ClickFix phishing links increased nearly 400% in 12 months report says – Source: www.proofpoint.com

The volume of malicious links associated with ClickFix-based attacks nearly quadrupled between May 2024 and May 2025, according to Proofpoint’s “The Human Factor 2025 Vol. 2” report published Thursday.

The report analyzes phishing link data over a 12-month period, including insights from more than 3.4 trillion emails, 21 trillion URLs and 1.4 trillion SMS messages. Proofpoint found that malicious URLs were four times more prevalent than malicious attachments in emails received by targets.

The ClickFix social-engineering technique involves tricking the target into copying and pasting malicious commands into their machine’s terminal, under the guise of resolving an error, usually a failed CAPTCHA prompt.

ClickFix activity spiked significantly beginning in February 2025, resulting in a 400% year-over-year increase by May 2025. This increase made ClickFix one of the most common attack techniques spread via URLs, according to Proofpoint.

However, credential-phishing attacks were still more common than sophisticated malware attacks such as ransomware, with 3.7 billion phishing links targeting credentials while only 8.3 million sought to spread malware.

Out of the malware spread via URL, more than a third (34%) involved remote access software, which was the most common malware type, followed by keyloggers and infostealers.

For credential theft, many threat actors turned to phishing kits like CoGUI and Darcula for high-volume attacks, with some reaching tens of millions of emails in a single campaign.

These phishing kits provide premade templates for attackers to easily impersonate brands. Amazon was the brand most often impersonated by the CoGUI kit, making up 61% of phishing lures used in CoGUI-based attacks.

Darcula is mainly used in SMS phishing (smishing) campaigns, noted Proofpoint, with smishing threats overall seeing an enormous 2,534% increase in 2024.

About 55% of suspected smishing texts contained URLs, and 75% of organizations have reported being targeted by smishing campaigns, Proofpoint previously found in its State of the Phish 2024 report.

QR code phishing, or quishing, was also highlighted in the report. In the first half of 2025, nearly 4.2 million quishing attacks were observed by Proofpoint. These attacks deliver phishing URLs by tricking targets into scanning QR codes, making the malicious links more difficult for security systems to detect than traditional hyperlinks.

Attackers also misuse legitimate file sharing services like Microsoft OneDrive, Dropbox and Google Drive to mask the malicious nature of malware-delivering links, the report notes.

Proofpoint recommended organizations ensure they protect their entire potential phishing attack surface, including not across the entire email life cycle (pre-delivery, post-delivery and click-time) but also across messaging systems like SMS, Microsoft Teams and social media.

Identifying and enhancing protections for the most commonly targeted employees, and those most likely to engage with phishing links, can also help reduce the impact of social engineering on an organization, Proofpoint says.

AI-based detection and response solutions can also help companies tackle growing phishing threats, the report concludes.

“To tackle today’s evolving and emerging human-centric threats at scale, you need multilayered, AI-driven detection. Only an advanced AI-powered solution can spot the most subtle malicious indicators for threats that appear within any channel — whether that’s email, messaging, SaaS apps or collaboration tools,” the report states.