Stop Falling for Fake CAPTCHAs: How ClickFix Attacks Work
Article summary: ClickFix attacks use fake CAPTCHAs and “helpful instructions” to trick users into running malicious commands on their own devices. Clear patterns, like treating any prompt that asks you to open Run or paste a command as suspicious, stop these attacks before they start. This reduces the risk of malware and account compromise while giving teams a simple response plan if someone clicks.
CAPTCHAs are so common online that most people barely notice them anymore. You click the box, prove you’re human, and move on.
A ClickFix attack starts the same way, then it takes a sharp turn.
Instead of verifying anything, it displays “helpful instructions” that nudge you into running a command on your own device. No suspicious download. No obvious attachment. Just a few keystrokes that feel routine—until they aren’t.
If you’re responsible for keeping a small team’s IT secure, this is the kind of everyday tactic that’s worth staying ahead of.
The good news is that ClickFix is simple to stop once you know the pattern.
What Is a ClickFix Attack?
A ClickFix attack is a social-engineering technique designed to trick a user into running a malicious command themselves.
Microsoft describes this tactic as one that “trick[s] users into executing a malicious command themselves,” often by presenting a believable prompt that looks like a routine troubleshooting or verification step.
Instead of relying on a traditional malware download, ClickFix uses written instructions to guide the user into launching built-in tools like the Windows Run dialog and pasting in a command.
What It Looks Like
A ClickFix attack usually shows up as a normal-looking interruption: a page that claims you need to “verify,” “fix,” or “continue.” It’s often wrapped in a convincing fake CAPTCHA or error message. The tone is helpful and instructional, not threatening. That’s deliberate.
Darktrace describes users being “guided through a three-step process” where the “CAPTCHA” or prompt ultimately leads them to execute a command on their own machine.
The instructions often look like quick troubleshooting steps, and the page may even display a progress message to make it feel legitimate.
Security Now’s Episode 1066 explains why this is so effective: it hides behind something routine, like completing a CAPTCHA, while steering the user into a copy-and-paste action that isn’t normal web behavior.
The episode’s show notes cite Huntress research finding that ClickFix “fueled 53% of all malware loader activity” in 2025 within Huntress’s own dataset, a reminder that this tactic is far from a one-off gimmick.
If you want one simple “spot it fast” rule for your team, it’s this: a real CAPTCHA never needs you to leave your browser to follow keyboard instructions that run something on your device. That pattern is a hallmark of a ClickFix attack.
Why ClickFix Attacks Work So Well
A ClickFix attack works because it doesn’t feel like an attack. It feels like a normal “get me back to work” step. You’re blocked by a prompt, you want the page to load, and the instructions seem simple. That moment of friction is exactly what the tactic exploits.
ClickFix “relies on human intervention,” which is part of why it can be so effective.
Instead of delivering malware in a way that looks obviously suspicious, it gets the user to do the risky part themselves. That changes how it’s perceived. People are often trained to avoid downloads and attachments, but they’re less suspicious of steps they’re actively performing.
The HHS sector alert also highlights how these campaigns mimic familiar steps, such as “prove you are human” prompts, making the interaction look routine while steering users toward malicious instructions.
And once someone is following instructions, they tend to keep going. The brain treats it like a checklist, not a security decision.
What Happens After You Press Enter
After you press Enter, a ClickFix attack stops being a “weird prompt” and becomes an execution chain.
The pasted command typically launches built-in Windows tooling (most often PowerShell, though other built-in interpreters such as mshta or cmd are used the same way) to pull the next stage down from the internet and run it, commonly straight in memory so there is no file on disk to scan.
Because everything runs through legitimate system components, the activity can blend in at first. One detail that does stand out to anyone who looks: the interpreter is started by Explorer, the process behind the Run dialog, which is not how PowerShell normally gets launched on a user’s machine.
From there, attackers aren’t just trying to prove the trick worked. They’re trying to establish control.
Darktrace’s write-up explains that once the initial command is executed, activity can progress into command-and-control communications and follow-on actions that support broader compromise, including lateral movement to other systems in the environment.
This isn’t limited to a single pop-up event.
ClickFix campaigns can be delivered through compromised sites and phishing-driven lures, where users are manipulated into executing code that can install malware and open the door to further steps like credential theft and deeper access.
What To Do If Someone Already Clicked
If someone already followed the steps in a ClickFix attack, the priority is speed and containment. Don’t waste time trying random “cleanup” fixes from the internet, and don’t assume it’s harmless because nothing obvious happened right away.
If someone may have followed the instructions from a suspicious prompt or verification page, contact your IT support provider immediately.
That early alert matters because the first minutes after an incident often determine how far it spreads.
If possible, isolate the device from the network (unplug the Ethernet cable or turn off Wi-Fi) so whatever was downloaded cannot keep talking to its command-and-control server while you get help. Leave the machine powered on rather than shutting it down: what is still in memory helps whoever assesses it, and a reboot can lose it.
Then focus on the basics that reduce follow-on damage:
Document what happened: which site it was, what the page told the user to do, what was pasted (the Run dialog keeps a history of what was typed into it, so the exact text is usually recoverable) and when.
Scan the device using trusted security tools.
Reset passwords for any accounts that may have been used on that machine, starting with email and core access, and sign out of all active sessions for those accounts; malware delivered this way often steals browser session cookies, which keep working after a password change.
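The recovery step above, and the execution chain described earlier, both come down to one question: what exactly was pasted? The Run dialog stores its history in the registry, and PowerShell script block logging keeps the script text when it is enabled, so the command is usually recoverable without the attacker’s page. The following script is an added example, not code from the article or from BrainStomp; the function names and the keyword list are this example’s own choices, not a vendor API, and the list is a starting point rather than a complete rule.

```powershell
# Added example, not code from the original article: triage a Windows host for
# ClickFix artifacts after someone pasted into the Run dialog.
# Function names and the pattern list are this example's own choices, not a vendor API.

# Substrings common in ClickFix one-liners: a download, an in-memory invoke, or an
# encoded/hidden interpreter launch. Treat this as a starting point, not a full rule.
$SuspiciousPatterns = @(
    'powershell', 'pwsh', 'mshta', 'cmd /c', 'curl ', 'bitsadmin', 'certutil',
    'iex', 'invoke-expression', 'downloadstring', 'invoke-webrequest', 'iwr ',
    '-enc', '-encodedcommand', 'frombase64string', '-w hidden', 'http://', 'https://'
)

function Test-ClickFixCommand {
    # Returns the patterns found in one command string (empty when nothing matched).
    param([string]$Command = '')
    $lower = $Command.ToLowerInvariant()
    return @($SuspiciousPatterns | Where-Object { $lower.Contains($_) })
}

function Get-RunMruCommands {
    # The Run dialog remembers what was typed under HKCU ...\Explorer\RunMRU, one value
    # per slot (a, b, c ...) with the literal suffix "\1"; MRUList gives the recency order.
    param([string]$Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU')
    $key = Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue
    if (-not $key -or -not $key.MRUList) { return }
    foreach ($slot in $key.MRUList.ToCharArray()) {
        $name = [string]$slot
        $raw  = $key.$name
        if ($raw) {
            [PSCustomObject]@{ Slot = $name; Command = ($raw -replace '\\1$', '') }
        }
    }
}

function Get-ClickFixIndicators {
    # Checks RunMRU, then PowerShell script block logging (event 4104), which records
    # the script text even when no console window was ever visible. 4104 coverage
    # depends on logging being enabled, though PowerShell 5+ logs blocks it already
    # considers suspicious at Warning level by default.
    param([int]$Hours = 24)
    $hits = @()
    foreach ($entry in Get-RunMruCommands) {
        $matched = @(Test-ClickFixCommand -Command $entry.Command)
        if ($matched.Count -gt 0) {
            $hits += [PSCustomObject]@{
                Source  = "RunMRU slot $($entry.Slot)"
                Text    = $entry.Command
                Matched = ($matched -join ', ')
            }
        }
    }
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    foreach ($ev in @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)) {
        $text = [string]$ev.Properties[2].Value                  # index 2 is ScriptBlockText
        if (-not $text -or $text -like '*Get-ClickFixIndicators*') { continue }  # skip this script
        $matched = @(Test-ClickFixCommand -Command $text)
        if ($matched.Count -gt 0) {
            $hits += [PSCustomObject]@{
                Source  = "Event 4104 at $($ev.TimeCreated)"
                Text    = $text.Substring(0, [Math]::Min(200, $text.Length))
                Matched = ($matched -join ', ')
            }
        }
    }
    return $hits
}

Get-ClickFixIndicators | Format-Table -AutoSize -Wrap
```

Run it in the affected user’s session (RunMRU is per user) before anyone “cleans up”, and copy the output into the incident notes together with the site and the time. An empty result does not clear the machine: the Run history can be cleared, the paste may have gone into a terminal or the Explorer address bar instead of Run, and 4104 only covers PowerShell. It does, however, turn “I think I pasted something” into the exact command your IT provider needs to see.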
Most importantly, treat it as a real incident, not an embarrassment. ClickFix attacks work because they look routine, and the right response is a calm, fast process that limits impact.
ClickFix Attacks Are Preventable With Better Patterns
A ClickFix attack succeeds when it blends into routine behavior. It doesn’t need advanced tricks. It just needs someone to follow “helpful” instructions without pausing to question them.
The fix is simpler than most people expect: teach one or two clear patterns your team can recognize fast.
Two practical habits make a real difference: learning to recognize suspicious prompts or verification pages, and having a clear response plan if someone follows the instructions before realizing something is wrong.
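Awareness is the main control, but a small team can also remove the exact step the attack depends on. Windows has a long-standing policy (“Remove Run menu from Start Menu”, registry value NoRun) that disables the Run dialog and the Win+R shortcut, and a second policy that turns on PowerShell script block logging so anything that does get pasted elsewhere is recorded. The script below is an added example, not code from the article or from BrainStomp; the function names are this example’s own, and the registry paths are the standard Windows policy locations.

```powershell
# Added example, not code from the original article: two policy settings that take
# the Run dialog away from the attacker and keep a record of whatever PowerShell runs.
# On a fleet, set the same values through Group Policy; this is the per-machine/per-user
# equivalent for a quick test. The HKLM write needs an elevated prompt.

$ExplorerPolicy    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ScriptBlockPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'

function Set-PolicyDword {
    # Creates the policy key if needed and writes one DWORD value.
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value $Value -Force | Out-Null
}

function Get-PolicyDword {
    # Returns the value, or $null when the key or value does not exist.
    param([string]$Path, [string]$Name)
    return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

function Enable-ClickFixHardening {
    # NoRun = 1 removes the Run dialog and Win+R for this user (takes effect at next logon).
    Set-PolicyDword -Path $ExplorerPolicy -Name 'NoRun' -Value 1
    # EnableScriptBlockLogging = 1 makes PowerShell write event 4104 for every script block.
    Set-PolicyDword -Path $ScriptBlockPolicy -Name 'EnableScriptBlockLogging' -Value 1
}

function Test-ClickFixHardening {
    # Reads both settings back so the state can be checked without trusting the writer.
    [PSCustomObject]@{
        RunDialogDisabled  = ((Get-PolicyDword -Path $ExplorerPolicy    -Name 'NoRun') -eq 1)
        ScriptBlockLogging = ((Get-PolicyDword -Path $ScriptBlockPolicy -Name 'EnableScriptBlockLogging') -eq 1)
    }
}

Enable-ClickFixHardening
Test-ClickFixHardening
```

Two caveats before rolling this out. NoRun only removes the Run dialog; it does nothing if a page tells the user to paste into the File Explorer address bar or an open terminal instead, which is why the logging setting is included as the backstop rather than relying on the block alone. And anyone who genuinely uses Win+R will notice, so tell the team why it went away; a short explanation doubles as the awareness training this section is about.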
That kind of readiness rarely happens by accident. It comes from consistent awareness training, clear reporting paths, and systems designed to catch problems early. BrainStomp helps businesses put those pieces in place so employees know what to watch for and what to do if something slips through.
If you want help turning these practices into a consistent habit across your business, contact BrainStomp today.
Article FAQs
What is a ClickFix attack?
A ClickFix attack is a social-engineering scam that looks like a fake CAPTCHA or “verification” step and tricks you into running a command on your own device. Instead of downloading something obvious, it uses instructions to get the user to execute the malware.
Why would a ClickFix attack bypass normal security?
Because the user runs the command themselves using built-in tools like Windows Run or PowerShell. That “human step” can make the activity look more legitimate than a typical malicious download or attachment.
What should I do if I opened Run and pasted something?
Stop what you’re doing and contact IT support immediately. Disconnect from the internet if possible, document what happened, and change passwords for key accounts (especially email) as soon as you can.
Are ClickFix attacks only delivered by email?
No. They can also appear through compromised websites, malicious ads, fake software prompts, and other links that land you on a fake verification page.