OK guys, I am really alarmed by this new scam going around, and I am someone who covers consumer news and scams for *** living. So I could really see *** lot of people falling for this one. So you know those capture boxes you have to click, I’m not *** robot on? Well, scammers have found *** way to create fake versions of this that look real, but instead of clicking *** button, what they actually want you to do. is press *** series of keys. So here’s *** real world example of what this looks like that someone shared on Reddit recently. And here’s the thing, when you are running the sequence, what you are actually doing is running *** command that will download malware onto your device. That malware can steal your passwords, logins, potentially even banking information. So here’s what you should know. *** real captcha message will never ask you to run *** sequence of keys. So if you see that immediate red flag, close out of the tab immediately. Now, if you did this by accident, you’re going to want to act fast. So disconnect from Wi Fi, run *** virus scam, change your passwords from *** different device, and be sure to follow me for more scam alerts and consumer news like this.
This new scam could trick you into downloading malware
A new scam involving fake Captcha boxes is tricking people into downloading malware that can steal sensitive information.
Updated: 5:38 PM EDT Mar 25, 2026
A new scam is exploiting a familiar internet security check — tricking people into compromising their own computers. The Identity Theft Resource Center (ITRC) is warning that criminals are using realistic-looking fake CAPTCHA pages to trick Windows users into running malicious commands that install information-stealing malware.CAPTCHAs are commonly used to verify that a user is human, often by asking them to click images or check a box. But in this scam, the page prompts users to follow a series of keyboard steps to continue.Those instructions may tell users to press the Windows key and “R,” then “Ctrl + V,” then hit Enter.According to the ITRC, following those steps opens a hidden command box, pastes a malicious script from the clipboard and runs it, downloading malware onto the computer.Security researchers have identified the malware as “StealC,” which is designed to quietly collect sensitive data. That can include saved passwords, login credentials and other information stored in your browser.A legitimate CAPTCHA will never ask users to run commands or use keyboard shortcuts. If you encounter a page that does, close it immediately.Those who believe they may have followed the instructions should act quickly. The ITRC recommends disconnecting from the internet, running a full antivirus scan and changing passwords using a separate, unaffected device. Users should also monitor financial accounts for suspicious activity.Stay Connected with the National Consumer UnitGet clear, actionable consumer reporting delivered across platforms.Follow National Consumer Correspondent Allie Jasinski for real-time updates, myth-busting videos and behind-the-scenes reporting on Instagram, TikTok and YouTube.Have a question you’d like us to investigate? Email us at askallie@hearst.com
A new scam is exploiting a familiar internet security check — tricking people into compromising their own computers.
The Identity Theft Resource Center (ITRC) is warning that criminals are using realistic-looking fake CAPTCHA pages to trick Windows users into running malicious commands that install information-stealing malware.
CAPTCHAs are commonly used to verify that a user is human, often by asking them to click images or check a box. But in this scam, the page prompts users to follow a series of keyboard steps to continue.
Those instructions may tell users to press the Windows key and “R,” then “Ctrl + V,” then hit Enter.
According to the ITRC, following those steps opens a hidden command box, pastes a malicious script from the clipboard and runs it, downloading malware onto the computer.
Security researchers have identified the malware as “StealC,” which is designed to quietly collect sensitive data. That can include saved passwords, login credentials and other information stored in your browser.
A legitimate CAPTCHA will never ask users to run commands or use keyboard shortcuts. If you encounter a page that does, close it immediately.
Those who believe they may have followed the instructions should act quickly. The ITRC recommends disconnecting from the internet, running a full antivirus scan and changing passwords using a separate, unaffected device. Users should also monitor financial accounts for suspicious activity.
Get clear, actionable consumer reporting delivered across platforms.
Follow National Consumer Correspondent Allie Jasinski for real-time updates, myth-busting videos and behind-the-scenes reporting on Instagram, TikTok and YouTube.
Have a question you’d like us to investigate? Email us at askallie@hearst.com
