CAPTCHA Turns To GOTCHA: How Online Criminals Are Upping Their Phishing Game To Incorporate Fake Security Credentials

Cybersecurity firm Proofpoint has released a new report on the human factor in cybersecurity attacks.

The results show that users remain the key to most malicious attacks, including those involving ransomware and business email compromise (BEC).

Researchers examined over two billion emails, 35 billion URLs, 200 million attachments, and 35 million cloud accounts from last year to better understand cyberattacks that specifically target the user.

According to the report, about 66 percent of malicious emails used consumer or corporate credential phishing, which is typically the starting point for BEC and data theft.

Email is still the predominant vehicle for delivering ransomware, with 48 million messages containing malware. One quarter of all malware campaigns concealed compressed executable files in email attachments, which require the user to open the attachment before the malware runs. In fact, attachments turned out to be the most successful phishing lure, with an average of 20 percent of recipients opening them.

Researchers also found that cybercriminals are increasingly placing CAPTCHA challenges, the visual puzzles that distinguish humans from bots, in front of their phishing pages. Although these campaigns still drew only a five percent response rate, attacks that incorporated a CAPTCHA received 50 times as many clicks as in 2019. Because users recognize CAPTCHA as a security measure, its presence makes a fraudulent page look legitimate. The challenge also stops automated URL scanners and sandboxes, which cannot solve it, from ever reaching the credential-harvesting form behind it.

Cybersecurity experts express concern because cybercriminals are both increasing the volume of attacks and improving their sophistication. D. Howard Kass "Report: Cyberattacks Typically Exploit Personal Log-ins to Launch Malicious Code" (Aug. 15, 2021).


We’ve likely all seen the CAPTCHA puzzle: click on all the squares that contain motorcycles to prove you are not a robot. It is a simple task, and one we expect when logging into secure websites. However, as the report above illustrates, cybercriminals are using that very step to convince users that a site is safe.

For example, a phishing email contains a link to a document and asks the user to update financial information. The user's training makes them suspicious of such emails, but because the fake registration page presents a CAPTCHA challenge, they assume the request is legitimate and enter the information, with no idea that their organization's data is now compromised.
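To make the pattern in that scenario concrete for a security operations team, here is an added detection example; it is not from the Proofpoint report or the cited article. It assumes a web-proxy log with the layout "timestamp user method URL status referer", a hypothetical allow-list of the organization's real sign-in hosts, and constructed sample lines. It flags any user who loaded a CAPTCHA widget embedded by a host outside that allow-list and then submitted a form to that same host within ten minutes, which is exactly the sequence the fake registration page produces.

```python
"""Flag CAPTCHA-gated form submissions to unknown hosts in proxy logs.

Added example. The log layout, the allow-list and the sample lines are all
assumptions constructed for illustration, not real telemetry.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Assumed allow-list: hosts the organization legitimately signs in to.
KNOWN_LOGIN_HOSTS = {
    "sso.example-corp.com",
    "login.microsoftonline.com",
    "accounts.google.com",
}

# Loading one of these resources means the embedding page showed a CAPTCHA.
CAPTCHA_RESOURCE = re.compile(r"recaptcha|hcaptcha|captcha", re.IGNORECASE)

# Assumed proxy log layout: timestamp user method url status referer
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>GET|POST) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<referer>\S+)$"
)

# How long after the CAPTCHA load a POST still counts as the same flow.
WINDOW = timedelta(minutes=10)

# Constructed sample: alice follows a phishing link (flagged), bob signs in
# to the real SSO page that also uses a CAPTCHA (ignored), carol loads a
# CAPTCHA on a news site and posts a comment hours later (outside window).
SAMPLE_LOG = """\
2021-08-16T09:12:03Z alice GET https://docs-billing-update.example/invoice 200 -
2021-08-16T09:12:04Z alice GET https://www.google.com/recaptcha/api.js 200 https://docs-billing-update.example/invoice
2021-08-16T09:12:31Z alice POST https://docs-billing-update.example/verify 302 https://docs-billing-update.example/invoice
2021-08-16T09:15:10Z bob GET https://sso.example-corp.com/login 200 -
2021-08-16T09:15:11Z bob GET https://www.google.com/recaptcha/api.js 200 https://sso.example-corp.com/login
2021-08-16T09:15:40Z bob POST https://sso.example-corp.com/login 302 https://sso.example-corp.com/login
2021-08-16T10:02:00Z carol GET https://news.example/article 200 -
2021-08-16T10:02:01Z carol GET https://hcaptcha.com/1/api.js 200 https://news.example/article
2021-08-16T13:30:00Z carol POST https://news.example/comment 200 https://news.example/article
"""


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["host"] = urlparse(rec["url"]).hostname or ""
    if rec["referer"] == "-":
        rec["referer_host"] = ""
    else:
        rec["referer_host"] = urlparse(rec["referer"]).hostname or ""
    return rec


def find_captcha_gated_submissions(lines, window=WINDOW):
    """Return (user, host, captcha_ts, post_ts) for each suspicious sequence.

    A sequence is: the user loads a CAPTCHA resource on behalf of a page whose
    host is not a known login host, then POSTs to that same host within
    `window`. A CAPTCHA on a real login page is ignored, and a POST long after
    the CAPTCHA is treated as unrelated.
    """
    records = [r for r in map(parse_line, lines) if r]
    records.sort(key=lambda r: r["ts"])
    pending = {}  # (user, gating host) -> time the CAPTCHA widget was loaded
    hits = []
    for r in records:
        if r["method"] == "GET" and CAPTCHA_RESOURCE.search(r["url"]):
            gate = r["referer_host"]
            if gate and gate not in KNOWN_LOGIN_HOSTS:
                pending[(r["user"], gate)] = r["ts"]
        elif r["method"] == "POST":
            key = (r["user"], r["host"])
            seen = pending.pop(key, None)
            if seen is not None and r["ts"] - seen <= window:
                hits.append((r["user"], r["host"], seen, r["ts"]))
    return hits


if __name__ == "__main__":
    for user, host, captcha_ts, post_ts in find_captcha_gated_submissions(
        SAMPLE_LOG.splitlines()
    ):
        print(f"{user} submitted a form to {host} {post_ts - captcha_ts} "
              f"after a CAPTCHA gate was shown; review for credential theft")
```

The referer ties the CAPTCHA widget to the page that embedded it, which is what lets the rule tell a phishing gate apart from the same widget on a legitimate sign-in page. If the proxy does not record referers, key on the user's most recent page GET instead, and tune the window to how long a victim realistically spends on the form. Because the CAPTCHA keeps automated link scanners from seeing the form, the victim's own session telemetry is often the only place this pattern is visible.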

Staying alert to new trends in cyber attacks and educating employees on recognizing those malicious activities must continue to be a top priority for IT professionals.

Employers need to be intentional about educating employees on phishing techniques, malicious emails, and the other strategies cybercriminals use to infiltrate a network. Encourage employees to question any unexpected email, regardless of who appears to have sent it, and to independently validate any link or attachment before acting on it, even when the page behind it presents a CAPTCHA or another apparent security feature.
