Fake CAPTCHA scam uses SMS pumping to drive up victims’ phone bills
Cybercriminals are using fake CAPTCHA pages to trick mobile users into sending dozens of international text messages, in a scam that can quietly add unexpected charges to a victim’s phone bill.
The technique, known as SMS pumping or SMS toll fraud, does not require attackers to install malware, steal a password or take over an account. Instead, the scam relies on social engineering, using a familiar “prove you are human” prompt to make victims perform the costly action themselves.
Security researchers have warned that the campaign uses fake CAPTCHA pages which prompt users to tap a button that opens their phone’s SMS app. The message and recipient list are already filled in, making the process look like part of a normal verification step. In reality, the victim may be sending messages to multiple international numbers connected to revenue-sharing arrangements.
The scam is a variation on the wider “ClickFix” trend, where attackers abuse fake verification pages to convince users to take unsafe actions. In many ClickFix attacks, victims are told to copy and paste commands into their device, effectively helping compromise their own system. In this SMS version, the victim is instead pushed into sending international text messages.
According to reporting based on Malwarebytes and Infoblox research, attackers are using malicious advertising, redirects and lookalike domains to send victims to the fake CAPTCHA pages. Some domains are designed to resemble well-known telecommunications providers or legitimate services, increasing the chance that a user will trust the prompt.
Once the victim lands on the page, they are told they must complete a human verification step. The fake CAPTCHA then opens the user’s SMS app with a pre-filled message and a list of recipients. In some cases, researchers found the process can lead victims to send messages to more than a dozen international numbers, with repeated steps potentially generating dozens of charges.
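The page-side mechanism described above is a link or button that hands the browser a pre-filled SMS compose request; on both Android and iOS that is done with an `sms:` URI, which (per RFC 5724) carries a comma-separated recipient list followed by an optional `?body=` parameter. The following is an added example, not code from the article or from the Malwarebytes or Infoblox research, showing how a content scanner or URL-analysis pipeline could flag links of this shape: it extracts `sms:` hrefs from page markup, parses recipients and body, and treats a pre-filled message aimed at several numbers outside the subscriber's home country as suspicious. The home country code, the thresholds and the sample markup (with placeholder numbers) are all assumptions for illustration.

```javascript
// Added example: flag sms: links that pre-fill a body and multiple
// international recipients, the shape used by the fake-CAPTCHA SMS pumping pages.
// Assumption: the scanner serves subscribers whose numbers start with +1.
const HOME_COUNTRY_CODE = "+1";

// Parse an RFC 5724 sms: URI: sms:<num>[,<num>...][?body=<text>]
function parseSmsUri(uri) {
  const rest = uri.slice("sms:".length);
  const qIdx = rest.indexOf("?");
  const recipientPart = qIdx === -1 ? rest : rest.slice(0, qIdx);
  const query = qIdx === -1 ? "" : rest.slice(qIdx + 1);
  const recipients = recipientPart
    .split(",")
    .map((r) => decodeURIComponent(r).trim())
    .filter(Boolean);
  const body = new URLSearchParams(query).get("body") || "";
  return { recipients, body };
}

// Simplification: any E.164 number whose country code is not the home one
// counts as international. Real deployments would use a proper numbering-plan table.
function isInternational(number) {
  return number.startsWith("+") && !number.startsWith(HOME_COUNTRY_CODE);
}

// Score one sms: URI. Thresholds are assumptions; tune them to your traffic.
function assessSmsLink(uri, { maxRecipients = 1 } = {}) {
  const { recipients, body } = parseSmsUri(uri);
  const international = recipients.filter(isInternational);
  const reasons = [];
  if (recipients.length > maxRecipients) {
    reasons.push(`${recipients.length} recipients pre-filled`);
  }
  if (international.length > 0) {
    reasons.push(`${international.length} international recipient(s)`);
  }
  if (body && recipients.length > 1) {
    reasons.push("pre-filled body sent to multiple recipients");
  }
  return { recipients, international, body, suspicious: reasons.length > 0, reasons };
}

// Pull sms: targets out of static markup. Also catches inline handlers that
// assign location.href; links built entirely at runtime need a headless browser.
function findSmsLinks(html) {
  const re = /href\s*=\s*["'](sms:[^"']+)["']/gi;
  const links = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push(m[1]);
  }
  return links;
}

function scanPage(html) {
  return findSmsLinks(html).map((uri) => ({ uri, ...assessSmsLink(uri) }));
}

// Constructed sample markup (placeholder numbers, not real ones): a legitimate
// single-recipient support link, and a fake "verify you are human" button that
// pre-fills a message to three numbers with foreign country codes.
const SAMPLE_HTML = `
<a href="sms:+15550100">Text our support line</a>
<button onclick="location.href='sms:+4470000000001,+3360000000002,+6190000000003?body=VERIFY%20HUMAN%20X7Q'">
  Verify you are human
</button>`;

for (const r of scanPage(SAMPLE_HTML)) {
  console.log(r.suspicious ? "SUSPICIOUS" : "ok", r.uri, r.reasons.join("; "));
}
```

A single-recipient domestic link passes; the multi-recipient international link with a pre-filled body is flagged on all three heuristics. The same parser can be pointed at redirect-chain output from an ad-verification crawler, which is where the malvertising-driven variant of this campaign would first show up.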
Infoblox researchers identified 35 phone numbers spread across 17 countries and said victims may end up sending as many as 60 SMS messages to 15 numbers. The total cost can reach about US$30 for a typical consumer, while attackers may receive a share of termination fees connected to the international traffic.
The amounts may seem small compared with major financial fraud, but the model is designed to scale. If thousands of users are tricked into sending international SMS messages, the total value can become significant. Victims may also fail to connect the charge with the fake CAPTCHA, because international SMS costs may not appear until a later billing cycle.
That delay is part of what makes the scam effective. By the time an unexpected phone charge appears, the victim may have forgotten the page they visited or the verification step they completed. This gives attackers time to continue redirecting users through malicious traffic systems before the campaign is noticed or blocked.
Researchers say the scam also exploits user fatigue. CAPTCHAs have become so common that many people complete them automatically, without pausing to question whether the request makes sense. Attackers are taking advantage of that habit by making the interaction look routine.
The warning for users is simple: a legitimate CAPTCHA will not ask you to send a text message to prove you are human. Real CAPTCHA systems run inside the browser or app. If a website asks you to send an SMS, copy a command, install a file or leave the page to complete a verification step, it should be treated as suspicious. If a page has already opened your SMS app, look at the compose screen before tapping send: a pre-filled message addressed to several numbers, or to numbers with a foreign country code, is the tell-tale sign of this scam, and the message should be discarded.
Mobile users should also be cautious when arriving at pages through ads, shortened links, redirects or domains that appear slightly misspelled. If a page claiming to be a telecom provider, delivery company, streaming service or login portal asks for an unusual action, close it and access the service directly through its official app or website.
For businesses, the scam is a reminder that phishing is no longer limited to fake login pages and email links. Attackers are increasingly using mobile devices, QR codes, CAPTCHAs, redirects and familiar verification rituals to bypass traditional security expectations.
The most effective defence is awareness. Users who understand how these scams work are far less likely to be rushed into tapping, scanning, texting or approving something that does not feel right.
As attackers continue to exploit everyday habits, stronger cyber defences start with better knowledge. The Hack Academy’s online courses help individuals and teams understand modern cyber threats, recognise suspicious behaviour and build safer digital habits.
Knowledge is power. Upskill your cybersecurity awareness with The Hack Academy’s online courses: https://training.thehackacademy.com/course/
Photo Credit: DepositPhotos.com
