LEGALAUDIT

Scam Watch

How can you recognize ENISA ClickFix scam — fake CAPTCHA tricks user into running PowerShell?

TLDR

Compromised or fraudulent EU websites display a fake CAPTCHA ('Verify you are human') that instructs users to press Win+R, paste a clipboard string, and press Enter. The clipboard contains a PowerShell command that downloads infostealers...

How it works

Compromised or fraudulent EU websites display a fake CAPTCHA ('Verify you are human') that instructs users to press Win+R, paste a clipboard string, and press Enter. The clipboard contains a PowerShell command that downloads infostealers...

Red flags

  • Urgent pressure to click, pay, or share codes immediately.
  • A link or sender that does not match the official organization.
  • Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What to do

  1. 1Compromised or fraudulent EU websites display a fake CAPTCHA ('Verify you are human') that instructs users to press Win+R, paste a clipboard string, and press Enter.
  2. 2Indicators: 1) CAPTCHA asks to run keyboard shortcut + paste command; 2) any 'verification' that requires PowerShell or Terminal; 3) command starts with 'powershell nop w hidden ...'.
  3. 3WHAT TO DO: never execute commands from a website.

Source

ENISA

Source reviewed by Mythos Forensic Team

https://www.enisa.europa.eu/

FAQ

Is ENISA ClickFix scam — fake CAPTCHA tricks user into running PowerShell a real scam pattern?

Yes. Treat the message, call, or payment request as suspicious until you verify it through an official channel.

What are the first warning signs?

Urgent pressure to click, pay, or share codes immediately.; A link or sender that does not match the official organization.; Requests for card data, passwords, OTPs, wallet signatures, or bank transfers.

What should I do first?

Compromised or fraudulent EU websites display a fake CAPTCHA ('Verify you are human') that instructs users to press Win+R, paste a clipboard string, and press Enter.; Indicators: 1) CAPTCHA asks to run keyboard shortcut + paste command; 2) any 'verification' that requires PowerShell or Terminal; 3) command starts with 'powershell nop w hidden ...'.; WHAT TO DO: never execute commands from a website.

Can LegalAudit check my case?

Yes. Start a free chat and paste the message, link, sender, or payment details for triage.