ClickFix: The Sneaky Scam Hijacking Ontario Business Computers One Paste at a Time

ClickFix is a social engineering attack that tricks office workers into unknowingly running malicious code on their own computers. Unlike traditional hacking, the attacker does not need to find a software vulnerability or crack a password. Instead, they trick a real person — your employee — into being the one who runs the attack code themselves.

Microsoft’s 2025 Digital Defence Report, which tracks threats across millions of business endpoints worldwide, confirmed that ClickFix is now the number one initial access method used by cyber criminals — responsible for 47% of all observed attacks. That is more than traditional phishing (35%) and more than exploiting software vulnerabilities combined. As of April 2026, Barracuda Networks’ security operations centres are reporting a fresh wave of ClickFix campaigns targeting businesses exactly like yours.

ClickFix works because it exploits helpfulness, not stupidity. Attackers design the prompts to look exactly like legitimate browser error messages, Windows security alerts, or Google Chrome update notices — things your employees see regularly. The fake message creates a sense of urgency ("your session will expire," "your computer has been flagged") and then provides a clear, simple fix. Most people follow it.

Ontario’s small and mid-sized businesses are especially vulnerable for three reasons. First, they typically do not run the kind of endpoint detection and response (EDR) tools that large enterprises use to flag unusual command-line activity. Second, they rarely train staff on how to recognize social engineering beyond basic phishing emails. Third, they often use shared admin accounts or devices where one compromised machine can cascade across the entire office network.

Because the malicious command is typed by the employee — not delivered through a suspicious link or attachment — standard email filters, antivirus scanners, and web proxies do not catch it. The attack bypasses virtually every conventional layer of small business security.

Here is the ClickFix attack explained step by step in plain language:

Step 1 — The setup. Your employee is doing something ordinary: visiting a supplier’s website, logging into an industry portal, or opening a link from an email. The attacker has either compromised a legitimate website or set up a convincing fake one. The site looks completely normal.

Step 2 — The fake error appears. Suddenly, a professional-looking pop-up or overlay appears on screen. It might look like a Chrome browser warning, a Windows Defender alert, or a CAPTCHA verification prompt. The message says something like: “Security verification required” or “Your browser needs to be updated to display this page.” It feels completely routine.

Step 3 — The ‘fix’ instructions. The pop-up provides step-by-step instructions: press Windows + R to open the Run box, then press CTRL + V to paste the fix, then press Enter. What the employee does not see is that the malicious website has already quietly copied attack code into their clipboard in the background. When they paste and press Enter, they run that code themselves.

Step 4 — The payload executes. The pasted command silently contacts an attacker-controlled server and downloads malware — often an infostealer that harvests every password saved in the browser, a remote access tool (RAT) that gives the attacker live control of the machine, or a loader that later deploys ransomware across your entire network.

Step 5 — The damage spreads. From that single compromised machine, attackers can move laterally through your network, steal client data, lock your files for ransom, and persist undetected for weeks or months. For Ontario SMBs relying on a single Windows file server or a shared QuickBooks installation, one infected machine can freeze the entire business.