Cybercriminals are using fake CAPTCHA pages to trick users into sending dozens of high-cost international SMS messages, turning routine verification into an IRSF scam that quietly drains mobile balances and often goes unnoticed until billing charges appear later.

Cybercriminals Use Fake CAPTCHA Pages to Drive Costly SMS Fraud

The420 Correspondent

New Delhi | A new and highly dangerous cyber fraud technique is rapidly emerging, where seemingly harmless CAPTCHA verifications—such as “I am not a robot”—are being weaponised to execute international SMS fraud. According to cybersecurity experts, the scam operates so silently that victims often remain unaware for days or even weeks, while expensive international SMS messages are continuously sent from their phones.

Reports indicate that attackers create fake websites and lookalike domains that appear legitimate at first glance. On these platforms, users are prompted to complete CAPTCHA verification. However, instead of a genuine security check, it is a trap—each “verification” step triggers multiple SMS messages from the victim’s device to international numbers.

How the fraud network operates

This scam is executed through a well-structured technical network. Victims are first lured via malicious links, redirecting them to fake web pages. Once there, they are repeatedly asked to “confirm” or “verify” that they are human.

Each time the user proceeds, the phone’s SMS application opens automatically, pre-filled with a message and a list of international numbers. As soon as the user taps ‘Send,’ the device transmits SMS messages to high-cost foreign destinations.

In some observed cases, a single CAPTCHA flow has resulted in 50–60 outbound SMS messages, leading to significant financial losses for users.
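
A content filter or page scanner can look for this pattern before the user ever taps "Send". The sketch below is an added example, not code from the report or from any vendor; it assumes the pages use the standard `sms:` URI scheme (RFC 5724) to open the messaging app, and the home country code, function names and sample markup are constructed for illustration.

```javascript
// Added example (not from the article). HOME_CC and the sample page are assumptions.
const HOME_CC = "+91"; // assumed home country code of the user being protected

// Parse an RFC 5724 sms: URI: sms:<recipient>[,<recipient>...][?body=<text>]
function parseSmsUri(uri) {
  const m = /^sms:([^?]*)(?:\?(.*))?$/i.exec(uri.trim());
  if (!m) return null;
  let path;
  try {
    path = decodeURIComponent(m[1]);
  } catch (e) {
    path = m[1]; // malformed percent-encoding: keep the raw text
  }
  const recipients = path
    .split(",")
    .map((r) => r.replace(/[\s().-]/g, "").replace(/^00/, "+"))
    .filter(Boolean);
  const body = new URLSearchParams(m[2] || "").get("body") || "";
  return { recipients, body };
}

// Flag links that pre-fill several recipients, at least one outside HOME_CC.
function assessSmsLink(uri, homeCc = HOME_CC) {
  const parsed = parseSmsUri(uri);
  if (!parsed) return null;
  const foreign = parsed.recipients.filter(
    (r) => r.startsWith("+") && !r.startsWith(homeCc)
  );
  const reasons = [];
  if (parsed.recipients.length > 1) reasons.push("multiple-recipients");
  if (foreign.length > 0) reasons.push("international-recipient");
  if (parsed.body) reasons.push("prefilled-body");
  const suspicious = parsed.recipients.length > 1 && foreign.length > 0;
  return { ...parsed, foreign, reasons, suspicious };
}

// Collect every sms: href in a page's markup and return the suspicious ones.
function scanPage(html) {
  const hrefs = [...html.matchAll(/href\s*=\s*["'](sms:[^"']*)["']/gi)].map((m) => m[1]);
  return hrefs.map((h) => assessSmsLink(h)).filter((a) => a && a.suspicious);
}

// Constructed sample: +999 is an unassigned country code, all numbers are fake.
const SAMPLE_PAGE = `
  <a href="sms:+919800000000?body=Hi">Text support</a>
  <a href="sms:+9990000001,+9990000002,009990000003?body=VERIFY%201234">I am not a robot</a>`;
```

On the constructed sample, only the second link is flagged: it pre-fills three recipients outside the home country code along with a message body, while the single-recipient domestic link passes.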

IRSF model driving large-scale profits

The scam operates on the principle of International Revenue Share Fraud (IRSF). In this model, cybercriminals utilise phone numbers in countries where SMS termination charges are high.

When a victim sends SMS messages to these numbers, telecom operators exchange fees, and a portion of that revenue is shared with the fraudsters controlling those numbers.

Experts estimate that an individual user may lose around ₹2,000 to ₹3,000 per incident. However, when scaled across thousands of victims, the operation generates massive profits worth crores.

Why detection is delayed

One of the most alarming aspects of this fraud is its silent nature. Charges for international SMS messages are often reflected later in billing cycles, meaning victims do not immediately realise what has happened.

In many cases, users forget the CAPTCHA interaction entirely, only discovering the fraud when they receive unexpectedly high mobile bills.

A dangerous mix of technology and social engineering

Cybercriminals enhance the effectiveness of this scam using advanced techniques such as traffic distribution systems (TDS), cookie tracking, and malicious JavaScript. These tools repeatedly redirect users across multiple fake pages, increasing the chances of engagement.

Additionally, “back button hijacking” is used to trap users within the fraudulent flow, preventing them from easily exiting the page. Once caught in the loop, escaping becomes difficult without closing the browser entirely.

Expert warning

Cybersecurity professionals emphasise that this is not a traditional hacking attack but a sophisticated blend of social engineering and technical manipulation.

Renowned cybercrime expert and former IPS officer Prof. Triveni Singh explains, “Today’s cybercriminals are exploiting human behaviour more than technology. Even simple tools like CAPTCHA are being weaponised. The user believes they are completing a routine verification, but in reality, they are unknowingly executing the fraud themselves.”

How to protect yourself

Experts advise users to remain extremely cautious while interacting with unknown websites. If a CAPTCHA or verification process repeatedly prompts SMS sending, it should be treated as a red flag and stopped immediately.

Users should regularly monitor their SMS activity and mobile billing for any unusual international charges. Avoid clicking on suspicious links or engaging with unfamiliar websites.
