CLEVELAND — We’ve all done it.
Click the box. Prove you’re human. Move on.
But as a consumer reporter, I’ve learned that the next time you see a CAPTCHA, you may want to pause.
Scammers are now weaponizing one of the most trusted security features online.
For years, we’ve warned you about fake websites — those lookalike pages with URLs just slightly off, designed to trick you into clicking. Sometimes they even show up at the top of search results.
But now, there’s a new twist.
“They’ve set up these sketchy websites that mimic a well-known website, and you land on it by accident,” said Mark Huffman with Consumer Reports.
Once you’re there, everything can look normal — including the CAPTCHA.
That’s where the scam begins.
Instead of simply asking you to identify pictures or check a box, these fake CAPTCHAs may tell you to press a series of keys — like “Windows + R” — or ask you to enable notifications.
That is not normal, and it’s a major red flag.
“If they don’t know that this is a scam, they are likely to follow those instructions because they think it’s normal — but it’s not normal,” Huffman said.
What’s really happening behind the scenes is far more dangerous.
Those steps can trigger malware downloads — giving scammers access to your device, your data, and potentially your financial information.
Here’s the bottom line: a real CAPTCHA will never ask you to type commands into your keyboard or change your computer settings.
If it does, get out immediately.
If you think you’ve already interacted with one of these fake CAPTCHAs, act fast.
Disconnect your device from the internet immediately to prevent any potential data transfer.
Then run a full virus scan. Finally, use a separate device to log into your accounts and change your passwords.
This scam is catching even seasoned experts off guard — and it’s designed to blend in with something we’ve all been trained to trust.
Which is exactly why it works.