The new era of ClickFix social engineering — what every IT manager should know

ClickFix bypasses traditional controls with serious business consequences. Learn attack costs, NIS2 implications, and practical steps to protect your organization.

An IT manager at a city hall calls me on Monday morning. One of the finance department employees received a message about the need to verify their browser. It looked like a standard CAPTCHA window — “Confirm that you are not a robot.” The employee followed all the on-screen instructions: opened the Run dialog, pasted the command, pressed Enter. Within seconds, a remote access trojan began running on their workstation. No alert appeared. No notification. The security system didn’t react — because from its perspective, an authorized user had consciously executed a system command.

This story repeats itself more and more frequently. The ClickFix technique — as this mechanism is called — is not just another phishing variant that we can solve with a better email filter. It is a fundamental change in how attackers reach our organizations. ESET’s Threat Report H1 2025 recorded a 517% increase in ClickFix detections over six months. Proofpoint’s Human Factor Report from August 2025 confirmed a 400% year-over-year increase. This article explains why ClickFix should be on every board’s agenda, how much a successful attack can cost an organization, and what concrete steps to take — even with a limited budget.

What is ClickFix and why don’t traditional security controls detect it?

ClickFix is a social engineering technique in which attackers persuade the victim to independently run a malicious command on their own computer. The name comes from the bait scenario — the user sees a message suggesting they need to “fix” something with a “click.” In practice, the victim copies a command to the system clipboard and pastes it into the Windows Run dialog. From the perspective of the operating system and all security tools, this looks identical to a conscious action by an authorized user.

In conversations with clients, I often explain this with a simple analogy. Imagine your company has the best alarm system in the building. Motion sensors, cameras, biometric locks. Now imagine that someone convinced your employee to open the door themselves and invite the intruder inside. The alarm won’t trigger — because an authorized person opened the door in the normal way. This is exactly how ClickFix works in the digital world.

The technique appeared in early 2024, but the real explosion came in 2025. According to ESET data from the Threat Report H1 2025 published in June 2025, ClickFix now accounts for 8% of all blocked attacks — making it the second most popular attack vector in the world, right after classic phishing. In August 2025, security researchers identified 13,695 unique domains registered in a single coordinated ClickFix campaign — demonstrating the industrial scale at which criminal groups operate.

What is even more concerning — ClickFix has ceased to be an exclusively cybercriminal tool. Proofpoint documented that within 90 days (October 2024 — February 2025), the technique was adopted by groups linked to three nations: Russia’s APT28, North Korea’s Kimsuky, and Iran’s MuddyWater. When intelligence groups — possessing their own advanced tools — reach for ClickFix, it is an unambiguous signal of how effective this technique is.

Why aren’t traditional anti-phishing trainings enough for ClickFix?

The question I get most frequently from clients: “But we do phishing training — doesn’t that protect us?” The answer is difficult, but I must give it honestly — no, traditional anti-phishing trainings do not protect against ClickFix. Not because they are poorly conducted. Because they address a different problem.

Traditional trainings teach employees three things: don’t click suspicious links, don’t open unknown attachments, check the sender’s address. These rules are correct and still important. But in a ClickFix attack, there is no link to click. There is no attachment to open. The user sees a system message — looking like a CAPTCHA, browser update, or security verification — and themselves performs the action that launches the attack. The three basic rules they were taught simply do not apply.

Academic research from 2025 confirms this problem at a broader level. A team from the University of Chicago and UC San Diego published an analysis at the Oakland 2025 conference finding that annual cybersecurity training has no statistically significant correlation with reduced employee susceptibility to phishing. A parallel research project on a sample of 12,511 employees at an American fintech company reached a similar conclusion — training interventions had “negligible effects” on click rates. Verizon’s DBIR 2025 noted that click rates in simulated phishing attacks have been stuck at approximately 1.5% for years — a “behavioral floor” below which standard training cannot push.

This does not mean trainings are worthless. It means they need a fundamental update. Instead of teaching only “don’t click links,” they must include a new module: “no legitimate website will ever ask you to open the Run dialog and paste a command.” This single rule — encoded in every employee’s awareness — eliminates the effectiveness of the ClickFix lure. But this requires a change in approach from training providers and internal awareness programs, which has not yet happened in many organizations.

What do I hear from clients when we discuss ClickFix?

In my work as a Key Account Manager at nFlo, I speak with IT managers, directors, and people responsible for security across dozens of organizations. Reactions to ClickFix fall into several repeating patterns — and each one says something important about the state of preparedness in organizations.

The first reaction: “I didn’t know something like this existed.” This is the most common response in the public sector and among mid-size companies. IT managers track vulnerability alerts, update systems, maintain firewalls — but ClickFix doesn’t appear in typical security bulletins as a “vulnerability to patch.” It’s an attack on people, not on systems. And many IT professionals simply haven’t heard about it in the context of a direct threat to their organization.

The second reaction: “But we have a good antivirus.” This is an understandable belief — the organization has invested in EDR, SIEM, email filters. The problem is that ClickFix deliberately bypasses each of these layers separately. The user runs the command themselves, so EDR sees a legitimate action. The lure often doesn’t arrive by email, so the email filter doesn’t see it. The command uses native Windows tools (nslookup, PowerShell), so there is no executable file to scan. Explaining this to a client — without fearmongering, but with concrete facts — is one of the most important conversations I have.

The third reaction: “How much will this cost?” And here we get to the heart of the matter. Because the question isn’t “how much does protection cost,” but “how much does the lack of protection cost.” A client with 50 employees thinks they are not a target. But the data says otherwise — according to KnowBe4’s Phishing by Industry Benchmark Report 2025, 33.1% of untrained employees will click on a simulated phishing attack. In an organization of 50 people, that is statistically 16–17 individuals who could execute a malicious command.

The fourth reaction — the hardest one: “It won’t happen to us.” This is a classic belief I hear especially in public institutions. I always respond the same way: state-sponsored groups APT28 and Kimsuky adopted ClickFix for attacks on public administration and think tanks. If Russian military intelligence considered this technique effective enough, an organization in Poland — where the public sector is one of the primary targets — cannot assume it is safe.

How much does a successful social engineering attack really cost an organization?

Many companies think about the costs of cyberattacks in abstract terms — “that’s a big corporation problem” or “it doesn’t concern us.” But the data from 2025 is unforgiving and applies to organizations of every size.

Let’s start with a concrete case. In April 2025, the American company DaVita — a healthcare services provider — fell victim to a ransomware attack by the Interlock group, which began with the ClickFix technique. The result: 2.7 million patient records exfiltrated, $13.5 million in direct costs in a single quarter. In May 2025, the Kettering Health hospital network lost 941 GB of data — 732,490 files containing patient data, financial documents, and identification numbers. Costs were not publicly disclosed, but the Interlock group’s ransom demands range from hundreds of thousands to millions of dollars per incident.

IBM’s Cost of Data Breach 2025 report states that the average global cost of a data breach is $4.44 million. In the United States — $10.22 million, an all-time record. Breaches initiated by phishing — and ClickFix is an evolution of phishing — cost an average of $4.8 million. The Unit 42 Global Incident Response Report 2025 specifies that 86% of investigated cyberattacks caused direct business impact.

For mid-size companies, the amounts may be lower in absolute terms but proportionally equally destructive. The average cost of a data breach in an SME ranges from $120,000 to $1,240,000. For a company with annual revenue of $2.5 million, this can mean anywhere from several to dozens of percent of annual turnover. Add to this the indirect costs: loss of customer trust, regulatory penalties (more on this shortly in the context of NIS2), operational downtime, legal costs, and reputational damage.

Key takeaway: ClickFix attack costs in numbers
- DaVita, April 2025: $13.5M in direct costs after the Interlock/ClickFix attack
- IBM 2025: average cost of a phishing-initiated data breach = $4.8M
- Unit 42 2025: 86% of attacks cause direct business impact
- SMEs: average breach cost = $120,000–$1,240,000
- Median time from receiving a phishing message to clicking: under 60 seconds (Verizon DBIR 2025)

How does ClickFix affect the public sector and mid-size organizations?

In conversations with public sector clients, I see a repeating pattern: one or two IT staff for an entire government office. A limited budget, hundreds of employees, outdated systems, no dedicated security position. This is an environment where ClickFix is particularly dangerous — and particularly effective.

The public sector accounts for 50% of nFlo’s client portfolio, so I know these problems firsthand. A municipal office employee is not an IT specialist. When they see a message saying “Your browser requires verification — follow the steps below,” they don’t have the mental or procedural tools to recognize the threat. Not because they are careless — but because nobody taught them that such a scenario exists. Their cybersecurity training — if it even took place — covered recognizing suspicious emails, not fake system messages requiring the execution of a command in the Run dialog.

In mid-size companies, the situation is similar, though with different nuances. A company with 50–200 employees typically has an IT department but not a SOC team. It has an antivirus, perhaps EDR — but there is nobody continuously analyzing logs and looking for behavioral anomalies. ClickFix in such an organization can operate undetected for days or weeks — because there is no one to check whether the accounting department user really should be running nslookup at 9:15 in the morning.

An additional problem for the public sector is procurement procedures. Even if an IT manager identifies the threat and knows what solution is needed, the tender process can take months. During that time, the organization remains exposed. Many government offices operate in a paradox — regulatory requirements (KRI, and in the future NIS2) demand protection, but procurement procedures prevent rapid response to new threats.

The Unit 42 report from 2025 confirms this trend: social engineering was the primary entry vector in 36% of all investigated incidents, and one-third of those used techniques other than classic phishing — including fake system messages and help desk manipulation. This is exactly the ClickFix profile.

Do NIS2 and regulatory frameworks require protection against techniques like ClickFix?

A question I hear increasingly from clients in the public sector and companies that are beginning to fall under new regulations: “Do I have to deal with this because the law says so?” The answer is unambiguous — yes.

The NIS2 Directive in Article 20 explicitly requires member states to ensure that management bodies of essential and important entities undergo cybersecurity training and that similar training is regularly offered to employees. The scope includes, among other things, recognizing phishing, social engineering, suspicious links, and CEO fraud attempts. Training must cover all organizational levels — from customer-facing employees to board members.

Penalties for non-compliance with NIS2 are significant. For essential entities — up to €10 million or 2% of global annual turnover (whichever is higher). For important entities — up to €7 million or 1.4% of turnover. In Poland additionally — a fine of up to PLN 100 million (approximately €23 million) if violations cause a direct and serious threat to national security, public order, or human life. And — what is particularly noteworthy — personal liability of management, including the possibility of a ban from holding management positions.

In the context of KRI (National Interoperability Framework) — a regulation already in force in the Polish public sector — information security requirements include risk management, employee training, and the implementation of appropriate technical and organizational safeguards. A ClickFix-type attack, which exploits a lack of employee awareness, directly falls into the category of risk that an organization should identify and address.

I tell clients directly: compliance is not a goal in itself, but it is an effective argument in conversations with management about the budget. When an IT manager goes to the mayor and says “we need training on a new type of social engineering,” the response may be “we don’t have the money for that.” But when they say “regulations require us to provide cybersecurity training, and failure to do so exposes us to a fine of up to €10 million and personal liability for management” — the conversation goes differently.

What is the real return on investment in social engineering protection?

Many clients ask me: “How much does it cost?” before asking “how much could we lose?” That is why I always start with economics — because budget decisions in organizations are made based on numbers, not on fear.

The cost of a professional security awareness training program on the market ranges from $12 to $36 per user per year, depending on the platform and scope. For an organization with 200 employees, this is an expense of approximately $5,000 to $15,000 per year. Compare this with the median cost of a data breach — $4.44 million globally according to IBM, and even in the minimum variant for SMEs — $120,000. A single successful breach costs more than a decade of continuous training.

KnowBe4 data from May 2025 shows that a well-run training program reduces employee susceptibility to phishing by 86% within 12 months. Organizations with comprehensive awareness programs reduce breach-related costs by an average of $1.5 million. ROI on security awareness training investment ranges from 3x to 7x — meaning for every dollar invested, the organization protects $3 to $7 in value.

But training alone is not everything. Training must be complemented by social engineering tests — controlled simulations that check how employees respond to real scenarios, including ClickFix. Without tests, you don’t know if the training worked. Without tests, you have no data to report to the board. Without tests, compliance is on paper only — and the regulator, in the event of an incident, will ask not only “did you train?” but “did you verify the effectiveness of your training?”

In practice, the recommended model is: quarterly training (e-learning + a module on new threats, including ClickFix) plus social engineering tests twice a year (phishing simulations and ClickFix scenarios). The cost of such a program for a 100-person organization is in the range of $5,000 to $12,000 per year — a fraction of potential losses.

Key takeaway: Economics of ClickFix protection
- Training cost: $12–36/user/year
- ROI: 3x–7x of the invested amount
- Susceptibility reduction: 86% after 12 months (KnowBe4 2025)
- Breach cost reduction: average $1.5M in organizations with training
- For a 200-person company: $5,000–15,000/year vs. a potential loss of $120,000+ from a single incident

How to talk to the board about a threat that doesn’t show up in the logs?

The biggest challenge IT managers face is convincing the board to invest in protection against something that hasn’t happened yet. ClickFix further complicates this conversation — because it is not a vulnerability you can show in a scan, nor an alert in a SIEM that you can demonstrate on a dashboard.

In conversations with clients, I have developed an approach that works. I don’t start with fearmongering. I don’t show articles about “apocalyptic threats.” I start with three questions for the board:

First question: “If tomorrow an accounting department employee accidentally let an intruder into our system, how quickly would we find out?” The median time from compromise to detection — the so-called dwell time — is 7 days according to Unit 42 (2025). For a week, the attacker can explore the network, exfiltrate data, and prepare ransomware.

Second question: “How much would a week of operational downtime cost us?” This question transforms an abstract threat into a concrete number. Every organization can calculate how much it loses per day of system downtime.

Third question: “Do our current trainings include a scenario where an employee runs malicious code themselves, convinced they are fixing a browser problem?” In 95% of cases, the answer is “no.” And that is the moment when the board starts listening — because they see a specific gap, not an abstract threat.

The key in this conversation is avoiding the position of a “fearmongering salesperson.” It is not about making the board afraid. It is about them making an informed decision. It’s not about fear, it’s about informed decision-making — this is the sentence I repeat to clients like a mantra. A board that understands the risk and consciously decides on the level of acceptance is in a significantly better position than a board that doesn’t know about the threat.

What minimum protective steps should every IT manager take?

Not every organization can immediately implement advanced behavioral detection systems and DNS security. But every organization — regardless of budget and size — can take concrete steps that significantly reduce the risk of ClickFix. I discuss this with clients regularly and have a proven set of recommendations, organized from the simplest to the most advanced.

Step one — immediate and zero-cost: send all employees a simple, clear message: “No legitimate website will ever ask you to open the Run dialog (Windows+R) and paste a command. If you see such a message — close the browser and report it to the IT department.” One email, one poster in the break room, one sentence at a briefing. This is the simplest and one of the most effective controls.

Step two — low-cost, requires GPO: disable the Run dialog for users who do not need it in their daily work. The Group Policy “Remove Run menu from Start Menu” effectively eliminates the primary ClickFix vector. Finance, HR, and secretariat employees do not need the Run dialog. Administrators and helpdesk — yes, but for them you can implement monitoring.

Step three — requires network configuration: block DNS traffic (port 53) to servers outside the list of authorized organizational resolvers. The latest ClickFix variant — with DNS staging, described by Microsoft in February 2026 — uses DNS queries to external servers as a channel for delivering malicious code. A simple firewall rule eliminates this vector. Cost: administrator time for configuration.

Step four — requires a budget decision: restrict PowerShell execution on end-user workstations. Constrained Language Mode or AppLocker rules — this closes one of the most common channels for the second stage of the attack. Accounting department employees do not need to run PowerShell scripts.

Step five — investment in people: implement regular security awareness training with a module covering ClickFix scenarios, supplemented by social engineering tests at least twice a year. This is the only way to measure whether the organization is truly prepared — and not just formally compliant with requirements.

What does a ClickFix defense implementation plan look like for organizations at different maturity levels?

Based on conversations with dozens of clients — from one-person IT departments in government offices to multi-person security teams in corporations — I have developed a practical model that helps organizations assess their maturity level and plan their next steps. Not every organization needs to — or can — implement everything at once.

| Level | Organization profile | Action | Approximate cost | Implementation time |
|---|---|---|---|---|
| 1 — Basic | Any organization, regardless of budget | Employee communication + disable Run dialog via GPO | $0 (administrator time) | 1–2 days |
| 1 — Basic | Same as above | Block DNS to servers outside the authorized list | $0 (firewall configuration) | 1 day |
| 2 — Extended | Organizations with 50+ employees | E-learning training with ClickFix module (quarterly) | $1,500–4,000/year | 2–4 weeks |
| 2 — Extended | Same as above | Restrict PowerShell (Constrained Language Mode) | $0 (GPO configuration) | 3–5 days (testing) |
| 2 — Extended | Same as above | Social engineering tests 2x/year | $2,000–6,000/year | Cyclical |
| 3 — Advanced | Organizations with an IT team of 5+ people | Command-line auditing + SIEM correlation rules | $2,500–7,500 (implementation) | 2–4 weeks |
| 3 — Advanced | Same as above | Full DNS response logging with anomaly analysis | $4,000–10,000/year | 4–8 weeks |
| 4 — Mature | Organizations with a dedicated SOC | Browser isolation with clipboard control | $12,000+/year | 2–3 months |
| 4 — Mature | Same as above | DNS security with passive DNS and threat intelligence | $7,500–20,000/year | 4–8 weeks |

The key observation: level 1 is accessible to every organization — including municipal offices with one IT staff member and zero budget for new tools. Disabling the Run dialog and blocking unauthorized DNS traffic are two actions that can be completed within a single business day and that eliminate the core of the ClickFix mechanism. It is not a perfect solution — but it is a solid foundation from which to build further.
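The detection side of steps three and four above and of the level 3 rows in the table (command-line auditing with SIEM correlation, DNS response logging with anomaly analysis), as an added example that is not nFlo's or Microsoft's code: three rules run over constructed process-creation and DNS records and are then correlated per host. The resolver addresses, privileged user list, watched binaries, thresholds, host names and sample records are all assumptions made up for the example.

```python
"""ClickFix-chain detection over constructed SIEM records: Run-dialog launches
of native tools, DNS that bypasses authorized resolvers, high-entropy TXT."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Assumptions (not from the article): resolvers, privileged users, binaries, thresholds.
AUTHORIZED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
PRIVILEGED_USERS = {"helpdesk01", "sysadmin"}
LOLBINS = {"powershell.exe", "pwsh.exe", "nslookup.exe", "mshta.exe", "cmd.exe"}
TXT_LEN_THRESHOLD = 120      # SPF/DMARC/site-verification TXT records are shorter
TXT_ENTROPY_THRESHOLD = 4.5  # bits per char; base64-like data scores 5 to 6
CORRELATION_WINDOW = 300     # seconds from Run-dialog launch to DNS anomaly

@dataclass
class ProcEvent:  # process creation (Security 4688 / Sysmon 1), basenames only
    ts: int       # epoch seconds
    host: str
    user: str
    image: str
    parent_image: str

@dataclass
class DnsEvent:   # one resolver or DNS-firewall log line
    ts: int
    host: str
    resolver: str
    qname: str
    qtype: str
    answer: str

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score far above natural text."""
    if not s:
        return 0.0
    return -sum(c / len(s) * math.log2(c / len(s)) for c in Counter(s).values())

def run_dialog_alerts(events: List[ProcEvent]) -> List[Dict]:
    """Rule 1: a native tool started by explorer.exe (how a Win+R launch appears)
    for a non-privileged user. EDR sees a legitimate action; parent + binary +
    user together are what earn a ticket."""
    return [{"rule": "RUN-DIALOG-LOLBIN", "ts": e.ts, "host": e.host,
             "detail": f"user={e.user} image={e.image}"}
            for e in events
            if e.image.lower() in LOLBINS
            and e.parent_image.lower() == "explorer.exe"
            and e.user.lower() not in PRIVILEGED_USERS]

def dns_alerts(events: List[DnsEvent]) -> List[Dict]:
    """Rule 2: query to a resolver outside the authorized list. Rule 3: long,
    high-entropy TXT answer (the shape of DNS staging); real DKIM keys look the
    same, so production use needs an allow-list of known selectors."""
    alerts = []
    for e in events:
        if e.resolver not in AUTHORIZED_RESOLVERS:
            alerts.append({"rule": "UNAUTHORIZED-RESOLVER", "ts": e.ts, "host": e.host,
                           "detail": f"resolver={e.resolver} qname={e.qname}"})
        if (e.qtype == "TXT" and len(e.answer) > TXT_LEN_THRESHOLD
                and shannon_entropy(e.answer) > TXT_ENTROPY_THRESHOLD):
            alerts.append({"rule": "SUSPICIOUS-TXT", "ts": e.ts, "host": e.host,
                           "detail": f"qname={e.qname} len={len(e.answer)}"})
    return alerts

def correlate(proc: List[ProcEvent], dns: List[DnsEvent]) -> List[str]:
    """Hosts where a Run-dialog launch is followed within the window by a DNS
    anomaly: the whole ClickFix chain rather than two weak signals."""
    dns_hits = dns_alerts(dns)
    return sorted({p["host"] for p in run_dialog_alerts(proc)
                   if any(d["host"] == p["host"] and 0 <= d["ts"] - p["ts"] <= CORRELATION_WINDOW
                          for d in dns_hits)})

# Constructed sample records: documentation IPs, .invalid names, made-up hosts.
B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
FAKE_BLOB = "".join(B64[(i * 7 + 3) % 64] for i in range(200))  # stand-in for encoded data
T0 = 1_700_000_000
SAMPLE_PROC = [
    ProcEvent(T0, "FIN-PC-07", "j.kowalska", "nslookup.exe", "explorer.exe"),
    ProcEvent(T0 + 60, "IT-PC-01", "helpdesk01", "powershell.exe", "explorer.exe"),
    ProcEvent(T0 + 400, "FIN-PC-07", "j.kowalska", "excel.exe", "explorer.exe"),
]
SAMPLE_DNS = [
    DnsEvent(T0 + 2, "FIN-PC-07", "203.0.113.10", "cdn.example.invalid", "TXT", FAKE_BLOB),
    DnsEvent(T0 + 5, "IT-PC-01", "10.0.0.53", "_dmarc.example.invalid", "TXT", "v=DMARC1; p=reject"),
]
if __name__ == "__main__":
    for a in run_dialog_alerts(SAMPLE_PROC) + dns_alerts(SAMPLE_DNS):
        print(a["ts"], a["rule"], a["host"], a["detail"])
    print("full-chain hosts:", correlate(SAMPLE_PROC, SAMPLE_DNS))
```

The first rule only works if process-creation auditing with parent-process fields is actually collected (Security 4688 or Sysmon), which is the "command-line auditing" row of the table; without those events the rule has nothing to evaluate.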

How to measure the effectiveness of social engineering defense?

Many organizations implement training and technical controls but do not measure their effectiveness. From the board’s perspective — and the regulator’s — this is a serious problem. It is not enough to say “we trained employees.” You need to prove that the training had an effect.

The first metric — and the most direct — is the result of social engineering tests. A professional test simulates real ClickFix scenarios: an employee receives a lure (email or redirect to a crafted page), sees a fake message with instructions, and either executes the malicious command or recognizes the threat and reports it. The “click” rate (in the case of ClickFix — “execution” rate) in the first test provides the baseline. KnowBe4’s Phishing by Industry Benchmark Report 2025 states that the average baseline for untrained employees is 33.1%. In the healthcare sector — as high as 41.9%.

The second metric — reporting speed. How much time passes from the moment an employee sees a suspicious message to the moment they report it to IT? In well-prepared organizations, this is minutes. In unprepared ones — the incident is not reported at all, because the employee doesn’t know that something happened.

The third metric — the trend over time. We are not interested in a single measurement, but in the trajectory. After the first training and test — a retest after 3 months. A well-run program should show a decline in the susceptibility rate of 40% within 90 days and 86% within 12 months (KnowBe4 benchmark). If the rate does not decline — the training needs modification.

The fourth metric — regulatory coverage. Do the trainings cover all required scenarios (phishing, social engineering, CEO fraud, fake system messages)? Do they cover all organizational levels, including the board? Are they documented in a way that will allow demonstrating compliance during a NIS2 audit or regulatory inspection?

I prepare a report for clients after every social engineering test — with trends, industry benchmarks, and specific recommendations. Not to point fingers at “culprits,” but to give the board a tool for making informed decisions about further investments in security.

How does nFlo help organizations prepare for the new era of social engineering?

At nFlo, we approach protection against social engineering — including ClickFix — as a process, not a one-time project. I work with clients for whom security is a daily operational challenge, not an abstract regulatory requirement. That is why our approach combines three elements: education, testing, and technical support.

In terms of social engineering testing, we design scenarios reflecting real techniques — including ClickFix variants with fake CAPTCHA messages and instructions to run system commands. We test how employees react, measure metrics, and deliver a report with specific recommendations. We are not interested in statistics for the sake of statistics — we are interested in whether the organization is safer after the test than before it.

The security architecture analysis we conduct takes into account the DNS layer as a potential attack vector. We verify whether the organization enforces the use of internal resolvers, whether it logs DNS responses, whether firewall rules block unauthorized DNS traffic, and whether SIEM systems correlate DNS events with endpoint activity. For many clients, this analysis reveals gaps they didn’t know about — because DNS is one of the most commonly overlooked elements in security architecture.

As part of incident management, we respond in under 15 minutes. In the case of ClickFix — where compromise occurs in seconds — response speed can mean the difference between isolating a single workstation and lateral movement by the attacker across the entire network. Experience from over 500 completed security projects enables the nFlo team to quickly identify behavioral patterns characteristic of new attack techniques.

But above all — I am available to clients as an advisor. When an IT manager at a government office hears about ClickFix and doesn’t know where to start, they can call me. We will discuss the situation, assess the risk, and plan concrete steps — tailored to their budget, team, and organizational maturity level. Because cybersecurity is not a product on a shelf. It is a partnership.

Frequently asked questions

Does ClickFix only affect Windows systems?

The variant described by Microsoft in February 2026 targets Windows, using the Run dialog (Win+R) and tools such as nslookup and PowerShell. However, ClickFix variants for macOS (using Terminal) and Linux were observed in campaigns from 2025. The social engineering mechanism — persuading a user to run a command — works regardless of the operating system.

Is a small organization (under 50 employees) at risk?

Yes. Criminal groups run mass campaigns — in August 2025, 13,695 ClickFix domains were identified in a single operation. They do not target specific companies, but rather anyone who lands on a crafted page. Organization size does not protect — employee awareness and proper system configuration do.

How long does it take to implement basic ClickFix protection?

Level 1 (employee communication + disabling Run dialog + DNS blocking) — 1–2 days. Level 2 (training + PowerShell restriction) — 2–4 weeks. Level 3 (monitoring + SIEM rules) — 4–8 weeks. The key is to start with level 1 immediately and implement subsequent levels gradually.

Won’t social engineering tests demotivate employees?

This is a common concern. In practice — well-conducted tests have an educational effect, not a punitive one. We do not point fingers at people who “got caught.” We show the organization where the gaps are and help close them. Employees who have gone through a social engineering test are significantly more alert to real threats — even if they fell for the lure the first time.

How does ClickFix fit into NIS2 requirements?

NIS2 (Article 20) imposes an obligation for regular cybersecurity training that includes, among other things, recognizing social engineering. ClickFix is a social engineering technique — a lack of training covering this scenario may be considered a gap in fulfilling regulatory obligations. Penalties for non-compliance reach €10 million or 2% of global turnover, with personal liability for management.

Where to start if I have a limited budget?

With three zero-cost steps: (1) inform employees that no website asks them to paste commands into the Run dialog, (2) disable the Run dialog via GPO for non-admin users, (3) block DNS traffic to servers outside the list of organizational resolvers. This eliminates the core of the ClickFix mechanism and requires no purchases.
