No real website asks you to paste a command to prove you're human.
That single rule will protect your office from one of the fastest-growing scams aimed at Mac users right now. The setup looks harmless — a page tells you to copy a little something and paste it into your Mac to "verify" you're a person or to "free up disk space." The moment you do, you have installed the malware yourself.
The real thing you should know about
The technique has a name: ClickFix. The core idea is simple: ClickFix tricks Mac users into pasting a malicious command into Terminal or Script Editor, and that command quietly installs a password-stealing program. It has climbed to become one of the top ways attackers get their software onto a machine, because it skips every technical defense and goes straight for the person at the keyboard.
Here is the shape of it, without any of the dangerous specifics. You land on a page — maybe through a search ad, a hijacked website, a fake "your Mac is low on storage" pop-up, or a phony video site. The page shows what looks like a normal verification step: a fake CAPTCHA, a "reclaim disk space" button, or an "error — run this to fix" message. It then walks you through copying some text and pasting it into a Mac app. People follow along because the instructions feel official and the page looks polished. When the command runs, it pulls down and installs an infostealer — often the Atomic Stealer, also called AMOS — which then goes hunting for your saved passwords, browser logins, and anything else of value on the machine.
The clever, nasty part is how it adapts. Apple recently added a warning when certain risky commands get pasted into Terminal. The scammers simply changed lanes: many of these lures now steer victims into Script Editor instead, which does not throw the same warning. So a protection that should have helped gets sidestepped, and the average person has no idea Script Editor is even capable of doing harm.
Why a small firm should actually care
You might assume only careless people fall for this. The opposite is true. The victims are usually competent, busy professionals who were trying to do the right thing — fix an error, pass a verification, get back to work. The scam works precisely because it borrows the look of routine tech support and asks for one small, reasonable-seeming action.
For a small business, the blast radius is large. The person most likely to be doing five things at once — searching for a quick fix, downloading a tool, clearing space on a laptop — is often the office manager or owner, the very person whose Mac holds the logins that run everything. One pasted command can hand over the email account, the cloud file storage, the practice-management or accounting software, and saved browser passwords in one shot.
For healthcare and dental offices, that exposure can reach patient records, which turns an annoying malware cleanup into a reportable breach with notification duties and regulatory attention. And because the stolen item is often a live login or session, the attacker may not need to "hack" anything else — they can simply walk in using your credentials. There is no firewall setting that fixes a problem you invited in by hand, which is exactly why this vector has gotten so popular with criminals.