The “Prove You’re Human” Scam That’s Anything But
By Greg Collier
By now, just about everyone has encountered one.
You visit a website, and before you can continue, you’re asked to click a box that says, “I’m not a robot,” identify traffic lights in a series of pictures, or solve a simple puzzle.
These tests, known as CAPTCHAs, serve an important purpose.
They’re designed to tell the difference between a real person and an automated computer program, or “bot.” Websites use them to stop hackers from flooding login pages with stolen passwords, creating thousands of fake accounts, or overwhelming websites with automated traffic.
In other words, they’re meant to protect both you and the website you’re visiting.
Unfortunately, scammers know people have become so accustomed to these verification checks that they’re now using them as bait.
Meet the ClickFix Scam
Cybersecurity experts are warning about the return of a scam known as ClickFix.
Unlike a legitimate CAPTCHA, ClickFix doesn’t simply ask you to click a checkbox or identify pictures.
Instead, it claims you need to complete an additional verification step by copying and pasting computer commands into your own device.
That should immediately set off alarm bells.
No legitimate website needs you to open your computer’s command prompt, Run dialog, Terminal, or any other system tool just to prove you’re a human.
If a website asks you to do that, you’re not completing a security check.
You’re helping install malware.
How the Scam Works
The scam starts with what appears to be a familiar security prompt.
It might claim there’s been suspicious activity or that an additional verification step is required.
Then the instructions become unusual.
Victims are told to:
- Press Windows + R or open the Run dialog.
- Open Terminal on a Mac.
- Copy and paste a block of code.
- Press Enter.
Many people assume they’re simply completing a newer version of a CAPTCHA.
They’re not.
They’re executing malicious code on their own computer.
Why This Is So Dangerous
Normally, your computer’s security software tries to stop malicious downloads and suspicious programs.
ClickFix sidesteps many of those protections because you’re voluntarily telling your computer to run the code.
Once executed, the malware can:
- Steal saved passwords.
- Capture usernames and login credentials.
- Access email accounts.
- Install remote access software.
- Allow scammers to return to your computer whenever they want.
- Collect banking information and other sensitive data.
The victim unknowingly opens the front door for the attacker.
Why This Scam Works
ClickFix succeeds because it takes advantage of something we’re all familiar with.
People have spent years clicking CAPTCHAs without giving them much thought.
Scammers are betting that when users see another “prove you’re human” message, they’ll simply follow the instructions without questioning them.
It’s a clever twist on a trusted security feature.
The criminals aren’t hacking your computer.
They’re convincing you to do it for them.
Red Flags
Be suspicious if any “human verification” asks you to:
- Open the Windows Run dialog.
- Open Command Prompt or PowerShell.
- Launch Terminal on a Mac.
- Copy and paste computer code.
- Download software before continuing.
- Disable your antivirus.
- Install browser extensions you weren’t expecting.
Real CAPTCHAs don’t ask you to do any of those things.
They usually involve clicking a checkbox, selecting images, solving a simple puzzle, or completing a brief challenge that happens entirely within your browser.
How to Protect Yourself
If you encounter a suspicious verification page:
- Close the webpage immediately.
- Never copy and paste code you don’t fully understand.
- Never run commands provided by a website.
- Keep your browser and security software updated.
- Use strong, unique passwords and enable multi-factor authentication whenever possible.
- If something feels unusual, trust your instincts.
Remember, legitimate websites are trying to verify you.
They’re not asking you to reprogram your computer.
If You Already Ran the Code
If you think you’ve fallen for a ClickFix scam:
- Disconnect your computer from the internet.
- Run a full antivirus and anti-malware scan.
- Change passwords for important accounts using a different, clean device.
- Enable multi-factor authentication if it isn’t already turned on.
- Contact your bank if financial information may have been exposed.
- Monitor your accounts for suspicious activity.
The sooner you respond, the better your chances of limiting the damage.
Final Thoughts
Scammers are constantly looking for ways to turn familiar online experiences into opportunities for fraud.
The ClickFix scam is effective because it imitates something people see every day. It takes a trusted security feature and twists it into a way of getting victims to infect their own computers.
Fortunately, there’s one simple rule that can keep you safe.
If a website claiming to verify you’re human asks you to open system tools and run code, you’re not proving you’re a person.
You’re proving you’re the scammer’s next target.











Leave a Reply