The FTC warns scammers misuse CAPTCHA prompts to trick people into interacting with fraudulent sites. Victims may be routed from “verification” steps into scams or malware rather than legitimate logins.

Scammers increasingly use CAPTCHA screens as a social-engineering lure. Instead of serving as a simple “prove you’re human” checkpoint, the CAPTCHA is paired with spoofed instructions that pressure a user to click, submit extra information, or continue through a lookalike flow. The FTC highlights that this tactic often appears during attempts to access common accounts or services, where victims are already primed to follow urgent prompts. In these schemes, the fraudsters rely on confusion—people expect a CAPTCHA to be harmless—then redirect the interaction to harmful outcomes. That may include being pushed toward fraudulent offers, impersonation pages, or steps that install malware through deceptive buttons and redirects. The FTC’s guidance emphasizes recognizing scam patterns: unexpected CAPTCHA prompts that appear out of context, instructions that encourage additional actions beyond standard verification, and websites that don’t match the claimed service. Consumers are urged to pause, verify the destination URL, and avoid acting on CAPTCHA-related directions that appear to be part of an unsolicited or suspicious site flow.