ClickFix Phishing Attacks Surge Nearly 400%

ClickFix Phishing Attacks Surge Nearly 400% in Just One Year

Phishing evolves: ClickFix attacks jump 400% in a year while quishing rises, proving criminals favor social engineering over malware.

Written By
Matt Gonzales
Matt Gonzales
Aug 19, 2025
3 minute read
eSecurity Planet content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Cybercriminals are betting big on phishing… and it’s paying off.

Last year saw 3.7 billion malicious links targeting logins, while ClickFix campaigns surged nearly 400%, signaling a dangerous shift in attacker strategy, according to a new report by Proofpoint. Security experts warn that if this trend continues, phishing could eclipse other cyberattack methods entirely in the years ahead.

“ClickFix reminds us: the weakest link isn’t email,” said Ken Underhill, a cybersecurity professional at TechnologyAdvice. “It’s human behavior at the keyboard.”

ClickFix drives a new era of social engineering

Proofpoint’s Human Factor 2025 Vol. 2 report shows how phishing has evolved from clumsy scams into one of the most effective tools in a criminal’s arsenal. The ClickFix technique, which prompts users to grant access or fix a supposed issue by clicking a fraudulent link, has gained explosive traction over the past year.

Between May 2024 and May 2025, the volume of phishing URLs tied to ClickFix almost quadrupled. The greatest spike came in early 2025, when activity accelerated rapidly. This surge reflects a broader trend: attackers are shifting away from technical exploits and malware-heavy attachments, instead favoring social engineering at scale — exploiting trust and urgency to bypass defenses.

Alongside ClickFix, researchers also pointed to the rise of “quishing,” a phishing technique that embeds QR codes into emails or documents. By scanning the code, users are redirected to malicious sites designed to steal credentials. Proofpoint noted that quishing has steadily grown as attackers look for new ways to dodge email filters and exploit human curiosity.

Credentials first, malware second

The overwhelming majority of phishing campaigns, around 3.7 billion URLs in the past year, were aimed at stealing usernames and passwords. In contrast, only 8.3 million links attempted to deliver malware payloads. The disparity highlights how stolen credentials have become a more reliable entry point for attackers.

When malware was delivered, remote-access tools were the top choice, appearing in about one-third of observed cases. Keyloggers and infostealers followed, designed to siphon sensitive information and maintain persistence within compromised systems. Together, these tactics show that while malware is still part of the threat landscape, criminals increasingly see phishing for credentials as the fastest route to profit.

Advertisement

What it means for defenders

The spike in ClickFix phishing underscores a sobering reality: the inbox is now the frontline of cybersecurity. Attackers don’t need zero-day exploits or advanced malware when a convincing link can achieve the same result.

To protect against this shift, organizations should focus on layered defenses:

Just as critical is ongoing employee training to help staff recognize deceptive tactics before a single click can trigger a breach.

As phishing continues to evolve, the lesson is clear: technology alone won’t stop these attacks. Building a security-aware workforce may be the most important defense of all.

“Resilience against ClickFix comes from layered defenses — technology, processes, and people working together,” Underhill said.

Want to better protect your logins against phishing and credential theft? Check out our guide to the six best password managers for small businesses.

Matt Gonzales

Matt Gonzales is a technology journalist, editor, and content strategist with more than a decade of experience covering emerging technologies, enterprise IT, cybersecurity, artificial intelligence, and workplace innovation. As Managing Editor for eWeek and TechRepublic, he leads editorial strategy and newsroom operations while helping business and IT leaders navigate an evolving technology landscape. Throughout his career, Matt has held leadership roles overseeing content development, editorial planning, and newsroom operations across digital publications and enterprise media organizations. Before joining TechnologyAdvice, he served as an editor at SHRM, where he covered workplace trends and emerging technologies, and as Lead Writer and Editor for Marine Corps Systems Command, where he reported on defense technologies, innovation initiatives, and government technology programs. Matt's expertise spans cybersecurity, enterprise technology, AI, B2B software, technical writing, and digital publishing. He has reported on major technology developments, including the rapid evolution of generative AI, helping readers understand both the opportunities and risks associated with emerging technologies. His work combines deep research, editorial rigor, and practical business insights to make complex technical topics accessible to a broad audience. An award-winning journalist, Matt has earned recognition for excellence in reporting and editorial leadership. He holds a Bachelor of Science in Communication with a concentration in Journalism from East Carolina University and continues to focus on delivering trusted analysis and actionable insights for technology, cybersecurity, and business professionals.

eSecurity Planet Logo

eSecurity Planet is a leading resource for IT professionals at large enterprises who are actively researching cybersecurity vendors and latest trends. eSecurity Planet focuses on providing instruction for how to approach common security challenges, as well as informational deep-dives about advanced cybersecurity topics.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.