Country/Region
Phishing Intelligence

Phishing Alert: New ‘ClickFix’ Scam Targeting the Hospitality Sector to Steal Sensitive Information

March 28th, 2025

Contributor: Aleena Jibin

Key Insight

A new phishing scam is targeting companies, especially in the hospitality sector, using a method called ClickFix to steal sensitive information. In this scam, attackers send fake emails impersonating trusted services like Booking.com, tricking users into downloading malware.

The incident

First, they send an email that appears to be from a trusted source, such as Booking.com, with a link or PDF attachment. The email claims that the user needs to fix an urgent issue and directs them to a fake webpage. When the victim clicks the link, they are taken to a page that mimics Booking.com, which includes a fake CAPTCHA designed to deceive the user into thinking the page is legitimate.

The webpage creates the illusion of a verification process, prompting users to take action. Attackers take advantage of human problem-solving tendencies by displaying fake error messages or instructions that ask users to ‘fix’ the issue. They trick users into copying, pasting, and running specific commands, which leads to the installation of malware on the victim’s system.

phishing-using-clickfix-technique.png

How to spot a phishing email? - Download

Impact of the incident

The ClickFix technique makes phishing attacks harder to detect and defend against. Since the attack occurs in multiple stages, victims are more likely to believe it is legitimate, as they may not expect phishing to come through such a gradual process. This makes it easier for attackers to build trust and successfully deceive users.
Once the malware is installed, it can steal sensitive information, such as financial data and login credentials, leading to fraud. The ClickFix technique bypasses traditional security measures because it relies on users actions rather than vulnerabilities in software. This increases the risk of data breaches, financial losses, and compromised accounts.
The multi-stage nature of the attack also makes it harder for automated security systems to detect and stop, leaving organizations more vulnerable. To protect against these types of evolving threats, organizations must focus on educating users. Additionally, they need to strengthen defenses that account for human behavior rather than relying solely on traditional security measures.

How to stay safe?

  • Educate employees-Train staff to recognize phishing attempts and suspicious requests, particularly those involving error messages or prompts to “fix” a problem.
  • Avoid running commands from emails-Never use keyboard shortcuts or paste commands from an email, especially if they seem out of place or instruct you to perform actions that seem unnecessary.
  • Monitor for unusual activity-Periodically check for any unauthorized access or abnormal activity on organizational systems and networks. Immediately alert your IT team if anything suspicious is detected.
  • Be cautious of unexpected email communications-If you receive unexpected emails asking you to take action, particularly from unfamiliar sources, verify their legitimacy through official channels before proceeding.

Source

Phishing campaign impersonates Booking .com, delivers a suite of credential-stealing malware | Microsoft Security Blog


Book a Free Demo

Reduce human cyber and compliance risks with targeted training.

Get a guided walkthrough — at a time that suits your timezone.

Book a Free Demo
Book a demo