What Happened
The FTC issued a consumer alert about a new twist on phishing scams: fake CAPTCHA pages that don't ask you to solve puzzles or identify fire hydrants. Instead, they ask you to run a series of device commands.
The scam works like this: You're browsing a website (legitimate or compromised, doesn't matter). A page pops up that looks exactly like a normal CAPTCHA verification screen. Instead of asking you to click checkboxes or solve image puzzles, the message says something like: "Press Windows + R, then Ctrl + V, then Enter."
If you follow the instructions, you're actually pasting and running a hidden command that the scam page has already placed on your clipboard, and that command installs malware. Once it's installed, the scammers can steal your email logins, banking credentials, and anything else they can access.
Why This Works (Unfortunately)
Most people are used to CAPTCHAs by now. They're ubiquitous, mildly annoying, and we click through them on muscle memory. A page that looks like a security feature telling you to verify yourself feels legitimate. The fact that it's asking you to run commands is buried in language that sounds technical and official.
The really stupid part: the malware sits silently on your device after installation. You might not notice anything wrong for days or weeks. By then, the attackers already have your credentials and have moved on to the next victim.
What Real CAPTCHAs Do vs. Fake Ones
A real CAPTCHA will never ask you to run device commands. Period. Real ones ask you to:
- Type letters and numbers as they appear
- Click on images of traffic lights, fire hydrants, or crosswalks
- Confirm a checkbox saying "I'm not a robot"
If a CAPTCHA-looking screen tells you to press keyboard shortcuts or run commands, it's 100% a scam. Close the browser tab and move on.
What You Should Do If You Fell For It
If you already followed the commands:
- Disconnect from the internet immediately. This prevents the malware from calling home or accessing your accounts remotely.
- Run a full security scan. Use Windows Defender, Malwarebytes, or another reputable anti-malware tool to find and remove the infection.
- Change your passwords. Use a different device to reset passwords for email, banking, and other critical accounts. Assume the malware already logged what you typed.
- Enable two-factor authentication. Even if your password is compromised, two-factor adds another barrier.
- Keep your software updated. Security patches fix vulnerabilities that malware exploits.
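One concrete check that fits between "disconnect" and "scan" above, as an added example that is not from the FTC alert or this post: the Win+R sequence the fake CAPTCHA asks for leaves a trace, because Windows records every command run through the Run dialog under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU (one value per entry, named a, b, c, ..., holding the command plus a trailing "\1", and an MRUList value giving most-recent-first order). The Python below takes those values as a plain dict (for instance transcribed from `reg query` output, or from a backup of the hive) and flags entries that look pasted rather than typed: a script interpreter or download tool as the first word, hidden-window or policy-bypass flags, a URL, or an unusually long one-liner. The sample dict is constructed; reading the key live is left to the reader.

```python
r"""
Triage the Windows Run-dialog history for paste-and-run activity.

Added example, not code from the FTC alert or the post. Entries are taken
from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, where
each value (a, b, c, ...) holds "<command>\1" and MRUList holds the value
names in most-recent-first order. The key is real; the values below are a
constructed sample so the script runs anywhere.
"""
import re

# Interpreters and download utilities that a fake CAPTCHA "verification"
# command typically relies on. Ordinary Run entries ("notepad", "calc")
# do not match.
INTERPRETERS = {
    "powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
    "rundll32", "regsvr32", "certutil", "bitsadmin", "curl",
}

# Flags that hide the console window or switch off normal safeguards.
HIDDEN_FLAGS = re.compile(
    r"(?i)(?:-|/)(?:w(?:indowstyle)?\s+hidden|nop(?:rofile)?\b|"
    r"e(?:xecutionpolicy|p)\s+bypass|enc(?:odedcommand)?\b)"
)
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")


def parse_runmru(values):
    """Return the Run history as a list of commands, most recent first.

    `values` maps registry value names to their string data, e.g.
    {"MRUList": "ba", "a": "notepad\\1", "b": "cmd\\1"}.
    """
    order = values.get("MRUList", "")
    # Fall back to alphabetical order if MRUList is missing.
    names = list(order) if order else sorted(k for k in values if k != "MRUList")
    commands = []
    for name in names:
        data = values.get(name)
        if data is None:
            continue
        # Strip the trailing "\1" marker Explorer appends to every entry.
        commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def triage_command(cmd):
    """Return the list of indicator names matched by one Run-dialog command."""
    indicators = []
    stripped = cmd.strip()
    first = stripped.split()[0].lower() if stripped else ""
    # Normalise "C:\...\cmd.exe" to "cmd" before the lookup.
    first = first.rsplit("\\", 1)[-1].removesuffix(".exe")
    if first in INTERPRETERS:
        indicators.append("interpreter:" + first)
    if HIDDEN_FLAGS.search(cmd):
        indicators.append("hidden-or-bypass-flag")
    if URL_RE.search(cmd):
        indicators.append("remote-url")
    if len(cmd) > 80:
        # A person typing into Run rarely produces a long one-liner;
        # a pasted clipboard payload usually does.
        indicators.append("long-pasted-command")
    return indicators


def triage_runmru(values):
    """Return (command, indicators) for every entry with at least one hit."""
    results = []
    for cmd in parse_runmru(values):
        hits = triage_command(cmd)
        if hits:
            results.append((cmd, hits))
    return results


# Constructed sample RunMRU: two ordinary entries and one that matches the
# fake CAPTCHA pattern (a placeholder stands in for the actual payload).
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": 'powershell -w hidden -ep bypass -c "<command pasted from the '
         'fake CAPTCHA page> http://example.invalid/verify"\\1',
}

if __name__ == "__main__":
    for cmd, hits in triage_runmru(SAMPLE_RUNMRU):
        print(f"SUSPICIOUS: {cmd!r}\n  indicators: {', '.join(hits)}")
```

A hit here tells you which command actually ran and is worth quoting to whoever helps you clean up; an empty result does not prove the device is clean, since the malware or the scammer's command can clear the history, so the full scan in the next step still applies.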
The Broader Idiocy
This scam exists because we've normalized complex security friction. People are so used to being told to click things, verify their devices, and follow security procedures that a malicious version barely stands out. The scammers are just copying the legitimate security theater and swapping in malware.
If something online asks you to run commands or execute code, the default answer is "no." Period. Full stop. Do not do it.
Sources
- FTC Consumer Alert: How to spot a CAPTCHA scam
- WISH-TV: FTC alerts public about malicious CAPTCHA scam targeting personal data
- FTC: How to remove malware from your device