The FTC says scammers use CAPTCHA-like screens to lure victims into running commands that install hidden malware. Once installed, criminals may steal email logins and mobile-banking credentials.

The FTC warns that fraudsters are increasingly using fake “CAPTCHA/security verification” pop-ups to trick people into compromising their devices. Instead of performing a legitimate bot check, the prompts instruct victims to take actions that look routine—such as approving device commands or following steps that seem necessary to “confirm” their identity. In reality, the FTC says the process can install malware that remains hidden while giving criminals access to sensitive accounts. According to the FTC, after malware installation, attackers may collect credentials used to log into email and then pivot to more valuable targets, including mobile banking. The approach is designed to reduce suspicion: CAPTCHA screens are familiar to many users, and the urgency implied by “verification” can push people to act quickly rather than stop and verify the legitimacy of the prompt. The FTC’s guidance emphasizes that CAPTCHA challenges should not require downloading software or running device commands. Users should be cautious of pop-ups that deviate from expected CAPTCHA behavior, and they should treat “security verification” claims—especially those tied to credential capture or device control—as a potential scam.