CAPTCHA Scam

You've seen it countless times — a small box on a website asking you to prove you're not a robot. It feels so routine that most of us click without a second thought. Scammers have taken note of exactly that, creating fake CAPTCHA pages that look just like the real thing while quietly setting you up for harm. What happens next can vary — your phone could be used to rack up charges, or your personal data could be stolen without you ever knowing. 

How it Works

1. You land on a fake page

A convincing "prove you're human" check appears — often after clicking an ad or visiting a mistyped web address. You click the box, but instead of moving on, the page demands one more step.

2. The silent SMS hijack

Tapping the "verify" button silently opens your phone's SMS app with messages already written and international numbers already filled in — and sends them without you realising. With high international SMS fees involved, the costs land on your mobile bill before you even know what happened.

3. The hidden device takeover

The page instructs you to press Win + R, paste a copied command to “fix a verification error". Some even include a tutorial video to make it feel completely normal. Once executed, malware silently installs on your device, stealing your saved passwords, banking details, and cryptocurrency wallet access, all sent directly to the scammer.

4. The fake download or QR trap

Some fake CAPTCHA pages ask users to scan a QR code or download a file as part of the “verification” process. Victims who follow the instructions may unknowingly install malware or expose sensitive personal and financial information directly to scammers.

Things to Keep in Mind

• A real CAPTCHA is simple: A legitimate CAPTCHA only asks you to tick a box or solve a quick visual puzzle — never to download a file, paste a command, press keyboard shortcuts, or send a text message. If it asks for more, close the page immediately.

• Stop and question anything that feels off: Stay alert if a CAPTCHA appears where you wouldn't expect one, if the web address looks strange, or if the steps feel overly complicated. When in doubt, close the page and walk away.
• Act fast if you've already clicked: Close the browser tab, disconnect from the internet, and run a full antivirus scan. Delete any downloaded files without opening them, clear your browser cache and cookies, and remove any extensions you don't recognise. Change your important passwords from a separate, safe device.
• Keep a different password for each important account: Banking, email, and work accounts should each have their own unique password. If one account is ever compromised, the others stay protected.
• Keep your security tools current: Make sure your antivirus software and browser are always up to date. Updated tools are much better at catching and blocking malicious pages before any harm is done.
• Spread the word to people around you: This scam catches people of all ages and all levels of tech experience. Share what you know with family and friends — awareness is one of the strongest defences.

To report this issue, please get in touch with us.  

Rest assured that CelcomDigi is actively taking measures to ensure our customers do not fall prey to such scams.