Security | June 7, 2026 | 7 min read

How to Protect Yourself From ClickFix Attacks

By Sarah Chen

Head of Privacy Research

ClickFix has rapidly become the most dangerous social engineering technique of 2026. According to Microsoft's Digital Defense Report, it now accounts for 47% of all observed initial compromises, surpassing traditional phishing. Unlike conventional attacks that rely on malicious attachments or links, ClickFix tricks you into running malicious commands on your own computer. Here is how it works and how to protect yourself.

What Is a ClickFix Attack?

ClickFix is a social engineering technique that manipulates victims into copying and pasting malicious commands into their computer's command prompt, Run dialog, or terminal. The attack exploits the trust people place in familiar-looking error messages and system prompts.

The technique is especially effective because it bypasses many traditional security tools. Since the victim manually executes the command, security software often treats it as a legitimate user action rather than a malicious one.

How a ClickFix Attack Works

A typical ClickFix attack follows a predictable four-step pattern:

  1. Initial contact — You visit a website, either a compromised legitimate site or a malicious one, or click a link in an email. The page displays what appears to be a system error or verification prompt.
  2. Fake error message — The page shows a convincing message such as "Human verification required," "Your browser needs an update," "SSL certificate error," or "Font rendering issue detected."
  3. The clipboard hijack — You are instructed to click a button labeled "Fix," "Verify," or "I'm not a robot." When you click, malicious code is silently copied to your clipboard without your knowledge.
  4. Command execution — Instructions appear telling you to press Windows + R to open the Run dialog and paste the copied text. When you press Enter, the command launches PowerShell, downloads a script from an attacker-controlled server, and executes malware in memory.

Never Paste Commands From Websites

No legitimate website, CAPTCHA, or browser update will ever ask you to open a Run dialog or terminal and paste a command. If any website asks you to do this, close the tab immediately. This is always an attack.

The Seven Variants of ClickFix in 2026

Security researchers identified seven active ClickFix variants in Q1 2026, each disguised as a different type of prompt:

  • Browser update prompts — Fake Chrome, Firefox, or Edge update notifications
  • File rendering errors — Claims that a document or PDF cannot display properly
  • Meeting join prompts — Fake Zoom, Teams, or Google Meet join pages
  • OAuth consent flows — Imitation of Google or Microsoft login authorization screens
  • AI tool onboarding — Fake setup pages for popular AI tools and assistants
  • Printer issue prompts — Fake printer driver installation or configuration notices
  • Compliance workflows — Imitation of corporate security compliance checks

In May 2026, researchers discovered that over 700 education and technology websites had been hijacked to serve ClickFix malware campaigns, making even trusted and familiar sites potential attack vectors.

Real-World Impact: The Booking.com Breach

ClickFix was the technique used to breach Booking.com in early 2026. Attackers targeted hotel employees with fake Cloudflare CAPTCHA pages. When hotel staff followed the "fix" instructions, they unknowingly installed malware that gave attackers access to hotel partner accounts and ultimately exposed the reservation data of over 4,000 Booking.com customers. The stolen data was then used in targeted WhatsApp and SMS phishing campaigns.

How to Protect Yourself

Recognize the Warning Signs

Train yourself and your family to spot these red flags:

  • Any webpage that asks you to press Windows + R, open Terminal, or open Command Prompt
  • Instructions to paste something from your clipboard into a system dialog box
  • CAPTCHAs or verification prompts that involve more than clicking a checkbox or selecting images
  • Error messages that appear on websites rather than from your operating system directly
  • Pop-ups urging immediate action to "fix" a problem you did not know existed

Technical Safeguards

  • Disable the Run dialog — In corporate environments, IT administrators can disable the Windows Run dialog through Group Policy to eliminate this attack vector entirely
  • Use a password manager — Legitimate login pages are recognized by password managers. If your password manager does not offer to fill credentials, the page may be fake
  • Keep software updated through official channels — Real updates come through your operating system's built-in update mechanism or the application itself, never through browser pop-ups
  • Use a reputable ad blocker — Many ClickFix campaigns are delivered through malicious advertisements on otherwise legitimate websites
  • Enable PowerShell script restrictions — Configure PowerShell execution policies to restrict unsigned scripts from running
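
The first and last safeguards in this list can be checked on a Windows host. The read-only audit below is an added example, not part of the original article; it assumes the Group Policy setting meant is "Remove Run menu from Start Menu", which Windows stores as the NoRun value under the current user's Explorer policy key.

```powershell
# Added example (not from the original article): read-only audit of the
# Run dialog policy and the PowerShell execution policy for the current user.

$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Get-RunDialogPolicy {
    # Group Policy "Remove Run menu from Start Menu" is stored as NoRun = 1
    # under the Explorer policy key; it also blocks Windows + R.
    $item = Get-ItemProperty -Path $policyKey -Name 'NoRun' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Check  = 'Run dialog disabled (NoRun)'
        Value  = if ($null -ne $item) { $item.NoRun } else { 'not set' }
        Passed = ($null -ne $item -and $item.NoRun -eq 1)
    }
}

function Get-ExecutionPolicyAudit {
    # Unrestricted and Bypass let unsigned scripts run. RemoteSigned still
    # allows unsigned local scripts; AllSigned and Restricted do not.
    $permissive = 'Unrestricted', 'Bypass'
    $effective  = (Get-ExecutionPolicy).ToString()
    [pscustomobject]@{
        Check  = 'Effective execution policy'
        Value  = $effective
        Passed = ($permissive -notcontains $effective)
    }
    # Per-scope detail shows which scope a permissive value comes from.
    foreach ($scope in (Get-ExecutionPolicy -List)) {
        $name = $scope.ExecutionPolicy.ToString()
        [pscustomobject]@{
            Check  = "Scope $($scope.Scope)"
            Value  = $name
            Passed = ($permissive -notcontains $name)
        }
    }
}

# Print one row per check; nothing on the host is changed.
& { Get-RunDialogPolicy; Get-ExecutionPolicyAudit } | Format-Table -AutoSize
```

Execution policy governs script files, and Microsoft documents it as a safety feature rather than a security boundary, so treat a passing result as one layer among the safeguards listed here.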

What to Do If You Fell for a ClickFix Attack

If you pasted and ran a command from a suspicious website, disconnect from the internet immediately, run a full antivirus scan, change passwords for all accounts accessed on that device, and monitor your financial accounts closely. Consider having a professional examine your system for persistent malware that may survive a reboot.
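
Windows keeps a per-user history of what was entered in the Run dialog, which helps confirm what was actually pasted. The triage script below is an added example, not part of the original article; the matching rule (a PowerShell or Command Prompt launch together with a URL) is an assumption chosen to mirror the pattern described earlier, and the sample strings are constructed.

```powershell
# Added example (not from the original article): list Run dialog history for
# the current user and flag entries that launch a shell and reference a URL.

$runMru = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'

function Test-SuspiciousRunCommand {
    param([string]$Command)
    # Heuristic (assumption for this example): shell launch plus a URL,
    # i.e. "launch PowerShell, download a script from a server".
    $launchesShell = $Command -match '(?i)\b(powershell|pwsh|cmd)(\.exe)?\b'
    $hasUrl        = $Command -match '(?i)https?://'
    return ($launchesShell -and $hasUrl)
}

function Get-RunDialogHistory {
    if (-not (Test-Path $runMru)) { return }
    $key = Get-Item -Path $runMru
    # MRUList holds the value names (a, b, c, ...) in most-recent-first order.
    $order = [string]$key.GetValue('MRUList')
    foreach ($name in $order.ToCharArray()) {
        # Stored data ends with a "\1" marker; strip it before matching.
        $cmd = ([string]$key.GetValue([string]$name)) -replace '\\1$', ''
        [pscustomobject]@{
            Entry      = $name
            Command    = $cmd
            Suspicious = Test-SuspiciousRunCommand -Command $cmd
        }
    }
}

# Constructed samples showing the heuristic (placeholders, not real indicators).
$samples = 'calc.exe',
           'powershell <constructed placeholder> https://example.invalid/verify'
foreach ($s in $samples) {
    '{0,-6} {1}' -f (Test-SuspiciousRunCommand -Command $s), $s
}

# Live history for the signed-in user.
Get-RunDialogHistory | Format-List
```

A clean or empty history does not rule out compromise: it covers only the Run dialog, not commands pasted into a terminal, and entries can be removed after the fact.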

Protect Your Personal Information

ClickFix attacks often lead to data theft, which can result in your personal information ending up on data broker sites and dark web marketplaces. PrivacyOn monitors over 100 data broker sites and provides dark web monitoring to alert you if your stolen data surfaces online. With 24/7 monitoring and family plans covering up to five people starting at $8.33 per month, PrivacyOn helps limit the damage even if an attack succeeds.

Stay Vigilant

ClickFix succeeds because it exploits a natural human instinct: when something appears broken, we want to fix it. The best defense is awareness. Remember that legitimate software never asks you to paste commands from a website into your system. When in doubt, close the browser tab, navigate directly to the official website of the service in question, and check for real updates or issues there. Share this knowledge with your family and coworkers, because a single informed person can stop an attack before it starts.

Sarah Chen

Head of Privacy Research

CIPP/US Certified | IAPP Member | B.S. Computer Science

CIPP/US-certified privacy researcher with over a decade of experience helping consumers remove their personal information from data brokers.
