
Security researchers have uncovered a new social engineering scam that uses deceptive pop-ups and fake warnings to trick users into believing their device has been compromised, prompting them to use fraudulent IT helpdesks.
This strain is a particularly sophisticated, browser-based version, security firm Barracuda warns, as the malicious code is hidden and can only be activated if the right (poor) security conditions are in place.
The so-called “scareware” con – dubbed “CypherLoc” – has been used in around 2.8 million attacks since the start of 2026, according to Barracuda associate threat analyst Megharaj Balaraddi.
Balaraddi explains the attack usually starts with a phishing email that directs the victim to a malicious web page through a link that’s either embedded in the email body or in an attachment.
A “harmless” web page is loaded, and the scareware is only triggered if the conditions are right: the lack of a security scanner, for instance.
“This hides the attack from security tools,” Balaraddi points out.
What follows is a series of “alarming looking” security messages that take over the screen and are designed to scare the user into calling a fake IT helpdesk.
“CypherLoc actively restricts user activity by taking over in full-screen mode, disabling context menus, hiding the cursor, and blanketing the screen with overlays,” Balaraddi said.
Psychological tactics
The researcher adds that the scareware also uses audio as a psychological tactic to pile on the pressure, emitting a warning sound whenever the user attempts to click or take control.
“This extra noise and activity can slow the browser down, make it glitchy or even cause it to crash, which makes analysis harder.”
Barracuda threat analyst Megharaj Balaraddi
The malware also attempts to “shame” users by retrieving and displaying their IP address.
“Showing this IP address is a psychological tactic, designed to make the warning feel personalized and increase the sense of fear and urgency,” Balaraddi warns.
Additionally, a login popup is shown to the user, which escalates the sense of panic when it doesn’t work.
Throughout the attack, a fraudulent support phone number is prominently displayed on the screen and is presented as the only way to fix the problem.
At this point, human operators posing as Microsoft support staff take over and continue the scam via a live conversation.
While it’s not clear what the motives of the attack are, the malware would be useful for a social engineer skilled at eliciting high-value credential information, such as bank details, passwords, and payment data.
“CypherLoc shows how modern scareware is shifting away from obvious malware and towards browser-based, user-driven scams that are difficult to detect and highly effective.”
Barracuda Threat Analysis team manager, Saravanan Mohankumar
Barracuda warns users to be aware of phishing campaigns and behaviors that pressure them to call or click on links, and emphasizes that legitimate security alerts do not display phone numbers, do not lock browsers, and do not demand immediate action via pop-ups.
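A defender-side illustration of the behaviours listed above, added here as an example (not Barracuda's code or detection logic): a static heuristic that scores page source for the lock-in combination of full-screen requests, disabled context menu, hidden cursor, audio on interaction and a displayed support phone number. The indicator names, weights, threshold and both sample pages are constructed assumptions.

```javascript
// Added example. Weights and THRESHOLD are illustrative assumptions, not tuned values.
const INDICATORS = [
  { id: "fullscreen",  weight: 2, re: /requestfullscreen\s*\(/i },
  { id: "contextmenu", weight: 1, re: /oncontextmenu\s*=|addEventListener\(\s*['"]contextmenu['"]/i },
  { id: "cursor",      weight: 2, re: /cursor\s*:\s*none|\.cursor\s*=\s*['"]none['"]/i },
  { id: "audio",       weight: 1, re: /new\s+Audio\s*\(|<audio\b|\.play\s*\(\s*\)/i },
  // A phone number shown next to a call-to-action word.
  { id: "phone",       weight: 2, re: /(call|support|helpdesk)[^<]{0,80}?\+?\d[\d\s().-]{8,}\d/i },
];
const THRESHOLD = 5; // one or two indicators alone are common on legitimate pages

// Returns which indicators matched, the summed weight, and the verdict.
function scoreLockIn(source) {
  const matched = INDICATORS.filter((i) => i.re.test(source));
  const score = matched.reduce((sum, i) => sum + i.weight, 0);
  return { hits: matched.map((i) => i.id), score, suspicious: score >= THRESHOLD };
}

// Constructed sample: a page combining every behaviour the article lists.
const LOCK_SAMPLE = `
<body oncontextmenu="return false" style="cursor: none">
<div class="overlay">Your PC is blocked. Call Support: 1-800-555-0100</div>
<script>
  const beep = new Audio("alert.mp3");
  document.addEventListener("click", () => {
    document.documentElement.requestFullscreen();
    beep.play();
  });
</script></body>`;

// Constructed sample: a video player that legitimately uses full screen and playback.
const BENIGN_SAMPLE = `
<video id="v" src="talk.mp4"></video><button id="fs">Full screen</button>
<script>fs.onclick = () => { v.requestFullscreen(); v.play(); };</script>`;

console.log(scoreLockIn(LOCK_SAMPLE));
console.log(scoreLockIn(BENIGN_SAMPLE));
```

Because the article describes the malicious code as hidden until the right conditions are met, a check like this is more useful on the rendered DOM captured in a sandbox than on the initial HTTP response.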