Fake USPS CAPTCHA Clipboard Malware Scam
A phishing email mimicking a USPS delivery alert routes victims to a fake verification page that secretly loads malware instructions into their clipboard and prompts them to paste and run the command, handing the attacker full access to the device.
Last reviewed: 8 June 2026
The fake-CAPTCHA malware technique has expanded from generic phishing to brand-specific campaigns, and USPS is among the brands now being exploited. A victim receives an email warning that a package is on hold for identity verification, with a link to a page that presents a CAPTCHA challenge asking them to press certain keyboard shortcuts to confirm they are human.
The keyboard shortcuts open the Windows Run dialog and execute a hidden PowerShell command already placed in the clipboard by the page's JavaScript. The command downloads malware that steals saved passwords, financial credentials, and two-factor codes — all without the victim knowingly installing anything.
USPS identity verification for held packages is handled entirely within the USPS website or at a post-office counter. No legitimate USPS page will ever ask a visitor to open a command-line interface or press a keyboard combination to complete a security check.
How this scam works on the USPS brand
The phishing email contains USPS branding, a plausible tracking number, and a "Verify Identity" button. The linked page shows a loading animation followed by a CAPTCHA box stating: "Security check required — press Windows+R, then Ctrl+V, then Enter to verify your browser." The clipboard already contains a PowerShell download command.
Executing the command connects to a remote server and retrieves an infostealer payload. Within minutes the malware scans the device for saved browser passwords, cryptocurrency wallet files, and session cookies for banking applications. These are exfiltrated to the attacker's server.
On macOS the same technique uses the Terminal application and Spotlight, adapting the keyboard instructions accordingly. The core deception — a CAPTCHA that requires running a system command — is identical regardless of operating system.
Common red flags
- USPS identity-verification page asks you to press keyboard shortcuts to prove you are human
- Any CAPTCHA that requires opening Run, Terminal, or a command-line tool is not a real CAPTCHA
- Email link leads to a URL that is not usps.com
- The page asks you to paste clipboard contents into any system dialog
- USPS tracking number in the email cannot be found at usps.com
- Urgency framing threatens return-to-sender if verification is not completed immediately
- Inspecting the page source or the clipboard content reveals the word powershell
How to protect yourself
- Never follow keyboard shortcut instructions from a website claiming to be a security check — real CAPTCHA systems require only a click or image selection
- Close the browser tab immediately if prompted to open Run or Terminal
- Verify any USPS parcel status at usps.com by entering the tracking number directly
- If you executed a command, disconnect from the internet immediately and run a full antivirus scan
- Change passwords for all financial and email accounts that may have been accessed while the malware was active
- Report the email to the USPS Postal Inspection Service
How to report it
- Report to the USPS Postal Inspection Service at postalinspectors.uspis.gov
- Forward the phishing email to [email protected]
- Report to the FTC at reportfraud.ftc.gov
- Report to CISA at cisa.gov/report if malware was executed
- File at ic3.gov if financial loss occurred
Frequently asked questions
How do I know if my device was infected after following the CAPTCHA instructions?
Run a full scan with a reputable security tool such as Malwarebytes or Windows Defender immediately. Look for recently created files in your Downloads or AppData folders. If you are unsure, consider a factory reset after backing up documents — not application data or browser profiles.
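One further check on Windows, added here as an example and not part of the original page: the Run dialog keeps a per-user history in the RunMRU registry key, so a command pasted into it is normally still listed there. The function name and the three matching rules below are assumptions chosen for illustration, not signatures of this campaign.

```powershell
# Added example: list the current user's Run-dialog history and flag
# entries that look like a pasted PowerShell download command.
$RunMruKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

# Hypothetical helper: returns the reasons an entry looks suspicious.
# Heuristics only (assumed for this example); -match is case-insensitive.
function Get-RunEntryFlags {
    param([string]$Command)
    $flags = @()
    if ($Command -match '\b(powershell|pwsh)(\.exe)?\b') { $flags += 'invokes PowerShell' }
    if ($Command -match 'https?://')                    { $flags += 'contains a URL' }
    if ($Command -match '\s-w[a-z]*\s+hidden\b')         { $flags += 'hides its window' }
    return ,$flags   # unary comma keeps an empty result as an array
}

if (-not (Test-Path $RunMruKey)) {
    Write-Output 'No RunMRU key: no Run-dialog history is stored for this user.'
}
else {
    # Entries are stored under single-letter value names (a, b, c, ...).
    # This filter skips MRUList and the PS* metadata properties.
    $entries = (Get-ItemProperty -Path $RunMruKey).PSObject.Properties |
        Where-Object { $_.Name -match '^[a-z]$' }

    $report = foreach ($entry in $entries) {
        # Each stored command ends with a literal "\1"; strip it for display.
        $command = [string]$entry.Value -replace '\\1$', ''
        $flags   = Get-RunEntryFlags -Command $command
        [pscustomobject]@{
            Slot       = $entry.Name
            Suspicious = ($flags.Count -gt 0)
            Reasons    = $flags -join '; '
            Command    = $command
        }
    }

    # Flagged entries first; Format-List avoids truncating long commands.
    $report | Sort-Object Suspicious -Descending | Format-List
}
```

A flagged entry confirms that a command was run from the Run dialog, but an empty or clean list does not rule out infection, because the history can be cleared. Treat it as one signal alongside the full scan.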
Does USPS ever require keyboard shortcuts for identity verification?
No. USPS identity verification for parcels held at a facility is done at a post-office counter with government-issued ID, or through a verified login at usps.com. No USPS web page will ever ask a user to open a system dialog as part of a security step.
Why is this type of attack called a CAPTCHA malware scam?
Because it disguises the malware delivery step as a routine CAPTCHA — the familiar robot-verification boxes most internet users encounter regularly. Dressing the command-execution prompt as a CAPTCHA lowers suspicion and exploits conditioned behaviour.