Clickfix attacks surge 500% as AI powers sophisticated email scams

Cybercriminals are increasingly targeting the human element in security systems, with Clickfix social engineering attacks surging 500% in early 2025 and AI-powered business email compromise (BEC) scams becoming more sophisticated. This shift represents a fundamental change in cyber attack strategies, moving away from traditional malware-based approaches toward exploiting human psychology and trust, making these threats particularly dangerous for organizations across multiple sectors.

What you should know: Clickfix attacks have become a dominant threat vector, accounting for 8% of all cyberattacks while bypassing traditional security measures entirely.

  • The technique uses fake error messages and technical alerts to trick victims into manually executing malicious PowerShell commands that download ransomware, information stealers, and other malware.
  • Unlike traditional phishing, Clickfix doesn’t rely on malware initially—instead, it manipulates users into providing direct system access through social engineering.
  • “The use of RMM [Remote Monitoring and Management] tools to enable initial access in the same way is also a vector we continue to see an increase in, with campaigns really focusing on the social engineering aspect,” said Hiwot Mendahun, Mimecast Threat Research Engineer.

AI’s dangerous evolution: Artificial intelligence is now being weaponized to create highly convincing multi-person email conversations that impersonate executives, vendors, and third parties.

  • Attackers use AI to generate entire conversation threads between multiple parties, incorporating real financial data, HR information, and payroll details gathered during reconnaissance.
  • These fabricated email chains typically create artificial urgency around fake invoice payments, bank account changes, payroll updates, and wire transfers.
  • “The use of AI in these campaigns specifically gives threat actors the ability to really mass-produce a more targeted thread using automation and potentially altering content to help bypass content-based detection,” Mendahun explained.

Industries at highest risk: Education, IT, telecommunications, legal, and real estate sectors face the greatest exposure to these evolving social engineering attacks.

  • These industries are targeted because they “often have direct access to high-value targets, handle sensitive financial transactions, and manage confidential client information.”
  • Real estate companies are experiencing steadily climbing attack rates, suggesting criminal groups like Scattered Spider and TA2541 are pivoting toward this sector.
  • The shift indicates cybercriminals are moving away from more traditional targets to exploit sectors with less mature security awareness.

The deepfake threat: Security experts warn that AI-generated voice and video content will make BEC scams even more difficult to detect.

  • Deepfake technology is already being integrated into BEC campaigns to enhance success rates for large fraudulent transactions.
  • As AI tools become more accessible, the barrier to entry for cybercriminals continues to lower, potentially expanding the threat landscape significantly.

Essential defense strategies: Organizations must implement multi-layered security approaches that account for these human-focused attack vectors.

  • Increased controls: Implement additional authentication and authorization checks across multiple platforms to catch fraudulent requests before execution.
  • Multi-factor authentication: Deploy 2FA or MFA to reduce account hijacking risks even when phishing succeeds.
  • Continuous training: Provide regular, ongoing security awareness training rather than annual one-time sessions, especially for employees with privileged access.
  • Zero-trust architecture: Limit employee access to only resources essential for their roles, reducing the overall attack surface.
  • Clickfix awareness: Educate staff that traditional anti-phishing methods won’t detect these attacks, emphasizing the danger of executing unknown commands.

How Clickfix and AI are helping hackers break into your systems - at an alarming rate
