Cybersecurity Knowledge Base

CyberPedia


Your essential guide to cybersecurity threats, attacks, and defenses. 
Understand the risks. Protect your business.

ClickFix Attack


Overview

The ClickFix attack is a type of online scam where criminals trick people into running harmful commands on their own computers by following “helpful” on‑screen instructions. Instead of silently hacking in the background, ClickFix convinces the victim to do the dangerous part themselves—usually in just a few clicks or keystrokes.

What It Looks Like

ClickFix almost always appears as something routine and harmless, such as:

  • A fake “I’m not a robot” check or CAPTCHA

  • A “Verify you are human” or “Security check” page

  • A fake “video call problem” or “your browser is out of date” message

  • A fake error or warning saying something like “Fix this issue by following these steps”

These messages show up after you click a link in a phishing email, an online ad, a search result, a YouTube/tutorial link, or on a legitimate site that has been compromised. The page then walks you through a short set of steps, often with pictures or big highlighted instructions.

Typical Attack Steps

While the wording and design can change, the basic pattern is very similar across ClickFix attacks:

  1. You land on a fake help/verification page

    • This may look like a Google reCAPTCHA, a video call join screen, a “document viewer,” or a system fix screen.

  2. The page silently loads a command into your clipboard

    • Behind the scenes, the page uses code in the browser to copy a hidden command (often a one‑line script) into your clipboard without you realizing it.

  3. The page gives you simple keyboard instructions

    • Common sequence on Windows:

      • “Press Windows key + R” (opens the Run box)

      • “Press Ctrl + V” (pastes the hidden command)

      • “Press Enter” (runs the command)

    • Variants may tell you to paste into the browser address bar, a terminal, or another system dialog, and similar tricks exist for macOS and mobile devices.

  4. Your computer runs the pasted command

    • The command typically launches PowerShell or another script tool, which then downloads and runs malware from the internet.

  5. Malware takes over quietly

    • After this, your computer may be infected with tools that can steal data, allow remote control, or pull in more malicious software.

What Attackers Want

The main goals of a ClickFix attack are to:

  • Steal passwords and sensitive data

    • Using “infostealer” malware to grab logins, saved browser passwords, crypto wallets, and other stored secrets.

  • Gain remote control of devices

    • Installing remote access tools (RATs) so attackers can watch your screen, move your mouse, and run programs as if they were sitting at your computer.

  • Break into company systems

    • Using your device as a stepping stone into business networks, file shares, email, and cloud accounts.

  • Sell access as a service

    • Some criminals package ClickFix kits and sell them to others, so even low‑skill attackers can run campaigns.

Why ClickFix Is Hard to Catch

ClickFix is effective because it turns the victim into the “installer.”

  • Security tools often look for programs that download and run files on their own; here, you typed or pasted the command, so it can look like a “normal” action.

  • The attack skips the usual download prompts and browser warnings by pulling code directly into tools like PowerShell.

  • The steps feel like typical online friction—“verify you’re human,” “fix a display issue,” “update your player”—so people don’t see them as dangerous.
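
A pasted Run-box command still leaves a trace defenders can review. The sketch below is an added example, not part of the original article: it triages an export of a user's Run-box history and flags entries where a script tool was started with a web address. It assumes that history is the RunMRU key under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer; the sample values, the interpreter list and the function names are constructed for illustration.

```python
import re

# Script hosts worth flagging when started from the Run box (illustrative list).
INTERPRETERS = {"powershell", "pwsh", "cmd", "mshta", "wscript", "cscript"}
URL_RE = re.compile(r"https?://[^\s'\"|)]+", re.IGNORECASE)

# Constructed sample, not from a real incident. Assumption: commands sit under
# letter names with a trailing "\1"; "MRUList" orders the letters newest first.
SAMPLE = {
    "MRUList": "dcba",
    "a": "notepad\\1",
    "b": "cmd /k ipconfig\\1",
    "c": "\\\\fileserver\\share\\1",
    "d": '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" '
         '-Command "Invoke-WebRequest https://example.invalid/verify"\\1',
}


def parse_runmru(values):
    """Return the stored Run-box commands, newest first, without the suffix."""
    commands = []
    for name in values.get("MRUList", ""):
        data = values.get(name)
        if data is not None:
            commands.append(data[:-2] if data.endswith("\\1") else data)
    return commands


def first_program(command):
    """Lower-cased base name of the program a command line starts."""
    m = re.match(r'\s*"([^"]+)"|\s*(\S+)', command)
    token = (m.group(1) or m.group(2)) if m else ""
    name = re.split(r"[\\/]", token)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def triage(values):
    """Flag entries where a script host was started with a remote URL."""
    findings = []
    for command in parse_runmru(values):
        program, urls = first_program(command), URL_RE.findall(command)
        if program in INTERPRETERS and urls:
            findings.append({"program": program, "urls": urls, "command": command})
    return findings


if __name__ == "__main__":
    for hit in triage(SAMPLE):
        print(hit["program"], hit["urls"])
```

A flagged entry is a lead for IT to review alongside other evidence, not proof of infection; ordinary entries such as a program name or a file share are left alone.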

How to Recognize a Possible ClickFix Attack

Treat it as suspicious if you see any combination of the following when browsing or opening links:

  • A webpage that suddenly:

    • Asks you to “fix” something by typing or pasting commands

    • Shows step‑by‑step keyboard shortcuts (for example, “Press Windows+R, then Ctrl+V, then Enter”)

    • Claims you must do this to watch a video, open a document, or prove you’re not a bot

  • Pages that look slightly “off”:

    • CAPTCHA or security pages that don’t match the usual style you see from Google, Microsoft, or other familiar brands

    • Poor spelling, strange wording, or odd domain names

  • Instructions that involve:

    • The Windows Run box, PowerShell, Command Prompt, Terminal, or any system‑level tool

    • Copying and pasting long lines of text you don’t understand

If you ever think, “I’m not sure why I’m doing this, but the website says I have to,” stop and assume it may be malicious.

Business Impact

For businesses, a single successful ClickFix attack can lead to:

  • Compromised email, cloud storage, and internal applications

  • Stolen customer or employee data

  • Ransomware or other follow‑on attacks delivered from the same infected machine

  • Regulatory, legal, and reputational damage if sensitive information is exposed

Key Prevention Tips (Plain‑Language)

For non‑technical staff, the most important rules around ClickFix are behavioral:

  1. Never follow website instructions that tell you to open PowerShell, Command Prompt, Terminal, or the Windows Run box and paste in a command.

  2. Treat any “verification” or “fix” that includes keyboard shortcuts as suspicious, especially if you got there via an email link or online ad.

  3. Close the browser tab immediately if something feels off. If needed, manually re‑type the company or service’s address into the browser instead of clicking links.

  4. Report it to IT or your security contact right away, especially if you already followed some steps. The sooner they know, the more they can limit damage.

  5. Keep systems updated and use reputable security software, which can still block many of the tools that ClickFix tries to install.