Is a 'verify you are human' page that asks me to paste a command safe?
No. Any CAPTCHA or 'human verification' step that asks you to paste something into a Run dialog or terminal is a malware delivery technique, not a real CAPTCHA.
Last reviewed: 1 June 2026
Explanation
A scam technique known as 'ClickFix' or 'paste-to-run' shows a fake CAPTCHA page telling you to press Windows + R (or open Terminal) and paste a command to 'prove you are human'. Real CAPTCHAs — such as clicking images or typing distorted text — take place entirely within the browser and never ask you to run anything on your computer.
The command being pasted is malicious code. Once run, it can download malware, steal saved passwords, install a keylogger, or give an attacker remote access to your machine. These fake pages are often placed inside malicious ads, phishing emails, or compromised websites. The instruction to paste into a command prompt is the clearest possible signal that something harmful is happening — stop immediately.
If you have already pasted and run the command, treat your device as compromised: disconnect from the internet, change passwords from a clean device, and run a full malware scan.
Common red flags
- CAPTCHA step asks you to open a Run dialog, PowerShell, or Terminal
- You are told to press Windows + R and paste something
- The command is long and not human-readable
- Page insists this is a 'one-time security check'
- Urgency — page says access will be blocked unless you complete the step
- The instruction appears on a site you don't normally visit
What to do now
- Close the tab immediately — do not paste or run anything
- If you already ran the command, disconnect from the internet at once
- From a clean device, change your most important passwords
- Run a full malware scan on the affected device
- Report the URL to your browser's phishing-report tool
Frequently asked questions
Can a real website ever ask me to run a command?
Legitimate websites — including Google's reCAPTCHA and hCaptcha — never ask you to run commands outside the browser. Developer documentation may show commands you choose to run, but a prompt that pastes one automatically into your clipboard is malicious.
My antivirus didn't alert me. Does that mean it was safe?
Antivirus tools can miss novel or obfuscated scripts. The absence of an alert does not confirm safety — treat the device as potentially compromised and scan thoroughly.
Is this the same as a normal phishing email?
It shares the same goal — compromising your device or accounts — but uses a social-engineering step that bypasses browser security by tricking you into running the code yourself.