Morning Overview

A fake CAPTCHA popup installs malware the moment you click it, the FTC warns.

Anyone who has verified their identity online by clicking a checkbox or identifying traffic lights in a grid has encountered a CAPTCHA. The Federal Trade Commission is now warning that scammers have built convincing replicas of those prompts, and following the on-screen instructions does not prove you are human. Instead, it silently installs malware that can steal email and banking credentials. The agency says it is receiving reports of these fake CAPTCHA popups, which trick users into executing hidden code through a short sequence of keystrokes.

How fake CAPTCHA prompts hijack routine verification

The attack works by exploiting trust. Legitimate CAPTCHAs ask users to click a box or solve a visual puzzle. The fraudulent versions look similar but add an unusual step: they instruct the user to press Windows+R, then Ctrl+V, then Enter. That three-keystroke sequence opens the Windows Run dialog, pastes a command that was secretly copied to the clipboard by the malicious page, and executes it. The result is immediate malware installation, with no file download prompt or antivirus warning in between.

The FTC’s consumer alert spells out the downstream damage: attackers use the malware to harvest credentials, including logins for email accounts and banking platforms. Because the victim voluntarily typed the keystrokes, the operating system treats the command as a trusted user action, bypassing many of the safeguards that block conventional drive-by downloads.

A real CAPTCHA never asks anyone to open system-level tools or type keyboard shortcuts. That distinction is the fastest way to recognize the scam. If a verification prompt requests anything beyond clicking, selecting images, or typing a short alphanumeric code, the safest response is to close the browser tab immediately.
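The keystroke chain described above depends entirely on the Windows Run dialog being reachable. As an added example (not from the FTC alert or this article), the following PowerShell script audits, and with -Apply sets, the long-standing Windows policy value NoRun under the Policies\Explorer key, which removes the Run command and the Windows+R shortcut for accounts that have no business need for it. It assumes it is run on the affected user's account for the user scope, or elevated for the machine scope.

```powershell
# Added example (not from the FTC alert or the article): audit and optionally apply
# the Windows "Remove Run menu from Start Menu" policy (registry value NoRun), which
# also disables the Windows+R shortcut that the fake CAPTCHA tells victims to press.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7; run as the target user for
# -Scope User (HKCU) or from an elevated prompt for -Scope Machine (HKLM).

param(
    [ValidateSet('User', 'Machine')]
    [string]$Scope = 'User',
    [switch]$Apply
)

$hive = if ($Scope -eq 'Machine') { 'HKLM:' } else { 'HKCU:' }
$policyKey = "$hive\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"

function Get-RunDialogPolicy {
    # Returns 'blocked' when NoRun is 1, 'allowed' when the value is absent or 0.
    $value = (Get-ItemProperty -Path $policyKey -Name NoRun -ErrorAction SilentlyContinue).NoRun
    if ($value -eq 1) { 'blocked' } else { 'allowed' }
}

function Set-RunDialogPolicy {
    # Creates the policy key if it is missing and writes NoRun=1 (DWORD).
    # The change takes effect at the next sign-in or after Explorer restarts.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    New-ItemProperty -Path $policyKey -Name NoRun -PropertyType DWord -Value 1 -Force | Out-Null
}

$before = Get-RunDialogPolicy
Write-Output "Run dialog ($Scope scope): $before"

if ($Apply -and $before -eq 'allowed') {
    Set-RunDialogPolicy
    Write-Output "Run dialog ($Scope scope): $(Get-RunDialogPolicy) (NoRun=1 written to $policyKey)"
}
```

Running the script with no switches only reports the current state; -Apply writes the value. The setting closes one entry point only: a pasted command can still be run from a terminal or the File Explorer address bar, domain Group Policy can override a local value, and users who genuinely rely on the Run dialog lose it, so the recognition rule above (a verification prompt never asks for keyboard shortcuts) remains the primary defense.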

Where these scams gain traction and who is exposed

The FTC alert does not publish a count of confirmed victims or name specific websites hosting the fakes. That gap leaves an open question about scale. Still, the mechanics of the attack point toward a distribution pattern tied to sites that serve ads through lower-quality programmatic networks. Pages that cycle through rapidly rotating ad creatives, such as free streaming portals, file-conversion tools, and pirated-content indexes, are common vectors for malicious pop-ups because their ad supply chains involve less vetting than premium publisher networks.

The connection between cheap ad inventory and malware delivery is well established in security research, and the CAPTCHA variant fits the same model. A user lands on a page, an ad slot loads a script that generates the fake prompt, and the page itself may have no idea the overlay appeared. The site operator profits from impressions while the attacker profits from stolen credentials. The victim, caught between the two, sees only what looks like a standard identity check.

The FTC published the same warning in Spanish through its Spanish-language consumer portal, signaling that the agency views the threat as broad enough to warrant bilingual outreach. Spanish-speaking internet users who encounter the scam can also file complaints through the agency’s dedicated Spanish-language site.

What the FTC has not disclosed about CAPTCHA malware

Several pieces of the puzzle are still missing from the public record. The FTC alert does not name the malware families involved, does not list technical indicators of compromise that security teams could use to scan their networks, and does not specify which browsers or operating system versions are most vulnerable. No breakdown by geographic region, device type, or ad network appears in the agency’s published guidance.

The absence of hard numbers makes it difficult to measure how fast the tactic is spreading. Security firms that track info-stealer campaigns have documented similar clipboard-hijacking techniques in recent years, but the FTC’s decision to issue a standalone consumer alert suggests the volume of complaints crossed an internal threshold worth acting on. Whether the agency plans enforcement action against any of the ad networks or site operators that facilitate the scam is not addressed in the current posting.

Without named malware strains or hashes, individual users have limited ability to check whether they have already been compromised. The practical first step for anyone who may have followed a suspicious CAPTCHA’s instructions is to disconnect from the internet, run a full antivirus scan, and change passwords for email and financial accounts from a separate, clean device. Enabling two-factor authentication on banking and email accounts adds a second barrier even if credentials were already captured.
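Even without published hashes, a Windows machine keeps its own record of what was typed into the Run dialog: the RunMRU key under the current user's Explorer settings stores each entry (with a trailing "\1") and an MRUList value giving most-recent-first order. The following PowerShell script, an added example not drawn from the FTC alert or the article, lists that history and flags entries that look pasted rather than typed. The scoring heuristics (a URL in the command, a command interpreter launched with a long argument string, or an entry far longer than a person would type) are this example's own assumptions and will also flag some legitimate administrative commands.

```powershell
# Added example (not from the FTC alert or the article): review what the current user
# has launched through the Windows Run dialog, the artifact the fake CAPTCHA leaves
# behind when its instructions are followed. Windows records Run-dialog history under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Assumptions: run as the user who was browsing; the heuristics in
# Test-SuspiciousRunEntry are this example's own and are not from the FTC guidance.

$runMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Get-RunHistory {
    # Returns Run-dialog entries as objects, most recent first, per the MRUList order.
    if (-not (Test-Path $runMruKey)) { return @() }
    $props = Get-ItemProperty -Path $runMruKey
    $order = if ($props.MRUList) { $props.MRUList.ToCharArray() } else { @() }
    foreach ($slot in $order) {
        $name = [string]$slot
        $raw = $props.$name
        if ($null -eq $raw) { continue }
        [pscustomobject]@{
            Slot    = $name
            Command = ($raw -replace '\\1$', '')   # strip the "\1" suffix Windows appends
        }
    }
}

function Test-SuspiciousRunEntry {
    param([string]$Command)
    # Heuristics (assumptions of this example, not an official indicator list).
    $reasons = @()
    if ($Command -match '(?i)https?://') {
        $reasons += 'references a URL (Run-dialog entries typed by hand rarely do)'
    }
    if ($Command -match '(?i)^(powershell|pwsh|cmd)(\.exe)?\b' -and $Command.Length -gt 40) {
        $reasons += 'command interpreter launched with a long argument string'
    }
    if ($Command.Length -gt 120) {
        $reasons += 'unusually long for manual entry; consistent with a pasted command'
    }
    return $reasons
}

$history = @(Get-RunHistory)
if ($history.Count -eq 0) {
    Write-Output 'No Run-dialog history found for this user.'
}
foreach ($entry in $history) {
    $reasons = @(Test-SuspiciousRunEntry -Command $entry.Command)
    $flag = if ($reasons.Count -gt 0) { 'SUSPICIOUS' } else { 'ok' }
    Write-Output ("[{0}] {1}" -f $flag, $entry.Command)
    foreach ($reason in $reasons) { Write-Output ("    - {0}" -f $reason) }
}
```

A flagged entry is a reason to treat the machine as compromised and proceed with the steps above (disconnect, scan, change passwords from a clean device), not proof on its own; conversely, an empty or clean RunMRU does not clear the machine, because the history can be cleared and a command run from another prompt never appears there. Where an endpoint agent or Sysmon is deployed, process-creation logs showing a command interpreter spawned by the Run dialog's parent, explorer.exe, give the same signal with less chance of being wiped.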

The FTC directs anyone who has encountered the scam to file a report at its fraud-reporting portal. That reporting channel is the agency’s primary tool for tracking complaint volume and building enforcement cases, so individual reports feed directly into the data the FTC uses to decide where to act next.

For now, the clearest takeaway is mechanical: no legitimate CAPTCHA will ever ask a user to press Windows+R or paste anything into a system dialog. Treating that request as an automatic red flag, and closing the tab the moment it appears, is the single most effective defense available while the FTC and security researchers work to map the full scope of the campaign.

*This article was researched with the help of AI, with human editors creating the final content.