'Unfortunately, it needs to be said: Do not send a text to confirm you are human': Experts reveal how fake CAPTCHAs are driving a global SMS scam campaign

CAPTCHAs asking you to send an SMS are actually a scam

News By Sead Fadilpašić published 27 April 2026

• Copy link
• Facebook
• X
• Whatsapp
• Reddit
• Pinterest
• Flipboard
• Threads
• Email

Share this article 0 Join the conversation Follow us Add us as a preferred source on Google Newsletter Subscribe to our newsletter

• Infoblox researchers expose long‑running CAPTCHA scam that tricks victims into sending costly international SMS messages
• Victims can unknowingly send dozens of texts, incurring charges while attackers profit through telecom revenue sharing
• The defense is simple: never send a text message to “prove you are human”

Fake CAPTCHAs are not just about copying and pasting links to malware - they can also be about sending an SMS to an international number and being charged a whole lot for the privilege.

Security researchers from Infoblox recently published an in-depth report about an “underreported” type of CAPTCHA scam.

This particular campaign has been active since at least June 2020 and has been tricking people into sending SMS messages through social engineering and browser back button hijacking. During their research, they found 35 phone numbers in 17 different countries.

Article continues below

Multiple SMS messages

"The fake CAPTCHA has multiple steps, and each message crafted by the site is preconfigured with over a dozen phone numbers, meaning the victim isn't charged for just a single message – they're charged for sending SMSs to over 50 international destinations," researchers David Brunsdon and Darby Wise wrote in their report.

One of the reasons why this sort of scam hasn’t been that widely reported is likely because of delayed billing, they added. International SMS charges are only a problem a few weeks later, when the bill arrives, and by then, “the experience with the fake CAPTCHA has been long forgotten.”

Another vital part of the effort are the malicious traffic distribution systems (TDS), which redirect the victim to these landing pages.

Here is how it works: a commercial TDS redirects a victim to a malicious website that requires the person to “confirm they are human” by sending an SMS. When the victim taps the button, the page uses built-in mobile features to open the SMS app with the number and message already filled in. The numbers are leased by the attackers.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Contact me with news and offers from other Future brandsReceive email from us on behalf of our trusted partners or sponsors