
Email bombs and fake CAPTCHAs: A social engineering survival guide

Educate yourself and your organization’s users about two increasingly popular social engineering schemes: email bombing and paste and run

Red Canary Intelligence

Social engineering is not about hacking computers; it’s about hacking people. It’s a manipulative tactic that exploits human psychology, trust, and digital conditioning to trick individuals into divulging confidential information, granting unauthorized access, or performing actions that compromise security.

This year, Red Canary has consistently observed two social engineering campaigns that adversaries use to gain access to a corporate environment:

• Email bombing: a technique that involves flooding a victim’s inbox with spam email, followed by a phone scam to trick the victim into providing remote access to their computer.

• Paste and run (aka ClickFix, fakeCAPTCHA): a technique used to fool users into running malicious code by taking advantage of users’ digital conditioning to get past CAPTCHA-style messages or “fix” requests.

We’ve created a free handout for educating your users about what to look for and how to stay ahead of these emerging social engineering trends.

 
