That "Windows Update" Screen Telling You to Paste a Command Is a Scam

There's a scam going around in 2026 that's clever enough to catch careful people, and it works in a way that feels backwards: instead of sneaking a virus onto your computer, it talks you into installing it yourself. You land on a web page — sometimes a convincing full-screen "Windows Update," sometimes a "verify you're human" check — and it gives you a few simple keyboard steps to "finish updating" or "complete the verification." Follow them and you've just run a command that hands your passwords and accounts to a stranger. Security researchers call this trick "ClickFix," and Microsoft has said it's been one of the most active attacks all year.

The good news is that once you know the single move that gives it away, it's easy to spot every time. We help people across Southern California clean up after exactly this, and we'd rather you never need us for it — so here's the plain-English version.

What it looks like

It usually starts with a web page, not a program on your computer. You might hit it from a mistyped address, a bad search result, a link in an email, or an ad on an otherwise normal-looking site. The page is built to look official and a little alarming. Common disguises in 2026:

A full-screen "Windows Update" page — fake progress bar, the right shade of blue, a message that a "critical security update" must be completed now. A "Verify you are human" or CAPTCHA box that looks just like the real Cloudflare or Google ones you click every day. A fake browser-update notice, a "your computer is missing a font," or an "SSL certificate error." They all share the same goal: get you to do a couple of keyboard steps without thinking too hard about them.

The tell is that, unlike a real check-the-box CAPTCHA, this one gives you instructions. It tells you to press some keys on your keyboard to "prove you're human" or "apply the update." That's the part no legitimate page has ever asked you to do.

The one move that always gives it away

Strip away the fancy graphics and every version of this scam asks you to do the same thing: open a hidden corner of Windows and paste in a line of text. The classic script is "Press the Windows key + R, then press Ctrl + V, then press Enter." Newer versions say to press Windows + X and then a letter, or to open PowerShell or the Terminal. The wording changes; the shape never does — open a system tool, paste, hit Enter.

Here's the sneaky part: the moment you clicked the fake button, the page silently copied a command onto your clipboard. So when it tells you to "paste," you're not pasting anything you typed — you're pasting their command. Windows + R opens the Run box, a small launcher most people have never used. Press Enter and that command quietly downloads and runs the actual malware in the background. There's no scary download warning, no "are you sure," because you gave the order yourself.

So the rule to carry around is simple: no real website, update, or security check will ever ask you to press Windows + R, open PowerShell or the Terminal, or paste in a command. Not Microsoft, not Apple, not Google, not Cloudflare, not your bank. If a page is walking you through keyboard shortcuts to "fix," "verify," or "update" something, that is the scam, full stop. Close the tab.

Why it gets past your antivirus

People are often shocked that their antivirus didn't stop it, and there's a logical reason: from the computer's point of view, nothing was forced in. You opened a built-in Windows tool and ran a command, which is a thing real users and IT staff do all the time. The malware arrives by a route your security software is built to trust — your own keyboard — and the early versions run in memory without ever dropping an obvious file to scan. That's exactly why this trick has spread so fast.

This is the same blind spot we wrote about in our free-vs-paid-antivirus guide: the threats most likely to actually cost you in 2026 aren't classic viruses your software can catch, they're scams that get you to do the damage. No antivirus, free or paid, can reliably stop you from running a command you chose to run. The defense isn't a product — it's recognizing the move and refusing it.

What the command actually does

The payload is almost always an "infostealer" — malware whose whole job is to grab and ship out anything valuable on your machine. In real campaigns this year that has meant saved browser passwords, autofill data, the login "cookies" that keep you signed in (which let an attacker into your accounts without even needing the password), cryptocurrency wallets, email and gaming logins, and screenshots of your desktop. It can do all of that in seconds and then sit quietly so you never notice.

In other words, the cost isn't just "my computer is infected" — it's "the passwords and sessions for my email, bank, and social accounts may now be in someone else's hands." That's why what you do in the first hour, if you ran the command, really matters.

How to tell a real Windows update from a fake one

This is worth burning into memory because it cuts through all the disguises. Real Windows updates only ever come from one place: Settings > Windows Update, inside Windows itself. They never arrive as a web page, a browser pop-up, an email link, or a flashing "update now" banner on a site. If an "update" is showing up in Chrome, Edge, or any browser, it's fake by definition — Windows doesn't update through your browser.

A few other red flags that mark a fake: it creates urgency or fear ("your system is critically out of date," a countdown timer); it asks you to press keyboard shortcuts or paste anything; it appeared because you visited a website rather than because Windows told you so on its own. When in doubt, ignore the page entirely, open Settings yourself, and go to Windows Update — if there's a genuine update, it'll be sitting right there, no paste required.

If you already pasted and ran it — do this now

Don't panic, but do move quickly, because an infostealer works fast. First, disconnect that computer from the internet — turn off the Wi-Fi or unplug the network cable — to cut the malware off from sending more of your data out.

Next, change your important passwords, but do it from a different, clean device (your phone on cellular data, or another computer), not the one you just ran the command on. Start with your email, then your bank, then anything that shares that password. Because the scam can steal the login "cookies" that keep you signed in, also sign out of all sessions / "log out everywhere" where the account offers it, and turn on two-factor authentication if it isn't already — our guide on securing your Microsoft and Google logins walks through both.

Then deal with the infected machine itself: run a full antivirus scan (Microsoft Defender, built into Windows, is fine for this) while it's offline or right after. Honestly, though, because these stealers are designed to hide and the real risk is your accounts rather than the PC, the safest path after a known infection is to have it properly checked — or wiped and reinstalled — by someone who can confirm it's actually clean. If you bank or work on that computer, that peace of mind is worth it. Keep an eye on your bank and card statements for a while afterward, too.

The short version to remember (and to share)

If a website ever tells you to press Windows + R, open PowerShell or the Terminal, or paste in a command — to update, to "verify you're human," to fix an error, anything — stop and close it. That instruction is the scam every single time. Real updates live in Settings, real CAPTCHAs are just a box you click, and no legitimate company asks you to type secret commands into your own PC.

This one is especially worth passing on to family who might follow on-screen steps because they look official — it's the same crowd targeted by the text-message toll scams and the AI voice-clone calls we've written about. If you're anywhere in Southern California or the Coachella Valley and you think you ran one of these, or you just want your computer and accounts checked over so you can stop worrying, we're glad to help — no judgment, and no upsell.