How to Tell a Real Security Check from a Fake One
Knowing the difference between a genuine Google or Cloudflare screen and a fraudulent one can save your system. Use this quick comparison:
If you ever see any request to open a command prompt, copy a script, or press Windows + R, it’s a scam.

Why ClickFix Attacks Are So Effective in 2026
Several trends have made the ClickFix attack a dominant threat this year:
- AI‑generated phishing pages – Attackers now use large language models to create flawless fake verification screens in any language. The pages look professional and adapt in real time based on your browser type and location.
- Abuse of legitimate tools – By relying on trusted Windows executables like PowerShell,
curl, or certutil, the attack hides in plain sight. Most antivirus software will not flag these because they’re essential system programs.
- The rise of hybrid work – More employees are using personal devices or working from home, where endpoint security may be weaker. A single compromised home PC can provide a stepping stone to corporate networks.
- Cookie theft via infostealers – Many ClickFix payloads deploy infostealers that steal browser cookies. Because cookies can bypass passwords and MFA, attackers can hijack online accounts without ever needing your credentials.
Understanding these trends helps reinforce why basic security advice (like “don’t run unknown commands”) is more important than ever.
A Closer Look at the Malicious Payload
What exactly does that one‑line PowerShell script do? While the exact code varies, most ClickFix payloads follow a simple three‑step pattern:
- Download – The script uses a command like
Invoke-WebRequest or curl.exe to fetch a larger malicious file from a remote server. The download source is often a legitimate‑looking domain that was compromised or registered specifically for the attack.
- Execute – The downloaded file is immediately executed. It could be a
.exe, a .msi installer, or an obfuscated script. Because the download happens in memory or a temporary folder, it rarely triggers file‑based antivirus scans.
- Establish persistence – The malware adds itself to the Windows Registry or creates a scheduled task so it survives reboots and remains hidden. Once persistence is established, the hacker can remotely control the computer, steal data, or encrypt files for ransomware.
The key takeaway is that even a single command can initiate a chain reaction that is nearly impossible to stop once started.
What Businesses Should Do to Protect Employees
If you run a small business or manage an IT team, add these layers of defence against ClickFix attacks:
- Restrict PowerShell execution – Use Group Policy (on Windows) to enforce PowerShell Constrained Language Mode or disable PowerShell entirely for users who don’t need it. This prevents many scripts from running even if a user is tricked.
- Deploy application allowlisting – Tools like Windows Defender Application Control (WDAC) can block any executable that isn’t on a pre‑approved list. Even if a script downloads a payload, the system will refuse to run it.
- Provide visual examples in training – Show employees real screenshots of ClickFix attacks during security awareness training. Tell them exactly what to watch for: any website that mentions PowerShell, Windows + R, or
cmd.exe in its instructions.
- Monitor for suspicious command lines – Use Endpoint Detection and Response (EDR) solutions to generate alerts whenever a script downloads content from the internet. Early detection can stop an attack before the payload executes.
How to Report a ClickFix Page
If you encounter a fake Google or Cloudflare verification screen, reporting it helps protect others.
- Google Safe Browsing – Go to safebrowsing.google.com/safebrowsing/report_phish/ and submit the deceptive URL.
- Cloudflare Abuse – If the site appears to be behind Cloudflare, forward the URL to abuse@cloudflare.com with a brief description and a screenshot.
- Microsoft Security Intelligence – Submit the malicious URL or file hash via microsoft.com/wdsi/support/report if the payload targets Windows.
- Your local CERT or CSIRT – Many countries have a national Computer Emergency Response Team that tracks cyber threats and can issue wider alerts.
Taking two minutes to report a phishing page can help get it taken down within hours.

Quick Checklist: Is That Security Prompt Real?
Before you follow any on‑screen instructions, run through this mental checklist:
- Did the page appear suddenly after clicking a link or opening an email? (If yes, be suspicious.)
- Is the domain exactly
google.com, cloudflare.com, or the official website you intended to visit?
- Does the page mention
PowerShell, cmd, Terminal, or Windows + R? (If yes, close the tab immediately.)
- Is there a countdown timer pressuring you to act quickly? (Legitimate checks don’t use fear tactics.)
- Can you close the tab without issue? (If the page resists closing, use Task Manager to end the browser process.)
If you answered “no” to any of these, assume the page is malicious. Close it, run a quick scan with your security software, and clear your browser cache.
im facing the same issue