Skip to main content
    New Scam Tricks You Into Giving Away Passwords With Fake Fix-It Messages
    AI
    2 min read

    New Scam Tricks You Into Giving Away Passwords With Fake Fix-It Messages

    Criminals are using fake error messages that ask you to click buttons to fix problems. The clicks actually steal your passwords and files.

    Source

    Microsoft Security Blog

    Original headline: ACR Stealer: Two observed intrusion chains amid increased threat activity

    Plain-English summary by GetCyberRight. Read the full report at the source above.

    Published Thursday, July 16, 2026Updated Friday, July 17, 20262 min read
    Share:

    A sophisticated scam called ACR Stealer has been targeting people at work by showing fake error messages or security alerts. When you click on what looks like a helpful button to fix the problem, you are actually giving criminals access to steal your saved passwords, login information, and personal documents. Microsoft observed increased activity of these attacks from late April 2026 to mid-June 2026, successfully compromising multiple business environments. This threat primarily affects people using work computers, but the same tactics can appear on personal devices. The scam uses something called ClickFix lures, which means the fake messages are designed to look like legitimate system alerts asking you to click a button to resolve an issue. Once clicked, the malware steals browser credentials (saved passwords in Chrome, Firefox, Edge), authentication tokens that keep you logged into websites, and sensitive documents from your computer.

    If you use a work computer, report any suspicious pop-up messages or alerts to your IT department immediately before clicking anything. Do not click on unexpected buttons or prompts that claim to fix errors, even if they look official. At home, follow these steps:

    1. Never click on pop-up messages asking you to fix problems unless you initiated the action yourself.
    2. If you think you may have clicked on something suspicious, immediately change passwords for important accounts like email, banking, and social media.
    3. Check your browser settings and remove any saved passwords, then re-enter them only on legitimate websites.
    4. Enable two-factor authentication on all accounts that offer it. Develop a habit of questioning unexpected messages. Legitimate error messages from your computer or software rarely ask you to click a single button to fix everything. When in doubt, close the message and manually open the program or website yourself rather than clicking links in pop-ups. Keep your computer and browser updated, as security updates help protect against these types of attacks.

    Protect Yourself

    Stay one step ahead with our free family cybersecurity tools. Check links, scan for breached accounts, and get personalized risk assessments.

    Found this useful?

    Share it with someone who could use a heads-up.

    Share:

    Curated from trusted cybersecurity sources by GetCyberRight

    Source: Microsoft Security Blog

    Discussion

    0

    Sign in to join the discussion.

    Stay ahead of cyber threats

    Get our free weekly digest. Real threats, plain language, what to do about them. No spam, ever.