- CypherLoc tricks users into believing their browser is completely blocked
- Fake support numbers lead victims directly into identity theft traps
- Phishing emails remain the main entry point for the scam
A massive wave of digital hoax has swept the internet since early 2026, catching millions of people off guard with a clever browser trick.
Security researchers at Barracuda have warned how a strain called CypherLoc has targeted approximately 2.8 million people through phishing and psychological manipulation.
Unlike traditional malware that actually damages files or systems, this attack relies solely on making users believe that they have lost control of their own machines.
The mechanics of digital deception
The process typically begins with a phishing email containing a malicious link or infected attachment.
Clicking on this link takes the user to what at first appears to be a completely harmless web page, although this calmness is simply a disguise.
Megharaj Balaraddi, associate threat analyst at Barracuda, notes that scareware activates only under certain conditions, such as when a system lacks adequate security scanning tools.
This activation allows the attack to bypass standard detection methods while keeping the malicious page hidden from automated security controls.
Once activated, the browser transforms into what appears to be a digital prison with no obvious escape route.
The attack forces full screen mode, disables standard context menus, hides the cursor, and covers everything with alarming security messages.
A fraudulent support phone number appears highlighted on the screen as the supposed only solution to this manufactured crisis.
When users click anywhere or try to regain control, the browser emits warning sounds that further increase their panic and confusion.
The attackers added several layers of emotional manipulation to make their plan more convincing than older scareware variants, with CypherLoc retrieving and displaying the victim’s public IP address directly on the screen, a move designed to personalize the threat and intensify fear.
“Displaying this IP address is a psychological tactic, designed to make the warning seem personal and increase the sense of urgency,” explains Balaraddi in his analysis of the campaign.
A fake login pop-up also appears, and its inevitable failure to work only deepens the user’s growing sense of desperation.
When frightened victims finally call the displayed number, human operators posing as Microsoft support staff take over the conversation.
From this point, scammers can extract banking details, passwords, payment information or any other sensitive data they wish to obtain.
How to stay safe
To stay safe, users should Be very careful when checking your inboxes, social media feeds, or any text messages that arrive from unknown senders.
The CypherLoc campaign is successful primarily because it feeds on human fear rather than any sophisticated technical violation of your actual system, so messages that invoke a strong sense of urgency should raise immediate suspicion, as scammers deliberately pressure you to click or call without thinking clearly.
Avoid clicking on links or downloading attachments from people you don’t know personally and completely trust.
Installing reliable antivirus software provides a critical layer of defense against many threats, including scareware that attempts to exploit browser vulnerabilities.
Some identity theft protection services also include antivirus tools, offering multiple layers of security within a single subscription for those looking for additional protection.
Legitimate security alerts never crash your browser, don’t display phone numbers you can call, and never demand immediate action via pop-ups.
Through cyber news
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.
