Fake security-check CAPTCHAs trick you into pressing keyboard shortcuts that install malware
A fake CAPTCHA or "security verification" page tells you to press Windows+R, Ctrl+V, then Enter — secretly running malware already copied to your clipboard. It steals passwords, banking logins, and crypto wallet credentials.
Also known as: ClickFix scam, fake Cloudflare CAPTCHA, keyboard command malware, PowerShell clipboard attack
Already happened to you? Do this in the next few minutes
- 1 Call your bank or card's fraud line right now. Use the number on the back of your card — not any number from the message or caller. Ask them to stop or reverse the payment and freeze the account.
- 2 If you paid by gift card, wire, or an app (Zelle, Venmo, Cash App): contact that company immediately and report it as fraud. Acting fast sometimes recovers the money.
- 3 Report to the FBI at ic3.gov and the FTC at reportfraud.ftc.gov. The sooner, the better.
- ! If you installed any "support", "server", "refund", or remote-access app at their request (AnyDesk, TeamViewer, Quick Support, etc.): disconnect the internet now, then run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
What to do right now
- 1 If you have not yet pressed the keys: close the browser tab immediately — do not complete the CAPTCHA instructions
- 2 If you already pressed Enter: disconnect from the internet immediately, then run a full antivirus or anti-malware scan before reconnecting
- 3 Change your passwords for email, banking, and crypto accounts from a separate, clean device
- 4 If you installed any 'support' or 'server' or 'refund app' or remote-access app at the scammer's request (AnyDesk, TeamViewer, Quick Support, etc.), run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
- 5 Report to the FTC at https://reportfraud.ftc.gov and the FBI's IC3 at https://www.ic3.gov.
Was remote-access software installed?
If a scammer asked you to install AnyDesk, TeamViewer, Quick Support, or any remote-access app, your device may still be compromised.
Run SeraphSecure to detect and remove it →Red flags
- ⚠ A CAPTCHA or security check that asks you to press keyboard shortcuts like Windows+R, Ctrl+V, and Enter — real CAPTCHAs never ask you to run commands
- ⚠ The page may display a Cloudflare, Microsoft, or 'government security' logo to appear legitimate
- ⚠ A brief black command window flashes and closes after you follow the steps — that is the malware installing itself
- ⚠ You did not download anything explicitly, yet something may have run in the background after following the 'verification' steps
Sources
- FTC Consumer Alert — How to spot a CAPTCHA scam (Jun 2026)
- Microsoft Security Blog — ClickFix campaign uses fake macOS utilities lures to deliver infostealers (May 2026)
- Malwarebytes — 700+ education and tech websites hijacked in huge ClickFix malware campaign (May 2026)
- SeraphSecure — Meet ClickFix: The CAPTCHA Scam That Tricks You Into Installing Malware (Mar 2026)
- The Hacker News — ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services (Jan 2026)
- WISH-TV — FTC alerts public about malicious CAPTCHA scam targeting personal data (Jun 2026)
- Fox News — Fake CAPTCHA scam installs malware when you follow keyboard commands (Jun 2026)
- Google — June 2026 Fraud and Scams Advisory (ClickFix one of 3 top threats)
- WebProNews — Google's June 2026 Fraud Alert Exposes AI's Growing Role in Sophisticated Online Scams