPTCHA” boxes that ask us to click on pictures of traffic lights or crosswalks to prove we aren’t a robot. Scammers are using a convincing CAPTCHA scam to trick us into handing over the keys to our computers. Usually, a security check just asks us to click a button. However, in this new “bait-and-switch” scam, the webpage says there’s an error and provides a few “simple” steps to fix it. A legitimate website will never ask visitors to run a command or use a keyboard shortcut to prove they are human.
This impacts businesses as much as individuals. Even if someone is attacked via a personal email viewed on a business device, it’s the business that’s at risk.
Tips for employers to remind their employees:
- Close the Tab: If a site asks a visitor to open a “Run” box or paste code, it’s a CAPTCHA scam. Close the window immediately.
- Go Direct: Visitors worried about a site being blocked should, instead of following the links on the screen, type the address directly into their browser themselves.
- Create a Passkey: If users are prompted to create a passkey to log in to their accounts, they should do it! Passkeys are more secure than passwords because they don’t require the user to remember anything, and they aren’t subject to a data breach.
- Use MFA: Always turn on Multi-Factor Authentication (MFA). Even if a criminal steals a user’s password, MFA acts like a second deadbolt on the user’s door that the criminal can’t unlock.
