- CypherLoc tricks users into thinking their browser is completely locked
- Fake support numbers lead victims directly into identity theft traps
- Phishing emails remain the main entry point for the scam
A massive wave of digital fraud has swept the internet since early 2026, catching millions off guard with a clever browser trick.
Security researchers at Barracuda have warned how a strain called CypherLoc has targeted around 2.8 million people through phishing and psychological manipulation.
Unlike traditional malware that actually damages files or systems, this attack relies entirely on tricking users into thinking they’ve lost control of their own machines.
The mechanics behind digital deception
The process typically starts with a phishing email, which either contains a malicious link or an infected attachment.
Clicking on this link directs the user to what at first appears to be a completely harmless web page, although this calmness is just a disguise.
Barracuda associate threat analyst Megharaj Balaraddi notes that scareware is only activated under certain conditions, such as when a system lacks proper security scanning tools.
This enablement allows the attack to avoid standard detection methods while keeping the malicious side hidden from automatic security checks.
Once activated, the browser turns into what feels like a digital prison with no obvious escape route.
The attack forces full-screen mode, disables standard context menus, hides the cursor, and covers everything with alarming security messages.
A fraudulent support phone number is prominently displayed on the screen as the supposed only solution to this manufactured crisis.
When users click anywhere or try to regain control, the browser emits warning sounds that further escalate their panic and confusion.
The attackers added several layers of emotional manipulation to make their plan more convincing than older scareware variants, where CypherLoc retrieved and displayed the victim’s public IP address directly on the screen, a move designed to personalize the threat and intensify fear.
“Displaying this IP address is a psychological tactic, designed to make the warning feel personal and increase the sense of urgency,” explains Balaraddi in his analysis of the campaign.
A bogus login pop-up also appears, and its inevitable failure only adds to the user’s growing sense of desperation.
When frightened victims finally call the displayed number, human operators pretending to be Microsoft support staff take over the conversation.
From this point, the fraudsters can extract bank details, passwords, payment details or any other sensitive data they want to obtain.
How to stay safe
To remain secure, users must use extreme caution when checking their inboxes, social media feeds, or text messages that come from unknown senders.
The CypherLoc campaign succeeds primarily because it preys on human fear rather than a sophisticated technical breach of your actual system – so messages that evoke a strong sense of urgency should raise immediate suspicion as scammers are deliberately pushing you to click or call without thinking clearly.
Avoid clicking on links or downloading attachments from people you do not know personally and trust completely.
Installing reliable antivirus software provides a critical layer of defense against many threats, including scareware that tries to exploit browser vulnerabilities.
Some identity theft protection services also include antivirus tools that offer multiple layers of security within a single subscription for those looking for extra protection.
Legitimate security alerts never lock your browser, don’t display phone numbers you can call, and never require immediate action through pop-ups.
Via Cyber news
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
