ST. LOUIS, Mo. (First Alert 4) – You’ve probably seen CAPTCHA security prompts on some websites to verify that you’re human. But cybersecurity experts are warning you to watch out for CAPTCHA scams.
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. Retail, banking, and other websites often ask users to click on CAPTCHA prompts to verify that they’re not a robot. CAPTCHA prompts are designed to prevent automated bots from rapidly buying up inventory of things like popular concert tickets or products, or opening online accounts.
But Dean Gefen, CEO and founder of cybersecurity firm NuKudo, says fake CAPTCHA scams are popping up on both real and fake websites. Some will ask users to press Windows Key +R, then Ctrl +V, then Enter, ask users for passwords to accounts, or to download something on their device.
“If the CAPTCHA is asking you to put something on your device, to do a shortcut, it shouldn’t be the case. Also, CAPTCHA doesn’t require you to insert your name or password. And it doesn’t require you to download software on your device,” explained Gefen. Those requests, he said, are red flags for CAPTCHA scams.
The Identity Theft Resource Center reports that when victims press the sequence of keys, it can open a hidden command box on the device, paste in and run a script to download a virus. The ITRC says it’s called the “STealC” virus, which can track what you do on the device, as well as collect passwords and cookies from Outlook and other accounts.
If you do fall for a CAPTCHA scam, ITRC says immediately take action:
- Disconnect your device from the internet, but turning off the WIFI or unplug the cable,
- Run a virus scan to see if malware has been downloaded,
- Change passwords on all of your accounts,
- And freeze your credit with all three credit bureaus, Equifax, Experian, and TransUnion, so that scammers cannot open lines of credit in your name.
Copyright 2026 KMOV. All rights reserved.
