Fake “Verification” or CAPTCHA Scams


Overview

A scam known as ClearFake has been targeting university users through malicious websites that display fake “security checks” or CAPTCHA-style verification prompts.

These prompts are designed to trick users into running commands on their own computers. If a user runs the command, the attacker can quickly steal passwords, browser data, and account credentials.

How This Scam Works

In a ClearFake scam, a user visits a website and sees what appears to be a normal verification step, such as:

  • “Verify you’re human”

  • “Additional verification required”

  • “Security check in progress”

Instead of asking you to click a checkbox or select images, the page instructs you to:

  • Press Windows + R and paste a command

  • Open a command line or terminal to paste and run text provided by the website

This step is always malicious.

No legitimate website will ever ask you to run commands on your computer to complete a verification or CAPTCHA. These fake verification screens often look professional and include familiar branding or security language, as shown in the example below.

Example of a fake “verification” screen used in ClearFake scams
This screen may look legitimate, but any website that asks you to open system tools or paste commands is attempting to compromise your device.

[Screenshot: a fake website verification screen instructing users to press Windows+R and paste a command]

Why This Is Dangerous

If a user follows these instructions:

  • Malicious software can run immediately

  • Saved browser passwords and session data can be stolen

  • UM and personal accounts can be compromised within seconds

The attack does not require installing software or clicking “Allow” — simply pasting and running the command is enough.

Common Warning Signs

  • A CAPTCHA or verification screen that asks you to copy and paste text

  • Instructions to open Run, Command Prompt, or PowerShell

  • Messages claiming this step is required to “continue” or “verify”

  • Pages that look legitimate but behave unusually

How to Protect Yourself

  • Be suspicious of any site that asks you to open system tools

  • Remember: verification steps should never involve running commands

What You Should Do at UM

  • If this occurs on a UM device or involves UM accounts, contact the UM IT Helpdesk and the UM Information Security Office as soon as possible

  • Prompt reporting helps reduce the risk of further compromise
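
For helpdesk or security staff reviewing a reported device, the following added example (not part of the original article) shows one way to flag Run-dialog history entries that match the warning signs above. It assumes the entries were exported from the per-user RunMRU registry key, where Windows stores Run-dialog history; the function names, thresholds and sample values are constructed for illustration.

```python
import re

# Windows records Win+R Run-dialog text per user under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU.
# Heuristics below are assumptions for this example, not a complete rule set.
SHELLS = {"cmd", "cmd.exe", "powershell", "powershell.exe", "pwsh", "pwsh.exe"}
URL_RE = re.compile(r"https?://", re.IGNORECASE)
MAX_NORMAL_LENGTH = 80  # typed Run entries are normally short


def ordered_entries(values):
    """Return Run-dialog entries newest first, using the MRUList ordering."""
    entries = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            # Each stored entry carries a trailing "\1" marker; strip it.
            entries.append(data[:-2] if data.endswith("\\1") else data)
    return entries


def reasons(entry):
    """List why an entry deserves a responder's attention (empty if none)."""
    found = []
    tokens = entry.strip().split()
    first = tokens[0].strip('"').lower().rsplit("\\", 1)[-1] if tokens else ""
    if first in SHELLS and len(tokens) > 1:
        found.append("command interpreter launched with arguments")
    if URL_RE.search(entry):
        found.append("contains a URL")
    if len(entry) > MAX_NORMAL_LENGTH:
        found.append("unusually long for a typed Run entry")
    return found


def triage(values):
    """Map each suspicious entry to its reasons, newest first."""
    return {e: r for e in ordered_entries(values) if (r := reasons(e))}


# Constructed sample shaped like a RunMRU key; the command text and host
# are placeholders, not a real command.
SAMPLE = {
    "MRUList": "cba",
    "a": "notepad\\1",
    "b": "\\\\fileserver\\share\\1",
    "c": "powershell -Command <text pasted from https://verify.example.invalid>\\1",
}
```

Calling triage(SAMPLE) returns only the newest entry, with both reasons attached. A flagged entry is a lead for follow-up, not proof of compromise.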

Additional Questions

  • For UM-related devices or accounts, contact the UM IT Helpdesk and the UM Information Security Office.

  • For personal devices or accounts, contact your device manufacturer or service provider for next steps.

Details

Article ID: 170495
Created: Mon 2/9/26 4:20 PM
Modified: Mon 2/9/26 5:17 PM