Fake "security check" tells you to press keyboard shortcuts that secretly install malware
A fake Cloudflare or government-security CAPTCHA instructs you to press Windows+R, Ctrl+V, then Enter — secretly running malicious code already placed on your clipboard, stealing bank passwords and UPI credentials.
Also known as: ClickFix scam, fake CAPTCHA malware, keyboard shortcut virus, fake Cloudflare verification, PowerShell clipboard attack
Already happened to you? Do this in the next few minutes
- 1 Call 1930 — the national cyber-crime helpline — right now. The sooner you report, the better the chance of freezing the money before it moves.
- 2 Call your bank to freeze the account and block the card immediately. Use the number printed on your card, never a number from the message or caller.
- 3 File a report at cybercrime.gov.in and keep every message, screenshot, and transaction ID.
- ! If you installed any "support", "server", "refund", or remote-access app at their request (AnyDesk, TeamViewer, Quick Support, etc.): disconnect the internet now, then run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
What to do right now
- 1 If you have not yet pressed the keys: close the browser tab immediately — do not complete the instructions
- 2 If you already pressed Enter: disconnect from the internet immediately, then run a full antivirus scan before reconnecting
- 3 Change your passwords for bank accounts, UPI apps, email, and any saved logins — do this from a different, clean device
- 4 Contact your bank to freeze the account if you notice any unauthorised transactions
- 5 If you installed any 'support', 'server', 'refund', or remote-access app at the scammer's request (AnyDesk, TeamViewer, Quick Support, etc.), run free SeraphSecure (https://www.seraphsecure.com) to detect and remove it.
- 6 Report at https://cybercrime.gov.in or call 1930 (national cyber helpline).
Was remote-access software installed?
If a scammer asked you to install AnyDesk, TeamViewer, Quick Support, or any remote-access app, your device may still be compromised.
Run SeraphSecure to detect and remove it →
Red flags
- ⚠ A security verification or CAPTCHA page asks you to press keyboard shortcuts like Windows+R, Ctrl+V, and Enter — legitimate CAPTCHAs never instruct you to run commands
- ⚠ The page may show a Cloudflare logo, a government seal, or an official-looking 'verification pending' animation
- ⚠ A brief black command window flashes and closes after you follow the steps — that is the malware running silently
- ⚠ Some lures impersonate the India Ministry of Defence or other government websites to appear credible
- ⚠ You did not consciously download any file, yet something ran in the background
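For readers comfortable with Python, here is one way to check whether the Windows+R box was used to launch something suspicious. This is an added example, not part of the original advisory: it reads the Run-dialog history that Windows keeps for the current user and flags entries matching two or more checks. The checks, the threshold, and the sample entries are assumptions made for illustration.

```python
import re
import sys
# Windows keeps the current user's Run-dialog (Windows+R) history here.
RUNMRU = r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Assumed heuristics, not exhaustive: traits a typed Run entry rarely has.
CHECKS = [
    ("script interpreter", re.compile(r"\b(powershell|pwsh|cmd|mshta|wscript|cscript)(\.exe)?\b", re.I)),
    ("remote URL", re.compile(r"https?://", re.I)),
    ("hidden window or encoded command", re.compile(r"\s-(w|win|windowstyle)\s+h(id(den)?)?\b|\s-(e|ec|enc|encodedcommand)\s", re.I)),
]
SAMPLE = [  # constructed entries, not taken from a real incident
    "notepad",
    "cmd",
    r"\\fileserver\share",
    "powershell -w hidden -enc QQBCAEMA",  # harmless placeholder payload
    "mshta https://example.invalid/verify",
]

def read_run_history():
    """Return Run-dialog history for the current user ([] when not on Windows)."""
    if sys.platform != "win32":
        return []
    import winreg
    entries = []
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUNMRU) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):
                name, value, _ = winreg.EnumValue(key, i)
                if name != "MRUList" and isinstance(value, str):
                    # Stored values carry a trailing "\1" marker; drop it.
                    entries.append(value[:-2] if value.endswith("\\1") else value)
    except FileNotFoundError:
        pass  # key is absent when the Run box has never been used
    return entries

def triage(entries, threshold=2):
    """Return (command, reasons) for entries matching >= threshold checks."""
    flagged = []
    for cmd in entries:
        reasons = [label for label, rx in CHECKS if rx.search(cmd)]
        if len(reasons) >= threshold:
            flagged.append((cmd, reasons))
    return flagged

if __name__ == "__main__":
    history = read_run_history() if sys.platform == "win32" else SAMPLE
    for cmd, reasons in triage(history):
        print("SUSPICIOUS:", cmd, "->", ", ".join(reasons))
```

An empty result does not prove the device is clean, because this history can be cleared after the command runs. Keep the device offline and complete the antivirus scan and password changes listed above either way.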
Sources
- Google Trust & Safety — June 2026 fraud advisory: ClickFix / fake CAPTCHA threat targets India and South Asia
- Malwarebytes — 700+ education and tech websites hijacked in ClickFix malware campaign (May 2026)
- The Hacker News — ClickFix Attacks Expand Using Fake CAPTCHAs, Microsoft Scripts, and Trusted Web Services (Jan 2026)
- SeraphSecure — Meet ClickFix: The CAPTCHA Scam That Tricks You Into Installing Malware (Mar 2026)