CAPTCHA Scam Runs Hidden Malware After Victims Follow “Verification” Commands, FTC Says
According to the FTC, scammers impersonate CAPTCHA checks and prompt victims to run commands. The result can be malware installation that enables account takeover and credential theft.
The FTC’s consumer alert details a CAPTCHA scam designed to look like an ordinary website verification attempt while actually functioning as a lure for malware. Victims reportedly encounter a message that resembles CAPTCHA-related activity, but the scammers’ goal is to persuade the victim to take specific actions—particularly executing commands on their device. The FTC notes that this “verification” approach is weaponized to bypass skepticism and push users into a compromise.
After the command is run, the FTC warns, malware can be installed. With malware on the device, attackers may be able to steal credentials and facilitate unauthorized access to victims’ accounts. The FTC specifically highlights threats involving email logins and banking credentials, which are high-value targets that can lead to fraud even after the initial compromise.
The alert underscores why this pattern is especially dangerous: CAPTCHA prompts are widely recognized as a standard barrier, so users may assume an urgent or unusual step is still part of normal security. However, the FTC’s reporting indicates the prompt is a deception meant to trigger direct user action.
This case illustrates a shift in phishing tradecraft, where attackers embed malicious steps within familiar interfaces. The FTC’s guidance focuses on avoiding command execution in response to unexpected CAPTCHA-like requests and treating such prompts as potential threats rather than confirmations of legitimacy.
Source: FTC consumer advice dated June 8, 2026.
Official resources
Industry anti-phishing organization with reporting and education resources.
FTC Consumer Advice: US consumer guidance for scams, fraud patterns, and reporting options.
FBI Internet Crime Complaint Center: Official reporting channel for internet-enabled crime in the United States.