Bill Hinton/Moment via Getty Images
Follow ZDNET: Add us as a preferred source on Google.
ZDNET’s key takeaways
- Clickfix attacks surged 500% in early 2025.
- Cybercriminals now use AI in BEC scams.
- AI is making phishing harder to detect.
Cybercriminals are shifting their techniques to focus on the human element, with Clickfix social engineering and AI abuse becoming even more popular.
Also: This new cyberattack tricks you into hacking yourself. Here’s how to spot it
On Wednesday, Mimecast published its latest Global Threat Intelligence Report, which tracked threat activity and analyzed trillions of signals from January to September 2025.
The report on modern cyberthreats includes the usual suspects: phishing, ransomware, exploitation of popular business tools like DocuSend, and industry-specific threats. However, two trends highlight a shift in tactics targeting the human element in scams, which are honing in on victims with greater efficiency.
Clickfix rates surge
Many cybersecurity companies and tech giants, including Microsoft, are alerting users to Clickfix — a social engineering technique that is being adopted by threat actors worldwide.
Clickfix is a method to bypass traditional anti-phishing techniques by luring victims into providing initial access to a network or system, thereby eliminating the need for malware to do so. Fake error messages, seemingly minor technical issue alerts, and more dubious messages — such as apparently free ways to install licensed software — are displayed to a victim alongside a simple step-by-step guide.
Unfortunately, these “guides” direct users to launch PowerShell and input commands that trigger the download of a malicious payload, including information stealers and ransomware.
Mimecast says that Clickfix rates surged by 500% in the first half of 2025, accounting for around 8% of all attacks.
Also: If a TikTok ‘tech tip’ tells you to paste code, it’s a scam. Here’s what’s really happening
Hiwot Mendahun, Mimecast Threat Research Engineer, told ZDNET that threat actors are adopting Clickfix as a means of initial access, and the company believes “it will continue to be used as a means to download infostealers, ransomware, remote access trojans (RATs), and custom malware.”
“The use of RMM [Remote Monitoring and Management] tools to enable initial access in the same way is also a vector we continue to see an increase in, with campaigns really focusing on the social engineering aspect,” Mendahun added.
New wave of AI-powered BEC scams
With any new technological innovation, abuse occurs. Artificial intelligence (AI), for example, is being increasingly adopted in phishing and Business Email Compromise (BEC) scams.
While impersonating employees or high-profile executives in phishing and BEC scams is nothing new, AI is being employed in ways that make email chains look more convincing — and not just for creating initial phishing emails.
Mimecast says that AI is being used to generate full conversation chains that impersonate multiple people, including vendors, executives, and third parties.
Also: Scammers have infiltrated Google’s AI responses – how to spot them
For example, during the reconnaissance phase, an attacker may find financial information and reports, HR data, and payroll information that could be used in AI-generated email threads. AI is then used to fabricate a conversation between vendors, employees, and high-profile figures, typically with a sense of urgency — such as a request to pay an invoice immediately.
Recent BEC attack vectors focus on fake invoice payments, bank account detail changes, payroll updates, and wire transfers. The team believes that as AI abuse ramps up with the use of deepfake voice and video content, these scams will become increasingly difficult to detect. And as AI tools are readily available, more cybercriminals will be able to enter the field.
Also: AI unleashes more advanced scams. Here’s what to look out for (and how to stay protected)
“The use of AI in these campaigns specifically gives threat actors the ability to really mass-produce a more targeted thread using automation and potentially altering content to help bypass content-based detection,” Mendahun commented. “Outside of the automated emails, we do see the use of deep voice and videos in BEC campaigns, which enhance the success rate for large fraudulent transactions to be made.”
Who is at risk?
According to Mimecast, education, IT, telecommunications, the legal sector, and real estate companies are the most at risk of impersonation and social engineering-based attacks, “as these sectors often have direct access to high-value targets, handle sensitive financial transactions, and manage confidential client information.”
Also: Perplexity’s Comet AI browser could expose your data to attackers – here’s how
Regarding real estate, the company says that social engineering attack rates are steadily climbing, which could indicate that some criminal groups are pivoting to this sector and away from more traditional targets.
Groups including Scattered Spider and TA2541 have been linked to attacks against these industries.
Recommendations
Phishing and social engineering attacks are nothing new, but the ways they are conducted are constantly evolving — and Clickfix techniques have added another dangerous element to the mix. To reduce the risk of a successful intrusion, consider the following:
Also: Phishing training doesn’t stop your employees from clicking scam links – here’s why
- Increased controls: By implementing additional authentication and authorization checks — preferably across multiple platforms or departments — there are more chances for unauthorized, fraudulent invoices and BEC-related payment requests to be caught before it is too late.
- Multi-factor authentication (MFA): Even if a phishing campaign succeeds, the use of two-factor authentication (2FA) or MFA can reduce the risk of account hijacking.
- Training and awareness: Employees, especially those with privileged status and access to sensitive resources or payment systems, should have regular training to spot phishing, BEC, and social engineering attempts. This doesn’t mean one-and-done annual training, however.
- Zero-trust architecture: When possible, organizations should consider implementing system architecture and controls based on zero-trust principles, so that employees do not have access to any resource that isn’t completely necessary for their job roles, thereby reducing the attack surface.
- Clickfix: Regarding Clickfix social engineering tactics, traditional anti-phishing methods won’t work, as they are designed to lure victims into performing a malicious activity themselves. Increasing awareness of Clickfix and emphasizing that submitting commands to a machine when you aren’t sure what they will do is dangerous and could lead to complete system hijacking.
Want more stories about AI? Check out AI Leaderboard, our weekly newsletter.
