The risk of fake CAPTCHAs
We've all seen CAPTCHA prompts before, the ones asking you to click on images with traffic lights or type some squiggly letters to prove you're human. But a sneaky scam is making the rounds again: fake CAPTCHA pages that trick you into running malicious code on your device. It's part of a social engineering tactic known as ClickFix.

How does it work?
You might visit a website (often from a phishing email or pop-up) and see what looks like a normal CAPTCHA, but after clicking the checkbox, it requests a few extra steps, for example:
- Pressing Windows + R.
- Pasting in some text using Ctrl + V.
- Pressing Enter.
The trick is that these steps don't prove you're human. Instead, they run malicious code that can infect your device, steal passwords, and give attackers access to your data. This tactic is surprisingly effective, as it mimics real requests you're used to seeing.
What you can do:
- Never run or paste commands from unfamiliar sources.
- If you see a suspicious alert, close the window or browser tab immediately.
- Be cautious of CAPTCHA prompts on unfamiliar or unexpected websites.
- If something seems suspicious, don't continue and report it to the IT Service Desk immediately.
ClickFix relies on tricking users into taking action. By staying cautious and reporting anything unusual, you help protect both yourself and the wider University community.