CAPTCHA Command Trap

The FTC says fake CAPTCHAs are telling people to run malware commands, because apparently proving you are human now includes self-owning your laptop

The FTC warned that scam CAPTCHA screens are asking people to press Windows+R, paste hidden commands and hit Enter, which can install malware instead of verifying anything.

What Happened

The Federal Trade Commission issued a consumer alert Monday about fake CAPTCHA prompts that look like ordinary "prove you are human" checks but actually walk people into running malware on their own devices.

According to the FTC, the scam can show up as an unexpected CAPTCHA while browsing. Instead of asking someone to identify traffic lights or type letters from an image, the fake prompt tells them to press key combinations like Windows+R, Ctrl+V and Enter. The agency says doing so can paste and run hidden malware.

The FTC says once the malware is installed, scammers can quickly steal email-account logins, mobile-banking credentials or other accessible information. The clean rule is simple: real CAPTCHAs will not ask you to run commands on your device.
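
That rule can be turned into a simple content check. The sketch below is an added example, not code from the FTC or from this site: it flags page text that poses as a human-verification step while asking for the Windows+R, Ctrl+V, Enter sequence. The function names, phrase patterns and sample strings are all constructed for illustration.

```javascript
// Added example: heuristic for the lure the FTC alert describes. Flags text that
// claims to be a human check AND asks for Run dialog + paste/Enter keystrokes.
// All patterns and sample strings are assumptions built for this example.

// Collapse the many spellings of a key combo ("Win + R", "Windows key+R").
function normalise(text) {
  return text
    .normalize("NFKC")                      // fold full-width and compatibility forms
    .toLowerCase()
    .replace(/[\u200b-\u200d\ufeff]/g, "")  // zero-width characters that split keywords
    .replace(/\s*\+\s*/g, "+")
    .replace(/\s+/g, " ");
}

const STEPS = {
  runDialog: /(?:\bwin(?:dows)?(?: key| button)?|⊞)(?:\+| and | )r\b/,
  paste: /\b(?:ctrl|control)(?:\+| and | )v\b/,
  enter: /\b(?:press|hit|tap) (?:the )?enter\b|\benter key\b/,
};

const VERIFY_CONTEXT =
  /\b(?:captcha|not a robot|verify you are human|prove you are human|human verification|verification steps?)\b/;

function assessLure(pageText) {
  const t = normalise(pageText);
  const steps = Object.keys(STEPS).filter((name) => STEPS[name].test(t));
  const verifyContext = VERIFY_CONTEXT.test(t);
  // A real CAPTCHA never asks for OS-level keystrokes, so the Run dialog step
  // plus paste or Enter, inside a "verification" page, is enough to flag it.
  const suspicious =
    verifyContext && steps.includes("runDialog") && steps.length >= 2;
  return { suspicious, verifyContext, steps };
}

// Constructed sample inputs.
const LURE =
  "Verify you are human\n1. Press Win\u200bdows + R\n2. Press CTRL + V\n3. Press Enter";
const REAL_CAPTCHA =
  "I'm not a robot. Select all squares with traffic lights, then click Verify.";
const HELP_ARTICLE =
  "Tip: press Win+R, type notepad and hit Enter to open Notepad.";

for (const [label, text] of Object.entries({ LURE, REAL_CAPTCHA, HELP_ARTICLE })) {
  console.log(label, JSON.stringify(assessLure(text)));
}
```

The help-article sample shows why the check requires the verification context: shortcut instructions on their own are common in legitimate documentation.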

Why This Matters

CAPTCHAs trained everyone to obey weird little internet chores. Click every motorcycle. Select the squares with a bus. Prove you are not a robot by arguing with blurry street furniture. Scammers are now exploiting that muscle memory.

The danger is not that the fake screen looks brilliant. The danger is that people have been conditioned to treat verification boxes as annoying but harmless. This scam turns the box into a remote-control panel for your computer.

The Dumb Part With The Keyboard Shortcut

The dumb part is the confidence of a website saying, "To prove you are human, please open the Windows Run dialog and execute whatever mystery paste we prepared for you."

That is not a CAPTCHA. That is a burglar asking you to unlock the front door as part of a quick security survey.

The Bottom Line

The FTC says anyone who sees a suspicious CAPTCHA or pop-up trying to spread malware should report it at ReportFraud.ftc.gov. If something downloads after a CAPTCHA, disconnect from the internet, run a security scan, change passwords from a different device and enable two-factor authentication. The real stupid shit is that "I am not a robot" has somehow evolved into "please install this robot's crime software."

Sources

FTC Consumer Advice: How to spot a CAPTCHA scam

FTC Consumer Advice: Malware - how to protect against, detect and remove it

