Verification Theater

The FTC is getting new reports daily of fake CAPTCHA screens asking people to type malware commands, because protecting yourself from bots apparently now requires becoming one

Scammers created phishing pages that look like legitimate security checkpoints but ask you to run Windows commands that install malware. Real CAPTCHAs never ask for keyboard shortcuts. This one asks for your entire digital life.

What's Happening

The FTC is receiving multiple reports of scammers deploying fake CAPTCHA pages on phishing sites and emails. The page looks legitimate — similar design, professional appearance — but instead of asking you to identify pictures of fire hydrants or buses, it tells you to type keyboard commands.

The fake screen says something like: "For security verification, please press Windows+R, then Ctrl+V, then Enter." When you do, you're not verifying anything. The page's script has already copied a command to your clipboard (a web page can do that once you click on it). Windows+R opens the Windows Run box, Ctrl+V pastes that command into it, and Enter runs it. The command, typically a one-liner for PowerShell or another built-in script host, then downloads and launches the malware.

Once it runs, the malware can hand scammers your email login, mobile banking credentials, cryptocurrency wallets, and any other saved passwords or logged-in sessions on the device.

Why It Works

CAPTCHAs are familiar enough that most people recognize them. We've all seen them. We know the drill: click the boxes, verify you're human, move on. So when a screen that looks like a CAPTCHA tells you to do something, your brain's alarm system doesn't trigger as loudly.

The malware isn't delivered as a suspicious attachment or a sketchy link. It's delivered as a keyboard command. It's "just" verification. Everyone verifies. What could go wrong?

Everything. Everything goes wrong.

What the FTC Says to Do

The FTC's warning is clear: Real CAPTCHAs will never ask you to type keyboard commands. If a CAPTCHA screen asks you to press Windows+R, Ctrl+V, or any keyboard shortcut, it is not a CAPTCHA. It is a scam.

If you realize you've been hit by this scam:

  1. Disconnect from the internet immediately to cut the malware off from the scammers' servers and stop it sending out more of your data
  2. Run a security scan (Windows Defender, Malwarebytes, or similar) to find and remove the malware
  3. Keep your operating system and apps fully updated to patch any vulnerabilities
  4. Change all your passwords using a different device (so the malware doesn't capture the new ones)
  5. Enable two-factor authentication on every account that matters
  6. Report it to the FTC at ReportFraud.ftc.gov
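If you are not sure whether you actually pressed Enter on one of these screens, Windows keeps a history of what was typed into the Run box, and the pasted command usually lands there. The script below is an added example for checking that history; it is not part of the FTC alert, and the list of suspicious words in it is an assumption chosen for illustration, not an exhaustive signature.

```powershell
# Added example (not from the FTC alert): list what was typed into the Windows Run box
# and flag entries that look like a fake-CAPTCHA "verification" command.
# The Run dialog stores its history under HKCU\...\Explorer\RunMRU: each entry is a
# single-letter value whose data ends in "\1", and MRUList gives most-recent-first order.
$key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Words commonly seen in the pasted one-liner: a script host plus a download primitive.
# This list is an assumption for illustration only.
$suspicious = 'powershell', 'pwsh', 'mshta', 'cmd', 'curl', 'wget', 'iwr', 'invoke-webrequest',
              'downloadstring', 'iex', 'invoke-expression', '-enc', '-e ', 'hidden', 'bypass',
              'http://', 'https://', '\\'

if (-not (Test-Path $key)) {
    Write-Host 'No Run-box history found for this user account.'
    return
}

$props = Get-ItemProperty -Path $key
$order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }

foreach ($slot in $order) {
    $name = [string]$slot
    $raw  = $props.$name
    if (-not $raw) { continue }
    $cmd  = $raw -replace '\\1$', ''           # strip the trailing "\1" marker
    $hits = $suspicious | Where-Object { $cmd -match [regex]::Escape($_) }
    $flag = if ($hits) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}' -f $flag, $cmd
    if ($hits) { '           matched: ' + ($hits -join ', ') }
}
```

Run it in a normal PowerShell window as the user who saw the fake CAPTCHA (the history is per user account). A flagged line that you do not recognise typing yourself is a strong sign the command ran, and the steps above apply. A clean list is not proof that nothing ran, so if you remember pressing the keys, still do the scan and the password changes.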

The Bigger Picture

This is part of a larger trend: scammers are becoming more sophisticated about layering legitimacy on top of fraud. A fake CAPTCHA uses the design language of security to deliver insecurity. A fake email uses official branding and legal language. A fake website mirrors the real thing pixel for pixel.

The con has always been about trust. But now trust is harder to earn and easier to fake. And the tools to deliver malware are becoming more elegant.

Sources

FTC Consumer Alert: How to Spot a CAPTCHA Scam

WISH-TV: FTC Alerts Public About Malicious CAPTCHA Scam
