Phishing Sites Use CAPTCHA to Avoid Detection

A growing number of phishing websites use CAPTCHA products in order to appear legitimate. For those who are unfamiliar, a CAPTCHA is a security feature that helps identify the user as a human rather than a bot. This helps websites avoid hundreds to thousands of automated user requests. Because so many major brands use CAPTCHAs on their websites, they seem to be becoming synonymous with legitimacy.

There are two reasons why phishing sites may be doing this. Adding a CAPTCHA can help evade systems that are designed to detect phishing websites, and it also makes the website seem legitimate, as most websites that have a CAPTCHA are secure websites. This can lead users to create accounts on fraudulent websites and puts them at risk of losing their personal information.

Seems difficult to do, right? Google makes it easy to get a reCAPTCHA (Google’s version of CAPTCHA), requiring only that the user sign up with Google. They then get an API key, which they can add to their websites. Until Google analyzes requests more closely, it’s easy for scammers to use these to create a false sense of security.
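A scanner-side check for the evasion described above, as an added example that is not from the original article: it marks a fetched page that shows only a reCAPTCHA widget as inconclusive instead of clean, so it can be queued for manual or browser-based review. The sample pages, class and function names, and verdict labels are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts that serve Google's reCAPTCHA loader script (/recaptcha/api.js).
RECAPTCHA_HOSTS = {"www.google.com", "www.recaptcha.net"}

class GateFinder(HTMLParser):
    """Collects reCAPTCHA markers and credential fields from one HTML page."""
    def __init__(self):
        super().__init__()
        self.recaptcha = False
        self.site_key = None
        self.password_field = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "script":
            u = urlparse(a.get("src", ""))
            if u.hostname in RECAPTCHA_HOSTS and u.path.startswith("/recaptcha/"):
                self.recaptcha = True
        if "g-recaptcha" in a.get("class", "").split():
            self.recaptcha = True
            self.site_key = a.get("data-sitekey") or self.site_key
        if tag == "input" and a.get("type", "").lower() == "password":
            self.password_field = True

def scan_verdict(html):
    """Return (verdict, site_key). Verdict labels are hypothetical."""
    f = GateFinder()
    f.feed(html)
    if f.recaptcha and not f.password_field:
        # The crawler only saw the challenge; the real content is still hidden.
        return ("inconclusive_captcha_gate", f.site_key)
    if f.password_field:
        return ("analyze_login_form", f.site_key)
    return ("no_login_content", f.site_key)

# Constructed sample pages (not captured from any real site).
GATED = """<html><head><script src="https://www.google.com/recaptcha/api.js"></script></head>
<body><form><div class="g-recaptcha" data-sitekey="EXAMPLE-SITE-KEY"></div></form></body></html>"""
LOGIN = '<form><input type="text" name="u"><input type="password" name="p"></form>'
PLAIN = "<html><body><p>Welcome</p></body></html>"

if __name__ == "__main__":
    for name, page in (("gated", GATED), ("login", LOGIN), ("plain", PLAIN)):
        print(name, scan_verdict(page))
```

Recording the `data-sitekey` value alongside the verdict lets an analyst group gated pages that share the same key.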

Having the right awareness training program can help employees identify phishing sites and emails. Many data breaches are a direct result of a simple phishing attack.
