Incident Response Guide

A Website Told Me to Click or Run Something to Fix a Problem

A website showed an error, a CAPTCHA, or an alert and asked you to run a command, download a fix, or call a number. Here's what just happened and what to do.

Updated 7 May 2026

What Is This?

Websites cannot fix your computer, scan your files, or detect viruses. When a website claims otherwise and asks you to do something — run a command, call a number, download a “fix” — it is a scam.

These attacks rely entirely on convincing you to take an action yourself. Nothing bad has happened yet just because you saw the page. The danger is only in what you do next.

Find your situation in the sections below.

"Verify you are human" — and then instructions to press Windows+R and paste something

This is called ClickFix — one of the fastest-growing attack techniques of 2025, used in nearly half of all tracked intrusions that year.

What happened:

A website displayed what looked like a CAPTCHA or verification step (“Verify you are human”, “I’m not a robot”, or a Cloudflare-style check). When you clicked the button, the site silently copied a malicious command to your clipboard without you seeing it. The site then showed instructions to:

  • Press Windows + R to open the Run dialog
  • Press Ctrl + V to paste
  • Press Enter to run

If you followed these steps and pressed Enter, a PowerShell or other command ran on your computer. It likely downloaded and installed malware — typically a password-stealing program (infostealer) or remote access tool that gives attackers ongoing control of your computer.

What to do:

  • If you saw the page but did not follow the instructions: Close the tab. Nothing happened. Clear your clipboard: open Notepad, press Ctrl+V to paste harmlessly into it, then close it.
  • If you pressed Enter: Go immediately to the “I already did it” section below.

How to recognise this in future:

No legitimate website — not Google, Cloudflare, or any other service — will ever ask you to open the Run dialog or paste a command to verify your identity. If a verification step asks for anything beyond clicking a checkbox, leave the site.

"Your computer is infected — call this number immediately"

This is a tech support scam. The browser has not actually detected any infection — browsers have no ability to scan your files or detect viruses. The popup is a webpage designed to look like a Windows or antivirus warning.

These pages often:

  • Play a loud alarm sound or a voice saying your computer is locked
  • Display a fullscreen warning that is hard to dismiss
  • Show a phone number labelled as Microsoft, Apple, or your antivirus provider
  • Claim your data or banking information is being stolen right now

What to do right now:

  1. Do not call the number. The people who answer are scammers, not Microsoft or Apple support. They will attempt to gain remote access to your computer or charge you for fake services.
  2. Close the browser. If the page is blocking you from closing it normally:
    • Press Alt + F4
    • If that fails, press Ctrl + Shift + Esc → find your browser in the list → right-click → End task
    • On Mac: press Command + Option + Escape → force-quit the browser
  3. If the page is fullscreen: Press F11 or Escape first to exit fullscreen, then close the browser.

After closing, run a malware scan using Windows Security (Start → search “Windows Security” → Virus & threat protection → Full scan) to confirm nothing was installed while you were on the page.

If you already called the number: Go to the “I already did it” section below.

"Your browser / software has an error — download this update to fix it"

Fake update and fake error pages impersonate browsers (Chrome, Firefox, Edge), Windows itself, or popular software. They show a convincing-looking error message and offer a download button labelled something like “Download Fix”, “Update Now”, or “Install Security Patch”.

The downloaded file is malware — usually an installer that looks legitimate but installs a password stealer, adware, or remote access tool.

Common versions:

  • “Your Chrome browser is out of date” — with a fake Chrome logo and download button
  • “A critical Windows error has occurred” — asking you to download a repair tool
  • “This video requires an updated codec to play” — prompting a file download
  • Fake Word or PDF document that shows an error and asks you to “Enable Content” or “Enable Macros”

What to do:

  • If you only saw the page: Close it. Do not download anything.
  • If you downloaded a file but did not run it: Delete the file from your Downloads folder. Do not open it.
  • If you ran or installed the file: Go to the “I already did it” section below.

Legitimate browser and Windows updates never come from websites. Browsers update themselves automatically through their own settings. Windows updates come only through Windows Update (Start → Settings → Windows Update).

I downloaded a "crack", keygen, or free version of paid software — it asked me to run a script or disable antivirus

Files downloaded from unofficial sources — torrent sites, “free download” aggregator sites, or sites offering cracked versions of paid software — very frequently contain malware. A common delivery method is asking you to:

  • Disable your antivirus “because it gives a false positive”
  • Run an included .bat, .ps1, or .exe file to “activate” the software
  • Follow a video tutorial that walks you through turning off Windows security features

If you disabled antivirus and ran the file, treat it as a confirmed infection. Go to the “I already did it” section.

Even if your antivirus did not flag anything, it does not mean the file is clean — modern infostealers are specifically designed to evade detection for a period after installation.

If You Already Did It

This section applies if you:

  • Pressed Enter after pasting a command into the Run dialog
  • Called the tech support number and let them access your computer
  • Installed a file from a fake update or cracked software site
  • Disabled your antivirus and ran something

Act now — the sooner you do this, the less damage occurs.

Step 1: Disconnect from the internet

Pull out your network cable or turn off Wi-Fi immediately. This cuts the attacker’s connection to your computer and stops malware from sending your data outward.

Step 2: Do not use your computer for anything sensitive

Do not log in to banking, email, or any other accounts on this machine until it has been cleaned and confirmed safe.

Step 3: Change your passwords — from a different device

Use your phone or another computer to change passwords for:

  • Your email accounts
  • Banking and any financial services
  • Any account where you have saved payment details
  • Any account where you reuse the same password as the above

Change these before cleaning your computer — if an infostealer is running, anything you type on the infected machine may be captured. Use our password generator for each new password.

Step 4: Contact your bank

If you have done any banking on this computer recently, call your bank and explain that your computer was compromised. Ask them to monitor your account and reverse any suspicious transactions. Do this the same day — the sooner you report it, the better your options.

Step 5: Run malware scans

Reconnect to the internet briefly to download scanners, then disconnect again.

Windows Security full scan: Start → search “Windows Security” → Virus & threat protection → Scan options → Full scan

Microsoft Safety Scanner (no installation needed): Download msert.exe from microsoft.com/en-us/safety/scanner, run it, and select Full Scan.

Run both. Quarantine or remove everything they find. Restart and scan again to confirm.

Step 6: If a tech support scammer had remote access

If you called the number and let someone remotely connect to your computer (via AnyDesk, TeamViewer, or a similar tool):

  • Uninstall the remote access software immediately (Control Panel → Programs → Uninstall)
  • Change all passwords as described in Step 3
  • Check your bank account for any transactions you did not make
  • Consider a full Windows reset if you cannot be certain what they installed: Start → Settings → System → Recovery → Reset this PC → Remove everything

How to Tell a Real Alert From a Fake One

Real alertFake (scam)
Where it appearsSystem tray, Windows notification, your antivirus appInside a browser tab or popup
Phone numberNever shownAlmost always shown
What it asks you to doNothing urgent — update or scan at your paceCall now, run this, download this, act immediately
Closes normallyYesOften designed to be hard to close

Prevention

  • Never open the Run dialog (Win+R) based on a website’s instruction — no legitimate service requires this
  • Never call a phone number shown in a browser popup — Microsoft, Apple, and antivirus companies do not contact you this way
  • Download software only from the developer’s official website or your operating system’s app store
  • Do not disable antivirus warnings to install something — a “false positive” excuse is a near-certain sign of malware
  • Keep your browser up to date — your browser updates itself; you do not need to download updates from websites