That 'I'm Not a Robot' Click Is Sending Texts to 17 Countries Without You Knowing

Fake CAPTCHA Pages Are Quietly Dialing Premium-Rate Numbers the Moment You Click

Picture clicking a standard-looking CAPTCHA box on a website — the familiar "I'm not a robot" step most people do without thinking — and then going about your day. Weeks later, your phone bill arrives with charges you don't recognize. According to Kraven Security, that's exactly what a wave of fake CAPTCHA pages is doing: the moment a visitor clicks the fake verification button, a hidden tel: URI silently auto-dials premium-rate international numbers, generating instant fraud revenue before the person realizes anything has happened.

The pages are designed to exploit the muscle memory of clicking "Verify." Kraven Security describes the scheme as a "ClickFix"-style attack — the same social-engineering pattern being used across multiple threat campaigns this week. The numbers being dialed are controlled by the fraudsters, who profit through what the telecom industry calls International Revenue Share Fraud: carriers pay termination fees for routing international calls, and the attackers collect a cut of those fees on each connection made.

Victims typically don't discover the charges until their next billing cycle, by which time the money has already moved. If any charge on your phone bill shows international call traffic you didn't initiate, contact your carrier directly and report it to the FTC at reportfraud.ftc.gov.

Gobble's Take: A legitimate CAPTCHA never needs to open your dialer — if one does, close the tab immediately.

Source: Kraven Security

Tech Giants Built Empires on Bad Customer Service — And It Worked

A Hacker News thread dissecting Anthropic's support failures landed on a broader observation: companies like Google proved that terrible customer service doesn't hurt the bottom line. One commenter put it plainly — Anthropic doesn't even use its own tools for customer support, relying on fin.ai instead. The implicit lesson copied from Google: if users have nowhere else to go, support doesn't matter.

The thread zeroed in on Google's model specifically. Commenters noted that Google provides no human support to advertisers unless spend reaches enormous scale. One user described spending $20–30k per month with Google on ads and never receiving a single reply to any inquiry. Another noted that $100–200k per month gets you an "Account Strategist" who rotates every 3–6 months and whose advice boils down to "spend more." The consensus: Google isn't really a software or cloud company — it's an ad company, and everything else exists to serve that core.

The same dynamic was noted across Meta, TikTok, and others. Several commenters argued that the real business models of major tech companies are widely misunderstood — Netflix licenses content, Facebook sells access to a people database, and so on. The deeper frustration: when your product is the user, there's no incentive to actually serve them.

Gobble's Take: When a company has a monopoly on your attention, "customer service" is just a cost center they've already decided to eliminate.

Source: Hacker News

Four Things in a Legitimate-Looking Email That Actually Signal a Scam

Security researchers and consumer advocates have documented a shift in phishing emails: the obvious spelling errors and awkward phrasing that once marked a scam are largely gone. According to a review published by Women in Experimentation, today's fraudulent emails are often visually polished and structurally convincing — which makes the remaining tells worth knowing specifically.

The first pattern researchers flag is a domain that contains a familiar brand name but isn't the brand's actual root domain. An address like "yourbrand-support.com" is not the same as "yourbrand.com," even though it looks close at a glance. The second is vague personalization — language like "Dear valued customer" or references that could apply to any account holder, with no specific detail about your actual account or recent activity. Legitimate companies typically include at least one piece of identifying information (a partial account number, a recent transaction date) in account-related emails.

The third signal is the absence of any real name or verifiable contact behind the message — generic sender addresses or a "contact us" link that leads nowhere specific. The fourth is a single prominent link or button with no alternative way to reach the company — scammers want one click path and prefer you don't go looking for a phone number or an official website independently. If any combination of these appears in an email asking you to act quickly, researchers advise navigating directly to the company's official website by typing the address yourself rather than clicking any link in the message.

Gobble's Take: When in doubt, type the company's web address yourself — that single habit sidesteps most of what's described here.

Source: Women in Experimentation

In Case You Missed It

Yesterday's top stories:

• The Digital Trap: How Social Media Became a $2.1 Billion Goldmine for Scammers