ClickFix is the social engineering technique the Australian Cyber Security Centre flagged in its recent advisory on attacks distributing Vidar Stealer through compromised Australian WordPress sites. If the term is new to you, here’s the plain-English version — because the people most likely to fall for it are the people running the businesses we look after.

What ClickFix actually is

It’s a fake fix. You land on a website that looks normal, and a pop-up appears that mimics a CAPTCHA, a Cloudflare check, or a “browser update needed” prompt. Instead of just ticking a box, the page tells you to press the Windows key, paste a command into Run or PowerShell, and hit Enter to “verify you’re human” or “complete the security check.” The command isn’t a verification — it’s a script that downloads malware. In the current Australian campaign, it’s pulling down Vidar Stealer, which then harvests browser passwords, saved logins, MFA tokens and crypto wallet data.

The clever bit is that it bypasses every email filter, browser warning, and antivirus prompt in the chain. The user runs the command voluntarily. From the operating system’s point of view, nothing is unusual — the legitimate Windows owner just opened PowerShell and ran a command.

Why it matters right now

The current campaign is using genuine Australian business websites as the delivery surface. That means your staff don’t have to wander somewhere shady — a regular browse of a familiar local site can serve the prompt. The iTnews coverage of the ACSC warning is worth a read for the broader context.

What to do

One rule: no legitimate website will ever ask you to copy a command and paste it into Run, PowerShell, or Terminal. Ever. If a page does, close the tab. Brief your team on the prompt to recognise. If you run a WordPress site, keep core, plugins and themes patched — these are the sites being hijacked to serve the bait. Cyber safety training is the long-term fix; it’s the kind of thing that turns “almost clicked” into “didn’t click.”