New ClickFix scam tricks users into installing malware, cybersecurity expert warns
New ClickFix scam tricks users into installing malware, cybersecurity expert warns
Publish Date: 2026-07-07 18:38:00
Source Domain: katv.com
Using an unordered list, summarize the following article with between 4 and 8 key points. LITTLE ROCK, Ark. (KATV) — A resurfacing scam known as “ClickFix” is tricking people into installing malware on their own devices by posing as a “prove you’re human” verification step, according to cybersecurity expert Chris Wright of Sullivan Wright Technologies.Wright said the scam has been around for a while but has “reared its head again with a new theme,” using prompts that look like familiar human-verification tests. The key difference, he said, is that ClickFix instructs users to copy and paste code onto their own computer and run it, which can bypass typical security protections.“It’s asking you to actually copy code into your own computer, so it’s kind of bypassing all of your protective mechanisms and saying go ahead and paste this sight unseen code and run it for me,” Wright said.Wright said that once a victim runs the code, it can give an attacker a foothold on the device. That access can be used to steal sensitive information such as “passwords and credentials,” he said, or to install a remote access tool that allows the attacker to return repeatedly.He said cybercriminals are increasingly targeting everyday people rather than only large institutions.“There’s so many of these folks who, they’re, you know, they don’t need a whole lot, so they’re going to come after the little folks like us,” Wright said. “If they can get a little bit of money, if they can hit your small bank account, or you know, get something out of your email, then that’s good enough for them.”To protect against ClickFix-style attacks, Wright said people should be wary of any “prove you’re human” prompt that instructs them to open system tools and paste in commands.“It’s asking you to hit Windows key in R or on a Mac to hit command space and then type terminal and then paste some stuff in there,” Wright said. “Know that that is bad, because the tactic is going to be the same for all of these.”Wright said the scam can be confusing because people have become accustomed to standard “prove you’re not a robot” tests online. He said that familiarity can make a malicious prompt seem like a legitimate new verification method, even though it is actually asking the user to run code.For more information, Wright said Sullivan Wright Technologies shares educational posts on social media and publishes newsletters and other materials online.“You can come to Sullivanwright.com and you can see all of our newsletters, all of our social media posts, and educational material on it,” he said.Wright also noted that some social media users and platforms are increasingly labeling content as AI-generated, describing it as part of a broader backlash tied to concerns about AI’s impact on artists and content creators. He said those labels may help in some cases, but added that “the bad guys aren’t going to do that.”