Fake CAPTCHA Scams
Americans lost $12.5 billion to fraud in 2024, according to the FTC.
Quick Answer
Fake CAPTCHA scams trick users into installing malware or revealing sensitive information by presenting them with a fraudulent “I’m not a robot” test that leads to malicious instructions.
Think you've seen this scam?
Paste any suspicious text, email, or voicemail into our free checker — get a verdict in 5 seconds. Or get our free Scam Defense Playbook.
Free. No credit card. No signup required for the checker.
How It Works
1
A user lands on a compromised or malicious website that displays a fake CAPTCHA verification prompt, which often looks identical to legitimate ones like Google's reCAPTCHA.
2
After the user clicks the checkbox, instead of a simple image puzzle, the site provides unusual instructions. It may claim extra verification is needed and instruct the user to download a file, enable browser notifications, or copy a line of text.
3
The user is directed to paste the copied text into a command line tool (like Windows Run or PowerShell) and press Enter. This action executes a hidden malicious script that installs malware, such as information stealers (like Lumma Stealer) or Remote Access Trojans (RATs), giving scammers access to passwords, financial data, and personal files.
Red Flags
- You are asked to download a file or install a browser extension to complete verification.
- The prompt instructs you to copy and paste text or commands into your computer's Run dialog, PowerShell, or command terminal.
- The CAPTCHA appears on an unfamiliar, suspicious, or strangely named website URL.
- The website creates a false sense of urgency, claiming your action is required immediately.
- The CAPTCHA appears as a pop-up window rather than being embedded directly within the webpage.
- The verification process asks for personal information like your email, password, or name.
- After completing the CAPTCHA, you are redirected to a suspicious website or trigger a series of odd pop-ups.
What to Do If Targeted
- Immediately close the browser tab and disconnect your device from the internet to prevent malware from communicating with the scammer.
- Do not follow any instructions to download files or paste commands. If you copied text, clear your clipboard by copying a new, harmless piece of text.
- Run a full scan with up-to-date antivirus and anti-malware software to detect and remove any malicious files.
- If you downloaded a file, delete it immediately and empty your computer's trash or recycling bin.
- Change the passwords for your important accounts, such as email, banking, and social media, using a different, secure device.
- Monitor your financial accounts and credit reports for any unauthorized activity.
How to Report It
- FTC — File a fraud report with the Federal Trade Commission to help with investigations and consumer protection.
- FBI IC3 — Report the incident to the FBI's Internet Crime Complaint Center (IC3), especially if it involves malware or financial loss.
- FCC — File a complaint about phone scams, robocalls, or unwanted calls with the Federal Communications Commission.
- AARP Fraud Helpline — Call 877-908-3360 for free support from trained fraud specialists. Available to anyone, not just AARP members.
Key Statistics
- In 2023, consumers reported losing over $10 billion to fraud, a 14% increase from the previous year. — FTC 2024
- Impersonation scams, which can use tactics like fake CAPTCHAs, were the top reported fraud category in 2023, with losses of $2.7 billion. — FTC 2024
- The FBI's Internet Crime Complaint Center (IC3) reported that tech support and government impersonation scams resulted in over $1.3 billion in losses in 2023. — FBI IC3 2023 Internet Crime Report
- Adults over 60 reported the highest losses to tech support scams, accounting for over $770 million, which is 58% of the total losses for that scam type. — FBI IC3 2023 Internet Crime Report
Get scam alerts before they hit your parents' inbox
One email per week. The scam that's spreading right now, the red flags, and what to tell Mom and Dad.
Free forever. Unsubscribe in one click.
Frequently Asked Questions
A fake CAPTCHA scam is a fraudulent security check that mimics a real “I'm not a robot” test. Instead of verifying a human user, it tricks the person into executing malicious code, downloading malware, or visiting a phishing site to steal their data.
A legitimate CAPTCHA will never ask you to download software, install extensions, or copy and paste commands into your computer. Real CAPTCHAs are typically embedded on trusted websites and involve simple tasks like clicking a checkbox, identifying images, or typing distorted text. Be suspicious of any CAPTCHA on a strange URL or one that requires unusual steps.
Scammers use fake CAPTCHAs because they exploit our trust in a familiar and routine online security step. Most people have clicked an “I'm not a robot” box many times and do not question it, making them more likely to follow malicious instructions that seem like part of the verification process. This familiarity helps scammers trick users into compromising their own devices.
Fake CAPTCHA scams commonly install information-stealing malware like Lumma Stealer or Rhadamanthys, which can harvest passwords, browser cookies, cryptocurrency wallet details, and other financial data. They can also deliver Remote Access Trojans (RATs), such as AsyncRAT, which give attackers control over the victim's computer.
Has this scam reached your family?
Ready to protect yourself?
We've vetted the tools that actually work — VPN, threat protection, and identity monitoring.
See our recommended tools →Get weekly scam alerts
One breakdown per week. Real threats. Zero fluff.
You're in! Check your inbox.