A common scam tactic uses fake CAPTCHA prompts to trick you into running malicious commands on your computer. Here's what you need to know to stay safe.
What a Real CAPTCHA Looks Like
Legitimate CAPTCHA systems (like reCAPTCHA) ask you to solve a puzzle: click boxes with traffic lights, identify street signs, or type distorted text. They never ask you to press keyboard shortcuts like Win+R, Ctrl+Alt+Delete, or any combination of keys. They never ask you to open a terminal, command prompt, or run code.
Red Flags of a Fake CAPTCHA
A prompt is not a real CAPTCHA if it tells you to:
- Press specific key combinations
- Open a terminal or command window
- Run a command or script
- Download a file or software
- Enter your password or personal information
Any of these requests means the prompt is a scam designed to compromise your computer or steal your credentials.
How the Scam Works
Scammers create fake CAPTCHA pages that look similar to the real thing. They may send you a link via email, text, or social media. When you click it, the fake CAPTCHA appears and instructs you to press keys or run commands. If you follow those instructions, malware can be installed, your files encrypted, or your login credentials stolen.
How to Protect Yourself
- Never follow keyboard or command instructions from a CAPTCHA prompt.
- If a website asks you to run code or press shortcuts to verify you are human, close the page immediately.
- Type website addresses directly into your browser instead of clicking links in messages.
- Keep your operating system and antivirus software up to date.
- When in doubt, contact the company directly using a phone number or website you know is legitimate.