What is a ClickFix attack?

A social engineering attack that presents fake security alerts or error messages, then instructs users to paste and run malicious commands in system dialogs like PowerShell. Because the user runs the command voluntarily, antivirus often doesn't flag it.

Would a real website ever ask me to run a command?

No. No legitimate security check, CAPTCHA, or error fix requires you to open PowerShell, Terminal, or Command Prompt. If any website asks this, close the tab immediately.

Scam #4 · High Threat

You Were the Vulnerability.

No virus. No hack. They just convinced you to open a system dialog and paste a command. That's all it takes when the attacker is patient enough.

What You Just Experienced

That Chrome security page with the scary error code? It told you to press Win+R, paste a PowerShell command, and hit Enter. If you'd done that on a real computer, you would have just downloaded and executed whatever the attacker wanted — a keylogger, ransomware, remote access tool, anything.

And here's the part that should bother you: your antivirus probably wouldn't have caught it. Because YOU ran the command voluntarily. The malware didn't break in — you opened the door and invited it in.

Why This Is Different

Most malware needs to exploit a software vulnerability or trick you into downloading a file. ClickFix skips all of that. Instead of attacking your computer, it attacks your behavior. It presents a problem — fake error, broken CAPTCHA, security warning — and gives you "instructions" to fix it. Those instructions are the attack.

This category is growing fast because it turns the user into the delivery mechanism. Security software is built to stop unauthorized programs from running. When the user themselves pastes and executes the command, it looks authorized.

What to Look For

Any website telling you to open PowerShell, Terminal, Command Prompt, or Run. That's the line. No legitimate website, security check, CAPTCHA, or error fix will ever ask this. Period. Close the tab.
"Copy and paste this command." If you're pasting something into a system dialog from a website you didn't seek out, you're executing someone else's code on your machine.
Browser-based security alerts. Real Chrome warnings don't look like web pages. They look like native browser dialogs. If the "alert" has a URL bar above it showing a website, it's a website pretending to be an alert.
Error codes designed to look real. "SEC_CERT_AUTHORITY_INVALID" — sounds technical enough to be scary, vague enough to be unverifiable. That's intentional.

The Rule

No website should ever ask you to open a system dialog and paste a command. Not to fix a security issue. Not to verify your identity. Not for any reason. If one does, close the tab. That's the entire rule.

How to Explain This

For less technical family members: "If a website ever tells you to press certain keys and type or paste something into a box that pops up — don't. Just close the browser. If you're worried something is actually wrong with your computer, call me or take it to a professional."

For more technical family members: "ClickFix attacks make you the malware delivery system. They present a fake error and give you a PowerShell one-liner to 'fix' it. The command downloads and executes whatever they want, and your AV sees it as user-authorized. The defense is simple: never run commands from a website you didn't explicitly navigate to for support."

← Replay This Simulation All Scams