
New Scam Tricks You Into Giving Away Passwords With Fake Fix-It Messages
Criminals are using fake error messages that ask you to click buttons to fix problems. The clicks actually steal your passwords and files.
Source
Microsoft Security Blog
Original headline: ACR Stealer: Two observed intrusion chains amid increased threat activity
Plain-English summary by GetCyberRight. Read the full report at the source above.
A sophisticated scam called ACR Stealer has been targeting people at work by showing fake error messages or security alerts. When you click on what looks like a helpful button to fix the problem, you are actually giving criminals access to steal your saved passwords, login information, and personal documents. Microsoft observed increased activity of these attacks from late April 2026 to mid-June 2026, successfully compromising multiple business environments. This threat primarily affects people using work computers, but the same tactics can appear on personal devices. The scam uses something called ClickFix lures, which means the fake messages are designed to look like legitimate system alerts asking you to click a button to resolve an issue. Once clicked, the malware steals browser credentials (saved passwords in Chrome, Firefox, Edge), authentication tokens that keep you logged into websites, and sensitive documents from your computer.
If you use a work computer, report any suspicious pop-up messages or alerts to your IT department immediately before clicking anything. Do not click on unexpected buttons or prompts that claim to fix errors, even if they look official. At home, follow these steps:
- Never click on pop-up messages asking you to fix problems unless you initiated the action yourself.
- If you think you may have clicked on something suspicious, immediately change passwords for important accounts like email, banking, and social media.
- Check your browser settings and remove any saved passwords, then re-enter them only on legitimate websites.
- Enable two-factor authentication on all accounts that offer it. Develop a habit of questioning unexpected messages. Legitimate error messages from your computer or software rarely ask you to click a single button to fix everything. When in doubt, close the message and manually open the program or website yourself rather than clicking links in pop-ups. Keep your computer and browser updated, as security updates help protect against these types of attacks.
Curated from trusted cybersecurity sources by GetCyberRight
Source: Microsoft Security BlogStay ahead of cyber threats
Get our free weekly digest. Real threats, plain language, what to do about them. No spam, ever.
More articles

New Scam Tricks Users Into Installing Password Stealing Software. Here's How to Avoid It
ACR Stealer uses fake error messages to trick people into running commands that steal passwords and sensitive files from their computers.
2 min read
AI Chatbots Are Getting More Powerful: What Parents Should Know About Safety
AI assistants are becoming more autonomous and gaining access to more of your data. Microsoft is working on better security controls for these tools.
2 min read
AI Tools Are Getting Smarter: What Parents Should Know About Security
As AI assistants become more capable, tech companies are working to ensure they can't access too much of your information. Here's what's changing.
2 min readWhy Your Privacy Needs More Than Just Your Permission: Understanding New Protection Ideas
Privacy expert argues that letting people control their own data is not enough. Companies should be held responsible like we do with food and drug safety.
2 min read