Skip to Content
Threats and Attacks

What is ClickFix (the fake verification that installs the attack)?

ClickFix is a social engineering technique in which a fake page shows an error or a verification (for example, a fake “I'm not a robot” check) and induces the victim to copy a piece of text and run it on their own computer, pressing Win+R, pasting and hitting Enter. In that single gesture, they unknowingly run the attacker's command, which installs the threat. The victim opens the door themselves, which is why traditional antivirus barely sees the attack.

Zamak TechnologiesUpdated on July 12, 2026

How the ClickFix scam happens

ClickFix flips the logic of an attack: instead of bypassing the machine's defenses, it convinces the person to run the command with their own hands. The steps are almost always the same.

1

The lure

The victim lands on a compromised or fake page, often through a phishing link or a search result, and sees a convincing prompt: an “I'm not a robot” check, a document error or a fake browser update.

2

The instruction

The screen asks for a “simple step to fix it”: press Win+R, paste and hit Enter, on Windows, or open Terminal, on Mac and Linux. It all looks like a routine technical fix.

3

The invisible copy

When the victim clicks the “verify” or “fix” button, the page silently copies a hidden command to the clipboard. The victim believes they copied nothing.

4

The victim runs it

When they paste and press Enter, it is the attacker's command that runs. It downloads and installs the real payload: an information stealer, ransomware or a remote access tool.

Source: 2025 threat reports that documented the technique and its growth (ESET Threat Report H1 2025) and Microsoft threat intelligence (2025).

How to recognize a ClickFix

  • Any page asking you to press Win+R, open Terminal or paste a command is an immediate red flag. No legitimate verification, update or CAPTCHA needs that.
  • An “I'm not a robot” check that ends by asking you to “paste” something, instead of just ticking a box or clicking images.
  • A fake document, online meeting or browser error that offers the “fix” in a few clicks, always in a hurry.
  • Technical instructions handed to someone non-technical, with a tone of urgency (“do it now or you'll lose access”).
  • A step that mentions “PowerShell”, “cmd” or a long, scrambled piece of text you do not understand.

Why ClickFix exploded

517%
the rise in ClickFix attacks in the first half of 2025 (ESET Threat Report, 2025)
No. 2
ClickFix is already the second most common attack vector, behind only phishing, accounting for nearly 8% of everything blocked (ESET, 2025)
$ 4.44M
the average global cost of a data breach (IBM, 2025)

ClickFix grew so fast because it solves the attacker's biggest obstacle: technical defenses. Antivirus and email filters watch attachments and downloaded files; here there is no attachment, it is the person who types the command, and the system reads it as a legitimate user action. In the first half of 2025, ClickFix attacks rose 517% and the technique became the second most common vector, behind only phishing (ESET, 2025). It works on Windows, Mac and Linux, and delivers everything: information stealers, ransomware and remote access tools. The scale is striking too: a single campaign compromised more than 250 legitimate sites across more than 12 countries to display the fake verification (Rapid7, 2025). With a breach costing an average of $ 4.44 million (IBM, 2025), one convincing click gets expensive.

How to protect the company from ClickFix

ClickFix attacks behavior, not the machine. The defense combines one clear rule for people with technical layers that catch whatever slips through.

  1. Teach a golden ruleNo legitimate site, verification or update asks you to press Win+R, open Terminal or paste a command. That single sentence, known by the whole team, stops most of these attacks.
  2. Train with simulationsRecurring awareness, with hands-on tests, teaches the team to recognize the lure before acting. It is the cheapest defense and the one that pays off most.
  3. Run behavior-based endpoint defenseAdvanced endpoint defense watches what was executed and interrupts the malicious command even when it was the user who ran it.
  4. Reduce execution powerLimiting who can run commands and programs (least privilege) and restricting tools like PowerShell in daily use shrinks the damage of a wrong click.
  5. Cut the source and the destinationEmail security and DNS filtering block the fake page that shows the lure and the domain the payload would be downloaded from, before the command ever runs.

In practice

In ClickFix, the victim types their own attack. That is why the strongest defense is not software, it is a sentence every employee should know by heart: no site asks you to paste a command.

How Zamak handles ClickFix

Zamak Technologies treats ClickFix as what it is, a scam that targets people, and responds on two fronts alongside your team: continuous awareness, so no one falls for the fake verification, and monitored advanced endpoint defense, which interrupts the command when someone clicks anyway. A good starting point is the phishing test, which measures in minutes how your team reacts to a real lure. It is part of Cybersecurity in the Zamak Method.

Frequently asked questions about ClickFix

What is ClickFix in simple words?
It is a scam in which a fake site shows an error or a verification and convinces you to “fix it” by pressing a few keys. In that gesture, you unknowingly run the attacker's command, which installs a virus. The name comes from “click to fix”: the victim thinks they are solving a problem and, in fact, lets the attack in.
How does ClickFix fool antivirus?
Because there is no malicious file for antivirus to find. The command is run by the person, with their own hands, and the system reads it as a legitimate user action. That is why behavior-based defense, which watches what was executed, works better than traditional antivirus against this scam.
Are ClickFix and phishing the same thing?
They are relatives, not identical. Phishing tricks you into clicking, downloading or handing over a password. ClickFix goes one step further: it convinces you to run the attacker's command yourself. ClickFix often arrives through a phishing message, so the two defenses go together.
What signs give a ClickFix away?
Any page asking you to press Win+R, open Terminal or paste a command. “I'm not a robot” checks that end by asking you to “paste” something. Fake document, meeting or browser errors that offer the fix in a few clicks, always with urgency.
Does ClickFix affect Mac and Linux?
Yes. Although most cases target Windows, with the Win+R shortcut, the technique works the same on Mac and Linux, asking you to open Terminal and paste the command. The target is the person, not the operating system.
Should a small company worry about ClickFix?
Yes. The scam does not pick by size: the fake pages are spread in bulk through links and searches, and a single person who falls for it already hands over a foothold. In smaller companies, where one machine often has access to a lot, the damage of a click can be even greater.