Hackers are turning 'I am not a robot' captchas into a trap that can hand over your passwords to scammers

Real CAPTCHAs will not ask you to repair them by entering keyboard commands.

Clicking an "I am not a robot" box has become such a routine part of life online that most of us barely think twice about it. But a growing CAPTCHA scam is now using fake tests to trick people into giving up passwords and financial information.

What's happening?

According to Moneywise, news outlets around the country are warning about a scam known as "ClickFix." It's a fake CAPTCHA scheme that can lead users to install malware on their own devices.

Security Boulevard reported that the scam looks like a routine security check. A website displays a "verify you are human" prompt or a similar test. Then, a message says the process failed and tells the user they need to take extra steps to "fix" it.

Victims may be told to click a "Fix It" or "How to Fix" button, which copies malicious code to their clipboard. The scam then instructs them to paste and run that code through the Windows Run box or Mac Terminal.

On Windows, that can mean pressing Win + R, then Ctrl + V, then Enter. On a Mac, scammers may tell users to open Spotlight, launch Terminal, paste the code, and press Return.

And because the victim is technically the one running the commands, as WGAL reported, antivirus tools may not always flag the activity as an intrusion.

Why is this CAPTCHA scam concerning?

The scam preys on muscle memory. People are used to clicking through CAPTCHAs quickly, and hackers are turning that routine behavior into a way into personal devices.

Once someone installs malware on a device, the fallout can be serious.

Criminals may be able to access website passwords, financial information, and cryptocurrency wallets. In some cases, they may sell stolen information to others.

What can I do?

Real CAPTCHAs will not ask you to repair them by entering keyboard commands. If a site tells you to click "Fix It" and paste code into your computer, leave immediately.

If you think you already clicked the button or followed the steps, the Identity Theft Resource Center advises going offline immediately. Shut off your Wi-Fi, or disconnect your internet cable.

Then, use a separate, trusted device to update the passwords on your most important accounts.

If you already have trusted antivirus software installed, scan the affected device while it remains offline. If you don't, take the computer to a professional for help. It's also smart to watch your statements and card activity for anything you don't recognize.

Trusted antivirus protection and multi-factor authentication can help limit the damage if criminals do get hold of a password.
