Cybersecurity Phishing Social Engineering ClickFix Employee Security Small Business

That 'Verify You're Human' Box Might Be Handing Over Your Computer

A scam called ClickFix hides inside a fake CAPTCHA. It doesn't ask you to download anything or type a password — it just asks you to press a few keys. Here's how it works and how to stop it.

centrexIT Team
5 min read

You know the box. “Verify you are human.” A checkbox, or one of those puzzles where you pick the traffic lights. You’ve clicked through a thousand of them without a second thought, because that’s what they’re for — a quick, harmless speed bump between you and the thing you were trying to do.

That reflex is exactly what a scam called ClickFix is built to exploit.

Here’s the setup. You search for something on Google, click a result, and land on a page that looks like it’s checking whether you’re a real person. But instead of a checkbox, this one gives you instructions: to verify yourself, press the Windows key and R together, then press Ctrl and V, then hit Enter. Three keystrokes. Feels like a slightly annoying version of something you do all the time.

Except those keystrokes don’t verify anything. They open a hidden command line on your computer, paste in a command the attacker already copied to your clipboard, and run it — installing malware on your machine. You didn’t download a file. You didn’t type a password. You didn’t open an email attachment. You just followed the instructions on what looked like a normal web page, and in a few seconds your computer was working for someone else.

Why This One Slips Through

Most security advice is built around things that no longer describe this attack. Don’t open strange attachments. Don’t click links in suspicious emails. Don’t enter your password on a site you don’t trust. ClickFix sidesteps all of it.

There’s no attachment, because the lure is a web page. There’s no password to steal, because it never asks for one. And it usually doesn’t even arrive by email — victims often reach it straight from Google search results, landing on legitimate but compromised websites, which means email security filters never get a look at it. The attack lives in a place most training never warned anyone about: the ordinary act of clicking through a verification screen.

It works because it borrows a habit everyone has built. We are all trained to breeze through CAPTCHAs, cookie banners, and “prove you’re not a robot” prompts as fast as possible. ClickFix dresses itself up as one more of those, then asks for one small extra step — and a lot of people take it before they think.

The Newer, Quieter Cousin

There’s a version that doesn’t install anything at all. It’s called ConsentFix, and it happens entirely inside the browser. Same fake-verification wrapper, but instead of running a command, it walks you through what looks like a normal Microsoft sign-in and tricks you into handing over an access token — the digital key that proves you’re logged in.

Because the sign-in itself is real, it doesn’t need your password, and it slips past multi-factor authentication: if you were already signed in to Microsoft 365, there’s no new prompt at all. The attacker ends up with read-and-send access to your email, files, and chats, and the stolen key can stay valid for weeks. It’s the same lesson we’ve been seeing everywhere this year — the token is the thing worth stealing, and MFA doesn’t stop someone who never had to log in.

What This Means for a Business

The uncomfortable part is that this doesn’t take a careless employee. It takes a normal one — someone moving fast, doing their job, clicking through what looks like a routine check. One person following the instructions is enough to put malware on a company device, and from there the attacker can steal saved passwords, stage ransomware, or read the email of anyone whose account gets compromised.

The good news is that the defense is mostly about recognition, and recognition is teachable.

What to Do This Month

  1. Teach the one rule that stops it cold. No legitimate CAPTCHA, verification screen, or website will ever ask you to press Windows+R, open PowerShell, or paste and run a command. Ever. If a page gives you keyboard instructions to “prove you’re human,” close the tab. That single rule defeats the entire ClickFix technique.

  2. Show people what the real thing looks like. Attackers lean heavily on fake Cloudflare and Google verification screens because they’re familiar. A short reminder of what genuine verification looks like — a checkbox or a puzzle, never a command — gives employees something concrete to compare against.

  3. Have a “say something immediately” habit. If someone realizes they followed the steps, the response window matters in minutes, not hours. Make it easy and blame-free to call IT right away. Fast disconnection and password or token resets can shrink a full incident down to a scare.

  4. Back it with the basics. Endpoint protection that catches malicious commands, monitoring that flags unusual activity, and tightened controls on how apps get access to Microsoft 365 all turn a successful lure into a contained event instead of a company-wide one.

The attackers behind ClickFix are betting on speed and habit — that people will act before they think, because the fake screen looks like a hundred real ones. The businesses that shrug this one off will be the ones whose people never learned to pause at the exact moment it counts.

Sources

Since 2002, San Diego-based centrexIT has helped businesses across the western U.S. protect their people from exactly this kind of everyday attack. The scams that work aren’t the obvious ones — they’re the ones that look routine. Take the 2-Minute Cybersecurity Assessment: https://centrexit.com/cyber-security-readiness-assessment/

Found this helpful? Share it with your network.
Written by
centrexIT Team

The centrexIT team brings decades of combined IT expertise, helping San Diego businesses thrive with secure, reliable technology solutions.

Meet Our Team