ClickFix is a social engineering technique that is catching even cautious users off guard. Unlike a traditional phishing attack, where the target clicks a malicious link or opens a dangerous attachment, ClickFix works by convincing the victim to do the damage themselves by following what appear to be completely reasonable instructions to fix a problem on their computer.
Here is how it works:
- You visit a website, click a link in an email, or land on a page that suddenly displays what looks like a familiar error message from your browser or operating system.
- The message says something has gone wrong and offers a simple fix: Just copy a command and paste it into a box on your computer, then press Enter.
- If you do, malicious software is silently downloaded and installed in the background.
- From there, attackers can steal usernames and passwords, access remote systems, install ransomware that locks up your files and demands payment to restore access, or destroy data entirely.
Why Election Officials Should Be Concerned
The Election Security Exchange is not aware of ClickFix being used to target election offices. Nevertheless, the technique is increasingly widespread and is being deployed through phishing emails, compromised news websites, and even hacked versions of legitimate tools. Election offices are not immune.
What makes ClickFix particularly dangerous for election offices is that it is designed to look like a routine technology problem, not an attack. Election staff are accustomed to following instructions from their IT teams, troubleshooting error messages, and acting quickly when something appears to be broken, especially during the busy pre-election period. Like other social engineering techniques, ClickFix exploits that instinct.
What is Social Engineering?
According to the Center for Internet Security, social engineering is “the use of deception to manipulate individuals into providing a particular response, generally for a fraudulent or malicious purpose.”
The attack does not require the victim to download a file, click a suspicious link, or ignore a security warning. It just requires them to follow instructions.
Temporary and seasonal election workers are especially at risk. Unlike permanent staff, they may not have received security training, may be less familiar with the normal IT procedures in your office, and may be reluctant to question unusual instructions for fear of seeming incompetent or difficult. However, they often have access to the same systems as full-time employees.
What Election Offices Should Do
ClickFix attacks are largely preventable with a combination of awareness and basic safeguards. Election offices should consider taking the following steps:
- Train Your Team: Tell everyone (including temporary and seasonal staff), “No legitimate website, browser, or operating system will ever ask you to open PowerShell or a Run box and paste a command to fix an issue. If you see that, stop and call IT immediately.” For broader guidance on recognizing phishing in all forms, refer to the Election Security Exchange’s Phishing Threats resource, highlighted below in the Resource Library.
- Talk to IT Teams/Vendors Now: Ask them, “Do we have anything set up to stop staff from running unauthorized commands through built-in Windows tools like PowerShell?” If not, work with them to get these safeguards in place. If a third-party vendor has network access, ask them what they’re doing to prevent their staff from falling for ClickFix. Their slip-up is your risk.
- Lock Down Admin Tools: Most staff don’t need access to tools like PowerShell. Have your IT team or managed service provider (MSP) restrict who can run these tools. Fewer targets means less risk.
- Get Good Offline Backups: If an attack succeeds and ransomware is installed, secure, offline backups are your lifeline. Test them and make sure attackers can’t reach them from your main network.
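One way an IT team could check the "Lock Down Admin Tools" step, as an added example that is not from the Election Security Exchange: it lists accounts outside an approved list that started PowerShell or the command prompt directly from the Windows desktop, which is how a command entered in a Run box starts. The CSV column names, account names, approved list, and sample rows are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Built-in tools to watch; this list is an assumption, adjust it to local policy.
WATCHED = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Hypothetical accounts that IT has approved to use these tools.
APPROVED = {r"ELECTIONS\it-admin"}

# Constructed sample of exported process-creation records (not real data).
# Assumed columns: the account, the program that started the process, the process.
SAMPLE_CSV = r"""user,parent_image,image
ELECTIONS\it-admin,C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ELECTIONS\temp-clerk1,C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
ELECTIONS\temp-clerk1,C:\Windows\explorer.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ELECTIONS\frontdesk,C:\Windows\explorer.exe,C:\Windows\System32\cmd.exe
ELECTIONS\frontdesk,C:\Program Files\Vendor\agent.exe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
ELECTIONS\frontdesk,C:\Windows\explorer.exe,C:\Windows\System32\notepad.exe
"""


def basename(path):
    """Return the lower-cased file name from a Windows path."""
    return path.strip().rsplit("\\", 1)[-1].lower()


def desktop_launches(csv_text, approved=APPROVED):
    """Count watched tools started from the desktop shell by unapproved accounts."""
    approved_lc = {name.lower() for name in approved}
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        # Programs started from the Run box or Start menu have explorer.exe as parent.
        if basename(row["parent_image"]) != "explorer.exe":
            continue  # started by a service, script or another program
        tool = basename(row["image"])
        user = row["user"].strip()
        if tool in WATCHED and user.lower() not in approved_lc:
            hits[(user, tool)] += 1
    return hits


if __name__ == "__main__":
    for (user, tool), count in sorted(desktop_launches(SAMPLE_CSV).items()):
        print(f"{user} started {tool} from the desktop {count} time(s)")
```

Each account it reports is either someone who should be added to the approved list or someone whose access to these tools can be removed.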
The demands of running an election require balancing careful review with quick decision-making. ClickFix is designed to exploit that environment. Taking 10 seconds, before following such on-screen instructions, to consider whether they are genuine can be enough to stop this attack in its tracks.
The Situation Room focuses on real security incidents and threats in the news relevant to election security. To review previous issues, see the newsletter archive.