Beware of CAPTCHA Look-Alikes

CAPTCHA checks—or pop-ups with a quick test to determine if the computer user is a robot—have become inescapable on the modern web. The FTC is warning that fraudsters are spreading fake CAPTCHA requests to take advantage of consumers. If you aren’t paying attention, criminals can quickly take control of your device.

The threat begins as a normal CAPTCHA test. While browsing the internet, a pop-up appears to verify you are a human. However, instead of clicking on certain images or typing in the six characters that are poorly displayed, the “test” asks the user to type a series of commands. Often, if you are on a Windows device, it might begin with “Windows + R,” followed by “Ctrl + V” (the command to paste something previously copied) and “Enter.”

Under the guise of a security check, this sequence actually downloads malware onto your device. Depending on the specific software the hackers are spreading, the criminals can gain full control of your device once your entered commands are complete. They can scan your emails, search for passwords, and otherwise use your device as if they were in your room.

When encountering CAPTCHA tests online, keep the following tips in mind:

  • Real CAPTCHA checks won’t ask you to run commands on your device. They usually involve the user clicking on certain images that match a criteria or typing in slightly obscured letters. CAPTCHA tests are always in your internet browser and don’t require opening another application, like your device’s Run command window.
  • Real CAPTCHA checks won’t result in a download. Immediately stop any unintended downloads and take steps to ensure your device’s safety.
  • Quickly disconnect from the internet if your computer is infected. Turning off Wi-Fi and unplugging from a wired internet connection will prevent remote hackers from accessing your information.
  • Use unique passwords for each of your accounts. Most web browsers now include built-in password managers that automatically generate new passwords each time you create a new login. This ensures that if one account is compromised, the rest of your logins will remain unaffected.
  • Turn on multi-factor authentication for your accounts. Two-factor or multi-factor authentication requires an additional method of security before you can log in to an account, often a code texted to your phone number or a link sent to your email. This keeps your account secure even if a bad actor obtains your password.

If you believe you have encountered a scam, please file a complaint on our website. Your report helps Fraud.org alert the public and share critical information with consumer protection agencies and law enforcement partners.