We've all clicked "I'm not a robot" a thousand times. That familiarity is exactly what a growing cyberattack is counting on. It's called "ClickFix," and it’s showing up more often across the web. At EPK Solutions, we want to make sure our clients and community know how to spot it before it catches them off guard.

How the scam works

It usually starts innocently. You click a link from an email, an online ad, or even a legitimate website that's been compromised. A pop-up appears asking you to "verify you are human" or "fix an error" to continue.

But this is no ordinary CAPTCHA. Behind the scenes, the page secretly copies a hidden command onto your computer's clipboard. Then it gives you simple-looking instructions:

Press Windows + R, then Ctrl + V, then Enter.

If you follow them, you unknowingly run that hidden command — which downloads malware designed to steal your passwords, banking details, browser data, and more. All in a matter of seconds.

What makes ClickFix so dangerous is that you perform the action. Because the victim runs the command manually, the attack often slips past security tools that would normally block it.

The one rule that keeps you safe

Here's the simplest way to protect yourself:

No legitimate website, CAPTCHA, or error message will EVER ask you to press Windows + R and paste something. Ever!

If you see those instructions, stop immediately and close the tab. Don't paste anything.

If you think you've already fallen for it, disconnect from the internet, run a full malware scan, and change your passwords from a different, trusted device.

Spread the word

The best defense against ClickFix is awareness. Share this with your coworkers, friends, and family — especially anyone less tech-savvy.