The most obvious tricks can be seen in phishing emails, which tend to have poor grammar and spelling. Other flimsy attempts include fake websites, landing pages and text messages. Scammers seem to switch up their tactics just as it looks like people are starting to catch on. And now, a campaign targeting Microsoft Office users is trying out a new trick to look more legitimate: CAPTCHAs. These security checks are used by real login pages all over the web — and scammers are hoping you’ll fall for it, too.

Scammers are using real security checks for fake login pages

Microsoft Office 365 users should keep a sharp eye out for phishing campaigns as the year goes on. Malicious Office documents are one of the most common ways hackers are stealing passwords and infecting computers — and they’re hijacking accounts to spread even more malware. But it’s not just fake Office documents that are bothering security researchers. A new trend discovered by Menlo Security shows a major phishing campaign using CAPTCHAs on its landing pages to make the phony logins look more realistic.

In case you don’t know, CAPTCHAs are those weird boxes some websites have you check to prove you’re not a robot. This can include anything from ticking a box to clicking on pictures with taxi cabs in them. CAPTCHAs are designed to stop bots and hackers from using a website, so the fact that phishing campaigns are using them is a bit ironic. The intent isn’t to protect the pages, though, but to make victims feel safer using them.

What’s more, the campaign discovered by Menlo Security doesn’t just use one CAPTCHA but three of them. It starts with a fake email that asks victims to reset their Microsoft Office password. After clicking the link, victims must pass three separate CAPTCHAs before being asked to enter their Microsoft Office account info. And once a victim does, the data is stolen.

It might seem funny from a distance, but the addition of CAPTCHAs isn’t just to lull victims into a false sense of security. Automated security software that checks for phishing sites may have a harder time detecting these pages thanks to the CAPTCHAs the hackers added.

How can I protect myself from this campaign?

If you ever get a password reset link in an email that you didn’t request, tread cautiously. Hover over the link with your mouse (without clicking) and check that the link goes to an official website. If it goes anywhere else, ignore the message and delete it.

It’s also worth remembering that login information should never be shared anywhere online except on official websites and login pages. This means only logging into your Microsoft Office account through Microsoft.com, Office.com or the app itself. The same goes for social media sites and other sensitive apps.

To protect your logins, one of the best things you can do is set up two-factor authentication. Even if a phishing campaign somehow steals your password, the scammers would need physical access to your smartphone to actually log in. As a bonus, you’ll also get an alert when someone tries to log into your account. That’s a good sign it’s time to change your password.

Phishing campaigns can be highly effective if you don’t know what you’re up against. Now that you know the tricks these scammers are pulling, you can keep yourself safe online without too much effort. Just remember to stay skeptical.
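The "check where the link really goes" step can be automated. The Python sketch below is an added example, not part of the original article; the function names, the HTTPS-only rule and the choice to accept subdomains of the two domains the article names are assumptions.

```python
from urllib.parse import urlsplit

# Sign-in domains the article names as official.
OFFICIAL_DOMAINS = ("microsoft.com", "office.com")


def link_host(url):
    """Return the host a browser would connect to, or None if unusable."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return None
    # Assumption: only HTTPS links are acceptable for a sign-in page.
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.rstrip(".")


def is_official_link(url, official=OFFICIAL_DOMAINS):
    """True only if the link's real host is an official domain or a subdomain."""
    host = link_host(url)
    if host is None:
        return False
    # Reject lookalike letters: non-ASCII hosts and their punycode (xn--) form.
    if not host.isascii() or any(l.startswith("xn--") for l in host.split(".")):
        return False
    # Match on a label boundary, so "office.com.reset-example.net" fails.
    return any(host == d or host.endswith("." + d) for d in official)


# Constructed sample links (not taken from the campaign).
SAMPLE_LINKS = [
    "https://www.office.com/",
    "https://account.microsoft.com/password/reset",
    "https://office.com.reset-example.net/login",   # official name as a prefix
    "https://office.com@login.example.net/",        # official name before '@'
    "https://micros0ft.com/",                       # digit swapped for a letter
    "http://www.office.com/",                       # not HTTPS
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        verdict = "official" if is_official_link(link) else "NOT official"
        print(f"{verdict:12}  {link_host(link)}  <-  {link}")
```

A link that passes this check can still redirect elsewhere after it is clicked, so the address bar is worth a second look before any password is typed.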