Skip to main content
University of Florida
NaviGator AI home page NaviGator AI

ClickFix

ClickFix attacks, or copy-paste attacks, are a form of social engineering where a malicious website tries to trick you into pasting harmful code into a terminal, command prompt, or application, allowing it to run.

What is it?

ClickFix attacks are best described as a copy-paste phishing attack. ClickFix is quickly becoming popular among cybercriminals; the number of ClickFix attacks tied to phishing emails quadrupled from May 2024 to May 2025.

The goal of a ClickFix attack is to get a user to paste malicious code into a system-level tool, so that the computer will run the code. Once run, the malicious code can be used to install malware or ransomware that remains on the computer, even after rebooting.

It often disguises itself by impersonating trusted brands and websites. There's no telling what ClickFix attacks might impersonate in the future, but a few examples that have been observed include:

  • CloudFlare's CAPTCHA dialog: Claims you need to follow their instructions to prove you're not a robot.
  • Microsoft Word Online: Says you need to follow their instructions to install a browser extension to access Word Online.
  • Windows Update: They make the browser go into full screen mode, and after a brief simulated Windows Update, it says you have to follow their instructions to finish the "security update."
  • Google Chrome: Pretends to be a Google Chrome error, saying that you have to run a command to install a certificate before the website can load correctly.
  • Tech support: Malicious webpages present "run this command in your terminal to fix X issue". However, if you don't know what's in that command, you could be executing a ClickFix attack!

How Can You Spot ClickFix?

No matter what medium it's presented through, the end goal remains the same: Get a user to paste some harmful code into a system-level tool so that the computer will run it.

On Windows, a ClickFix attack starts by asks a user to press specific key combinations or on-screen buttons to open a system dialog, like the File Explorer or Windows Run. Once opened, the instructions say to press CTRL + V or right click, which is the paste shortcut. They often do not even explicitly say that you're pasting text; they just tell you the tangible actions needed to carry out their request.

On macOS, things look a little different, though the goal remains the same. On macOS, they provide instructions for accessing the Terminal app, and then ask you to paste something there. As with Windows, they might just say "press CMD + V", obscuring the fact that they want you to paste something.

No matter which OS you're using, a legitimate website should never require you to paste something outside of your web browser, especially if they're obscuring the fact.

A CATCHA dialog that prompts: Complete these Verification Steps. To better prove you are not a robot, please: 1. Press & hold the Windows Key + R. 2. In the verification window, press Ctrl + V. 3. Press Enter on your keyboard to finish. You will observe and agree 'I am not a robot - reCAPTCHA Verification ID: 1691'
An example of a ClickFix attack for Windows. It mimics the style of Google's reCAPTCHA, and provides instructions for pasting an automatically copied command into the Windows Run dialog.
A Cloudflare screen that says: Unusual Web Traffic Detected ... To proceed, please follow these steps for your operating system: 1. Press Command + Space to open Spotlight. 2. Type Terminal and press Return. 3. Click the copy button to copy the following command: 'I am not a robot: Cloudflare Verification ID: 715921'. 4. Paste (Command + V) the command into Terminal and press Return.
An example of a ClickFix attack for macOS, which impersonates Cloudflare's verification screen. It asks the user to copy a seemingly-harmless command and paste it to the Terminal. In reality, the command that gets copied when the 'Copy' button is clicked is different than the one shown.

If You Fall Victim

If you executed a ClickFix attack on a UF-managed device, report the incident by sending an email to ufirt@ufl.edu or calling 352-273-1344 immediately. Disconnect the machine from the network and stop using it, but do not shut it down or log off.

If the attack happened on a personal computer, immediately disconnect it from the network and refrain from using it further. On another device, change any passwords you've used or stored on the impacted machine. For further guidance, consult a trusted IT professional.