← Blog

The fake CAPTCHA that talks you into infecting your own computer

Tenant Strike3 min read

A fake 'prove you're human' check tells you to paste a command — and you install the malware yourself. How ClickFix works, and the one rule that stops it.

It starts with something small: a video that won't play, or one of those "prove you're human" checkboxes you've clicked a thousand times. Then the instructions appear. Step 1: press Windows + R. Step 2: press Ctrl + V. Step 3: press Enter.

Do those three steps and you haven't proven you're human — you've installed malware on your own computer, by hand, in about four seconds.

The scam with a helpful face

Security researchers call this technique ClickFix, and it has quietly become one of the most common ways malware gets onto business computers. Huntress's 2026 Cyber Threat Report links ClickFix and fake-CAPTCHA scams to more than half of all "malware loader" activity it tracked in 2025 — loaders being the small programs whose only job is to pull in worse things: password stealers, remote-access tools, ransomware.

The trick works like this. A website — sometimes a malicious one reached through an ad or a search result, sometimes a legitimate one that's been hacked — shows you a plausible obstacle. A broken video. A document that won't load. A verification check that won't quite verify you. The page has already, silently, copied a command onto your clipboard. The "fix" it walks you through is just getting you to paste that command somewhere Windows will run it: the Run box (that's what Windows + R opens), PowerShell, or a terminal. Macs get their own version aimed at the Terminal app.

Why your antivirus doesn't save you

Nothing about this looks like an attack to your defenses. No attachment came in by email, so the mail filter had nothing to scan. No file was downloaded, so nothing tripped the antivirus on the way in. The command runs with your permissions, as you — because you ran it. Security tools are built to catch hostile things arriving from outside, not the user pasting something in.

That's why the fix is finally coming from browsers. On July 2, Opera became the first major browser to ship a built-in defense — a feature called Paste Protect that blocks suspicious commands at the clipboard and warns you. Apple recently added a similar warning to the macOS Terminal. Good news — but most offices run Chrome or Edge, which don't have an equivalent built in yet. For now, the defense is knowing the tell.

The one rule

No legitimate website will ever ask you to copy a command and paste it into your computer. Not to prove you're human, not to fix a video, not to open a document. A real CAPTCHA asks you to click a checkbox or pick out the traffic lights — it never involves the Run box, PowerShell, or Terminal. The moment a webpage's instructions leave the browser, it's an attack. Close the tab.

That rule is the entire defense, and it takes one minute to teach.

This week

  1. Tell the team the rule — at standup, in the group chat, wherever. One minute: "If a website tells you to press Windows+R or paste a command, it's a scam. Close it and tell someone."
  2. Ask whoever manages your computers whether staff need the Run box at all. For most non-technical roles it can be switched off centrally — ask your IT provider about "disabling the Run dialog by policy." It's a ten-minute change.
  3. If someone already pasted the command: disconnect that computer from the network, and change that person's passwords from a different device — starting with email. What these commands install is usually a password stealer, so treat every login saved on that machine as stolen.

That last point is worth sitting with, because the payload is rarely about one computer — it's about the passwords on it, and for most small businesses the most valuable one is the Microsoft 365 login that opens email, files, and everything else. How much damage one stolen password can do depends on settings you can check: Tenant Strike runs a read-only scan that grades your Microsoft 365 setup A–F, including whether a stolen password alone is enough to get in. Nothing to install, about five minutes to a report.

AI-researched from public sources, human-reviewed on July 10, 2026. We label AI-assisted writing — see our trust page.

See your own risk

Want this for your own Microsoft cloud?

Tenant Strike runs 100+ read-only checks across Microsoft 365 and Azure and hands you a plain-English fix for every gap. Start a 7-day Pro trial — no credit card.