Fake FedEx CAPTCHA Malware Delivery Scam
A phishing email styled as a FedEx shipment notification redirects victims to a CAPTCHA page that secretly pastes a PowerShell command into the clipboard and instructs the user to run it, installing malware under the guise of verifying a delivery.
Part of: Fake CAPTCHA Malware Scams
Last reviewed: 8 June 2026
A wave of malware delivery attacks exploits the near-universal familiarity with CAPTCHA checks. Victims receive an email claiming their FedEx package requires delivery confirmation or customs verification. The link leads to a page styled like FedEx's website, where a CAPTCHA box appears with instructions to press Windows key and R, then Ctrl and V, and click OK to verify you are human.
Unknown to the victim, the CAPTCHA page has already used JavaScript to copy a malicious PowerShell command into their clipboard. Following the instructions opens the Windows Run dialog, pastes the command, and executes it — downloading and installing malware with no further user interaction. The attacker gains persistent access to the device.
FedEx does not gate delivery confirmations behind CAPTCHA checks that require users to type commands in Windows. Legitimate FedEx shipment notifications link directly to fedex.com tracking pages accessible without any command-line interaction.
How this scam works on the FedEx brand
The initial phishing email uses FedEx's purple-and-orange colour scheme and includes a realistic shipment number. A Confirm Delivery button leads to a page that displays a rotating CAPTCHA spinner before presenting a box with the instruction: Please complete human verification — press Win+R, then Ctrl+V, then Enter.
The page has already placed a PowerShell command in the clipboard via JavaScript. Executing it contacts a remote server to download a second-stage payload — often an infostealer that harvests saved browser passwords, cryptocurrency wallets, and banking credentials, or a remote-access trojan that gives the attacker ongoing control.
This technique is effective because it bypasses antivirus tools that scan email attachments: no malicious file is attached to the email. The entire chain depends on the user following what appears to be a routine browser verification step.
Common red flags
- Any webpage asking you to press Win+R and paste from clipboard as part of human verification
- FedEx tracking page that requires a command-line step rather than just displaying tracking information
- Email link leads to a domain other than fedex.com
- The CAPTCHA step instructs you to open any system tool such as Run, Terminal, or PowerShell
- Urgent delivery claim with a tight deadline to prompt quick action
- The shipment number in the email cannot be found in fedex.com tracking
- Page source or clipboard content, when inspected, includes powershell or cmd text
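The page-source red flags above can be checked mechanically, for example in a mail gateway or browser-extension filter. The following is an added example, not part of the original article: a heuristic scanner in which the rule ids, verdict names and both sample pages are constructed for illustration.

```javascript
// Added example: heuristic scan of page source for the red flags listed above.
// Rule ids, verdict names and the sample pages are constructed for illustration.
const RULES = [
  { id: "clipboard-write",        // script places text on the clipboard
    re: /navigator\.clipboard\.write(Text)?\s*\(|execCommand\s*\(\s*['"]copy['"]/i },
  { id: "run-dialog-instruction", // "Win+R" or "Windows key and R"
    re: /\bwin(dows)?(\s+key)?\s*(\+|and)\s*r\b/i },
  { id: "paste-instruction",      // "Ctrl+V" or "Ctrl and V"
    re: /\bctrl\s*(\+|and)\s*v\b/i },
  { id: "command-interpreter",    // interpreter names in source or clipboard text
    re: /\b(powershell|pwsh|mshta|cmd(\.exe)?\s+\/c)\b/i },
];

// Undo simple markup tricks so "<kbd>Win</kbd>&#43;<kbd>R</kbd>" reads "Win+R".
function normalize(html) {
  return html
    .replace(/&#(\d+);/g, (_, n) => String.fromCharCode(Number(n)))
    .replace(/&plus;/gi, "+")
    .replace(/&nbsp;/gi, " ")
    .replace(/<\/?(kbd|b|i|em|strong|span)\b[^>]*>/gi, "");
}

function scanPage(html) {
  const text = normalize(html);
  const hits = RULES.filter(r => r.re.test(text)).map(r => r.id);
  const has = id => hits.includes(id);
  let verdict = "clean";
  // Being told to open Run and paste is decisive on its own: no real CAPTCHA does it.
  if (has("run-dialog-instruction") && has("paste-instruction")) verdict = "block";
  // A clipboard write carrying interpreter text, without visible instructions
  // (they may be in an image), is worth a manual look.
  else if (has("clipboard-write") && has("command-interpreter")) verdict = "review";
  return { verdict, hits };
}

// Constructed sample: a lure page; the clipboard string is an inert placeholder.
const FAKE_CAPTCHA = `
<div id="verify">Please complete human verification:
 press <kbd>Win</kbd>&#43;<kbd>R</kbd>, then <kbd>Ctrl</kbd>+<kbd>V</kbd>, then Enter.</div>
<script>
 document.getElementById("verify").addEventListener("click", () =>
   navigator.clipboard.writeText("powershell PLACEHOLDER-NOT-A-COMMAND"));
</script>`;
// Constructed sample: a harmless copy-to-clipboard button.
const COPY_BUTTON =
  `<button onclick="navigator.clipboard.writeText('TRACKING-PLACEHOLDER')">Copy</button>`;

console.log(scanPage(FAKE_CAPTCHA).verdict, scanPage(COPY_BUTTON).verdict);
```

A clipboard write alone is treated as clean because ordinary copy buttons use the same API; the instruction to open Run and paste is what separates the lure from a normal page.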
How to protect yourself
- Never follow keyboard shortcut instructions on a website to prove you are human — legitimate CAPTCHAs do not work this way
- Close the page immediately if any site asks you to open Run, Terminal, or PowerShell
- If you followed the instructions but did not press Enter, check what was placed on your clipboard by opening Notepad and pasting
- Track FedEx shipments only by going to fedex.com directly
- If you executed any command, disconnect from the internet and run a full security scan immediately
- Change passwords for banking, email, and any service stored in your browser after a suspected execution
- Report the email to FedEx before deleting it
How to report it
- Forward the phishing email to [email protected]
- Report to the FTC at reportfraud.ftc.gov
- In the UK, report to Action Fraud at actionfraud.police.uk
- Report to CISA (US) at cisa.gov/report if a command was executed and a breach is suspected
- File a report at ic3.gov (FBI) if financial loss occurred
Frequently asked questions
How does a webpage copy text to my clipboard without my permission?
Browsers allow websites to write to the clipboard using the Clipboard API, often triggered by a mouse click or page-load event. Malicious pages time this to coincide with a user action, making it appear routine.
I pressed Win+R and Ctrl+V but did not press Enter. Am I infected?
If you closed the Run dialog without pressing Enter, you likely did not execute the command. Clear your clipboard, close the page, and run a security scan as a precaution.
Does FedEx ever use CAPTCHA to confirm deliveries?
FedEx tracking pages display package status without requiring CAPTCHA or any keyboard shortcut steps. Delivery confirmation is handled through your FedEx account or a direct link to fedex.com, never through a clipboard-paste instruction.