New CAPTCHA Scam Can Steal Banking Passwords — Here's the FTC Warning You Shouldn't Ignore
If a CAPTCHA asks you to run commands on your computer, the FTC says close the page immediately

A routine online security check is being weaponised by cyber criminals, according to a new warning from the US Federal Trade Commission (FTC). The agency says scammers are creating fake CAPTCHA pages that look like legitimate verification tests but are designed to trick users into installing malware on their own devices.
Once installed, the malicious software can steal banking credentials, email login details, and other sensitive information. The warning highlights a growing phishing tactic that exploits a security tool millions of people encounter every day while browsing the internet.
How the Scam Works
According to the FTC, victims may encounter the scam while visiting a website. A page appears that resembles a standard CAPTCHA verification screen used to confirm that a visitor is human. Legitimate CAPTCHA tests typically ask users to identify objects in images, select matching pictures or type a sequence of characters.
The fraudulent versions work differently. The FTC says the fake pages instruct users to perform a series of keyboard commands. These may include pressing Windows + R, followed by Ctrl + V and then Enter. While the instructions appear to be part of a security verification process, they actually cause hidden malicious code to be pasted and executed on the user's device. That action can install malware within seconds.
What Information Is at Risk
The FTC warns that malware delivered through these fake CAPTCHA pages can give criminals access to valuable personal information. According to the agency, attackers may steal email account credentials, mobile banking login details, and other sensitive data stored on the infected device.
Email accounts are often a primary target because they can be used to reset passwords for other online services. Once access is obtained, criminals may attempt to take control of financial accounts, shopping profiles or other digital services linked to the victim.
The FTC says legitimate CAPTCHA systems do not ask users to run commands on their computers. A real CAPTCHA may require users to complete visual puzzles or type characters displayed on screen. It will not instruct them to open system tools, paste commands or execute software.
Users who encounter a CAPTCHA requesting keyboard shortcuts such as Windows + R should treat the request as suspicious. The FTC advises consumers not to follow those instructions.
What to Do if Malware Has Been Installed
The FTC recommends acting quickly if a suspicious CAPTCHA prompt has already been completed. The agency advises users to disconnect the affected device from the internet immediately. This can help prevent further communication between the malware and the attacker.
Users should then run a security scan using trusted antivirus or anti-malware software and ensure that their operating system and applications are fully updated. The FTC also recommends changing passwords for important accounts and enabling two-factor authentication where available. The agency advises using a separate device when updating account security settings.
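Commands entered through the Windows + R Run dialog are recorded in the current user's RunMRU registry key, so a responder can check whether a pasted command was actually run. The PowerShell below is an added example, not code from the FTC or this article. The list of flagged program names and the sample entries are assumptions constructed for illustration.

```powershell
# Added example: review Run-dialog (Win+R) history for the current user and
# flag entries that start a script interpreter instead of an ordinary program.
$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Assumption: illustrative list of interpreters a user rarely types into Run.
$interpreters = 'powershell', 'pwsh', 'cmd', 'mshta', 'wscript', 'cscript'
$pattern = '(?i)\b(' + ($interpreters -join '|') + ')(\.exe)?\b'

function Test-RunEntry {
    param([string]$Raw, [string]$Source)
    # Run-dialog entries are stored with a trailing "\1" marker; strip it.
    $command = $Raw -replace '\\1$', ''
    [pscustomobject]@{
        Source  = $Source
        Flagged = [bool]($command -match $pattern)
        Command = $command
    }
}

function Get-RunHistory {
    # The key is absent if the Run dialog was never used (or on non-Windows).
    if (-not (Test-Path $runMru)) { return }
    $key = Get-Item -Path $runMru
    foreach ($name in $key.GetValueNames()) {
        # MRUList only holds the ordering of the lettered values.
        if ($name -eq 'MRUList' -or $name -eq '') { continue }
        Test-RunEntry -Raw ([string]$key.GetValue($name)) -Source "RunMRU:$name"
    }
}

# Constructed samples (not real indicators), in the stored "<command>\1" form.
$samples = 'notepad\1', 'powershell.exe <constructed-arguments>\1'

$results = @($samples | ForEach-Object { Test-RunEntry -Raw $_ -Source 'constructed' }) +
           @(Get-RunHistory)
$results | Sort-Object Flagged -Descending | Format-Table -AutoSize -Wrap
```

A flagged entry is a reason to follow the FTC's steps above, not proof of infection, and an empty history does not rule one out because the key can be cleared.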
Why Criminals Are Using Fake CAPTCHAs
The FTC's warning suggests the scam relies on the widespread familiarity of CAPTCHA systems. Because internet users regularly encounter verification requests while browsing websites, fraudulent pages may appear legitimate at first glance.
By imitating a common online security feature, scammers attempt to persuade users to complete actions that would otherwise appear unusual. The technique allows attackers to bypass traditional phishing approaches and persuade victims to install malware themselves.
How to Report a Suspicious CAPTCHA
The FTC encourages consumers to report suspected phishing attempts and malware-related scams. Anyone who encounters a suspicious CAPTCHA page or pop-up can submit a report through the agency's fraud reporting portal.
The commission says public reports help authorities identify emerging threats and warn other consumers. As phishing tactics continue to evolve, the FTC's guidance remains straightforward: a CAPTCHA should verify that a user is human. It should never ask someone to run commands on their computer. If it does, the safest response is to close the page immediately and avoid interacting with it further.
© Copyright IBTimes 2025. All rights reserved.