Blog

You've probably seen CAPTCHA tests hundreds of times online. They're those familiar prompts that ask you to identify traffic lights, crosswalks, or simply check a box that says, "I'm not a robot."

Unfortunately, scammers are now taking advantage of that familiarity.

According to a recent Federal Trade Commission (FTC) alert, cybercriminals are creating fake CAPTCHA screens designed to trick people into installing malware on their own devices. Once installed, that malware can steal passwords, banking credentials, personal information, and other sensitive data.

How the Scam Works

The scam often begins when you click a link in an email, text message, social media post, online ad, or search result. Instead of taking you to the page you expected, you're shown what appears to be a routine CAPTCHA verification screen.

But unlike a legitimate CAPTCHA, the fake version asks you to perform unusual actions, such as:

• Pressing keyboard shortcuts
• Opening a command window on your computer
• Copying and pasting code
• Running commands on your device

These steps are not part of any legitimate CAPTCHA process. Their purpose is to install malicious software that gives scammers access to your device and personal information.

Red Flags to Watch For

A real CAPTCHA may ask you to:

• Select images
• Enter letters or numbers
• Check a verification box

A real CAPTCHA will never ask you to:

• Open the Run command on your computer
• Press Windows + R or other keyboard combinations
• Copy and paste code
• Download software to verify you're human

If a CAPTCHA asks you to do any of these things, close the webpage immediately.

How to Protect Yourself

To help keep your accounts and personal information secure:

Be cautious with links

Avoid clicking links in unexpected emails, text messages, or social media posts. When possible, navigate directly to a company's website instead.

Pause before taking action

If a website asks you to perform unusual steps to continue, stop and evaluate the request before proceeding.

Keep your devices updated

Install security updates and use reputable antivirus software to help detect and block malware.

Use strong, unique passwords

If one account is compromised, unique passwords help prevent scammers from accessing your other accounts.

Enable multi-factor authentication

Adding an extra layer of security can help protect your accounts even if a password is stolen.

What to Do If You Think You Fell for the Scam

If you followed the instructions on a suspicious CAPTCHA screen:

1. Disconnect your device from the internet.
2. Run a full antivirus or anti-malware scan.
3. Change passwords for important accounts using a different, trusted device.
4. Monitor your financial accounts for unauthorized activity.
5. Report the scam to the FTC at ReportFraud.ftc.gov.

First Federal's Security Reminder

Fraudsters continually look for new ways to gain access to personal and financial information. Staying informed is one of the best ways to protect yourself.

If you ever notice suspicious activity on your First Federal accounts or believe your personal information may have been compromised, contact us immediately so we can help protect your accounts.

A healthy dose of caution online can go a long way toward keeping your information—and your money—safe.