The FTC warns of a CAPTCHA-based phishing scam that can install malware when victims follow instructions. The malware can enable account access and credential theft, including email logins and banking information.

The FTC issued an alert describing a phishing scam that imitates CAPTCHA verification prompts while delivering hidden malware. The agency says it received reports in which scammers present victims with an apparent “check” or “verification” step, instructing them to run commands on their device. Instead of being a harmless security test, the prompt is allegedly used as a delivery mechanism to compromise the victim’s system. Once the malicious instructions are followed, the FTC warns that malware may be installed. That malware can then facilitate theft of sensitive credentials, including email logins and banking credentials. The scam leverages the trust people typically place in common security and anti-bot workflows—CAPTCHAs—to make malicious behavior seem legitimate. The FTC’s guidance emphasizes the danger of responding to unexpected verification requests with command execution. Legitimate service providers generally do not ask users to run commands to “complete” a CAPTCHA. The agency’s warning reflects a broader trend: attackers are increasingly disguising initial compromise steps as routine security checks, then moving quickly to monetize through account takeovers and financial fraud. For consumers, the key risk is that a CAPTCHA-themed prompt is not proof of authenticity—victims can lose access to accounts and credentials after the malware stage is triggered. Source: FTC consumer advice dated June 8, 2026.