You're reading an article online and a box pops up. It looks like the usual "I'm not a robot" check you've clicked a thousand times. The page says it just needs a quick verification. The box tells you to press three keys: Windows + R, then Ctrl + V, then Enter. You shrug and follow along.

Three keystrokes later, you've just installed malware on your own computer.

The Federal Trade Commission put out a fresh alert yesterday about a new wave of fake CAPTCHA pop-ups doing exactly that. They look identical to the real ones from Google or Cloudflare. The trick is that the page silently copies a hidden command into your clipboard, then walks you through pasting and running it via the Windows Run dialog. Researchers call the technique ClickFix. The same trick has already been used to deliver Lumma Stealer, DarkGate, and other credential-harvesting malware.

Once the command runs, the malware can read your saved browser passwords, your banking session cookies, your email login, and anything else stored in your browser. By the time you notice something is off, your accounts are already being drained.

Here's the giveaway. A real CAPTCHA never asks you to press keys on your keyboard. It shows you a checkbox to click, or a grid of pictures to identify, or letters to type into the CAPTCHA's own text box. It never asks you to open the Run dialog. It never asks you to paste anything. Anything that does is a scam.

The rule: If a "verification" asks you to press Windows + R, Ctrl + V, or paste a command, close the tab. If you already did it, disconnect from Wi-Fi, run a security scan, then change every important password from a different device and turn on two-factor authentication.

Source: FTC: How to spot a CAPTCHA scam (June 8, 2026)

Your phone buzzes. It's a text that looks like it's from Amazon. It says the toaster oven you bought last month has been recalled for a fire safety issue and you're eligible for a full refund. You don't even have to send it back. Just tap the link, log in, and the money lands in your account.

Don't tap.

The AARP Fraud Watch Helpline has reported a spike in these "recall scams" over the last several weeks. The texts (and matching emails) impersonate Amazon, Costco, Walmart, Target, and other retailers people actually shop at. They borrow the urgency of a real recall, which feels official enough to push past your usual scam radar.

There are three signals inside every one of them.

First, the message arrives unsolicited and mentions a "recent purchase" without naming the actual product, order number, or date. Real retailers reach out about recalls by email from a known address with your full order details, not by an anonymous SMS link.

Second, the message includes a sign-in link. The link goes to a lookalike page that captures your username, password, and saved payment method. Real recall notices direct you to log in through the retailer's app or by typing the website yourself.

Third, the message offers a refund without a return. Genuine recalls usually require you to either return the product or provide proof of disposal. "Keep the item, here's your money" is a tell that the message is a phishing lure designed to harvest your account.

The rule: A recall, a refund, and a sign-in link in the same unsolicited text is a scam. Verify recalls at cpsc.gov/Recalls or by opening the retailer's app yourself. Never sign in through a link you didn't ask for.

Sources: AARP Fraud Watch Helpline: Product Recall Scams Are on the Rise and CPSC Recalls

If you run a home daycare, babysit, or post on a local sitter board, you've probably been targeted by this one already.

A message arrives from someone who needs urgent childcare. They sound friendly. They have a sad story: a sudden work trip, a hospital visit, a relocation across the country. They want to book you for a few weeks and they want to mail you a check upfront to lock in the dates. The check arrives. It's for a thousand dollars more than you agreed on, and that part is "an honest mistake" or "extra for supplies" or "to cover the cleaner." They ask you to deposit the check and wire the difference to the cleaner, or send it back via Zelle or Cash App.

The check is fake. It takes a few days to bounce. By the time your bank catches it, the wire is gone, and your bank pulls the entire deposited amount back out of your account. You owe the money you sent and the fees.

The FTC issued a fresh alert about this last week. They're calling it out specifically because childcare workers are getting hit hard during the summer hiring rush. The same trick has been used against tutors, dog sitters, music teachers, and basically anyone offering a service that involves taking on a new client by message.

The rule: Never accept a check for more than the agreed amount and wire the difference back. No legitimate customer ever overpays you on purpose. If a client insists on mailing a check, wait at least 10 business days after deposit (not "available balance") before treating any portion of it as yours.

Source: FTC: Fake check scam targets childcare providers (June 4, 2026)

A few months after someone in your family gets scammed, this message lands:

"Hi, this is Agent Davis with the Federal Trade Commission. I'm reaching out because our office has located funds connected to the scam you reported earlier this year. To verify my identity before we discuss next steps, here is my FTC photo ID. Please confirm receipt and I'll walk you through the recovery process."

Attached is a photo of a laminated card with the FTC seal, a face, a name, and a badge number. It looks like the real thing.

The FTC put out a direct warning about this on June 3. The agency has been seeing a fresh wave of imposter messages where the scammer specifically claims to be helping recover money the victim already lost, and uses a fabricated photo ID as the "proof" they're legitimate.

Three things give it away every time. One, no real FTC employee will ever text you. The agency does not initiate contact by text or WhatsApp, ever. Two, no real FTC employee will offer to recover money you lost in a scam. The FTC files cases and runs the public refund process at FTC.gov, but agents do not personally chase down stolen funds for individual victims. Three, no real FTC employee texts you a photo of their ID to "verify" who they are. Anyone who does is impersonating one.

This is the second wave of a scam. The first wave took the money. The second wave is hunting the same victim, because the scammer's network sold or traded the contact list of everyone they already hit. The "recovery" pitch is designed to extract what's left.

The rule: If someone says they're with the FTC and they're texting you, they're not. Hang up, block the number, and report the impersonator at ReportFraud.ftc.gov.

Source: FTC: A real FTC employee won't text you their photo ID to "verify" their identity (June 3, 2026)